Please recommend me which OS version of ASA?

Thotsaphon Lueangwattanaphong — Mon, 11 Mar 2019 15:48:31 GMT

I've been using OS 8.0(3) on ASA for Dynamicmap. It's site to site VPN with hub and spokes environment. Hub router is using static ip address. Spoke routers are using dynamic ip addresses. The problem is that multiple tunnels of the same branch site are connecting to HQ. HQ will get stuck on that. Can't encrypt/decrypt. I did search. it would relate to these bugs.

<b>

CSCsg86538 Bug Details

Dynamic L2L tunnel fails if the remote peer ip is changed

None

Symptom:

Remote peer fails to re-establish the dynamic VPN tunnel once a new ip address is obtained. The

IKE phase II has to timeout on ASA side inorder to restablish the tunnel.

Conditions:

The peer ip address changes

Peer does not support IKE keepalive

Workaround:

Manually clear the ipsec peer on ASA

1st Found-In

7.0

7.2(1.9)

Fixed-In

7.0(6.29)

7.1(2.49)

7.2(2.20)

8.0(1.9)

8.0(2.7)

8.2(0.15)

########################

CSCsl51292 Bug Details

IPSEC VPN tunnel on 8.0.3 fails every couple days.

ASA running version 8.0.3, fails all IPSEC tunnels lan to lan and remote access vpn tunnels after 2 days or so. No logs from when it failed, but after it fails and turning on logging, can see that it fails Phase 1 MSG 4.

We see that the symptom of this problem shows up in show memory- where the Crypto free goes to 0%:

DMA memory:

Crypto free: 0 bytes ( 0%)

Crypto used: (26%)

This is not related to any SSL functionality that we can tell at this time.

Workaround:

Reload ASA

1st Found-In

8.0(3)

Fixed-In

8.0(3.10)

8.1(1.2)

7.2(4)

8.0(103.3)

7.2(3.22)

##########################

CSCso50996 Bug Details

ASA dropping the packet instead of encrypting it

Symptom:

ASA/PIX stops encrypting data to a remote IPSec peer (either L2L or Remote

Access).

Conditions:

The problem is that after an IPSec SA goes down and comes back up (including

phase 2 rekeys), it's possible that a duplicate vpn-context and classifier

entry are created and added to the ASA's ASP classifier table for crypto. The

ASA should only have a single ASP classifier/vpn-context per IPSec flow (ie.

inbound vs. outbound) in its database.

Workaround:

Reload the ASA.

1st Found-In

7.0

8.0(3)

7.2(4)

Fixed-In

7.2(4.1)

8.0(3.13)

8.0(103.11)

7.0(7.13)

7.1(2.70)

</b>

However,I can't use keepalive to solve this problem. Because third party routers have been using at branch sites. As CISCO document says keepalive works with cisco family. (grin)

You guys who can recommend me which IOS is stable enough for this kind of this scenario(dynamic map). Please advise.

TIA,

Toshi

Re: Please recommend me which OS version of ASA?

andrew.prince — Fri, 26 Jun 2009 07:35:08 GMT

Dynamic L2L have been around since verion 7.0 code. I run dynamic L2L on 7.2(4) with no issues.

HTH>

Re: Please recommend me which OS version of ASA?

cisco24x7 — Fri, 26 Jun 2009 10:54:00 GMT

No one can tell you which version will work in your environment because nobody understand your environment, except Cisco if you open TAC case with them. Just because 7.2(4) works in one environment does not mean it will work in yours especially when it comes to VPN INTEROPERABILITY.

topic Please recommend me which OS version of ASA? in Network Security

Please recommend me which OS version of ASA?

Re: Please recommend me which OS version of ASA?

Re: Please recommend me which OS version of ASA?