VPN sessions disconnecting frequently through Cisco ASA 5520 firewall

Ramu Ch
Level 1

Dear Team,


In our organization, we have recently been facing an issue with VPN connections disconnecting abruptly at random intervals (5 min, 15 min, also 1 hr).

We have verified this in our syslog. The messages are shown as follows:

2011-04-07 19:33:59    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.40.124/138 to inside:172.16.255.255/138

Here 172.16.40.124 is a LAN IP address that is connecting to a client VPN; the connection is abruptly getting dropped.
Here 172.16.1.68 is the Cisco ASA 5520 inside IP address.

A few points to be noticed:
- The same worked well with the Cisco PIX 515E firewall; after changing to the Cisco ASA 5520, it is giving this issue.

- All ports are allowed for outbound traffic from the source network 172.16.40.0/24 to their client VPN.

- This issue also occurs for users of another subnet, i.e. 172.16.33.0/24, to their client VPN sessions, and I have allowed all ports for them for outbound traffic.

- Please confirm whether there is any feature in the ASA that is causing the sessions to be terminated which was not in the Cisco PIX 515E.

- ASA version is 8.0(3)

Regards
Ramu
CMC LTD


2 Replies

Shrikant Sundaresh
Cisco Employee

Hi Ramu,

I think that the particular syslog you have mentioned in the post may not be the cause of the VPN disconnection.

It seems that the IP 172.16.40.124 is trying to initiate a connection to the subnet (172.16.0.0/16) broadcast IP 172.16.255.255. I think that this is the reason that packet was discarded.

Could you please tell us the number of vpn peers allowed to the ASA as per the output of "show version"?

Also, can you check the output of "show vpn-sessiondb remote" to see the number of users online, and when a person gets disconnected, please check the output again to see whether he is no longer in the list, and also check the count of remote access VPN users again.

-Shrikant

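The syslog Shrikant discusses above, %ASA-7-710005, records a packet that the ASA discarded because it was addressed to the firewall itself (or to a broadcast address) and nothing on the appliance serves it. As an added example, not part of this post or of any Cisco tooling, the following Python parses such lines and separates broadcast-directed drops like the NetBIOS datagram (UDP/138 to 172.16.255.255) in Ramu's log from drops on ports a client-VPN tunnel would actually use. The /16 inside network and the list of VPN ports are assumptions made for the example; the first sample line is the one quoted in the post, the other two are constructed.

```python
"""Classify Cisco ASA %ASA-7-710005 'request discarded' syslog lines.

Added example: distinguishes drops of traffic aimed at a broadcast address
from drops on ports a client-VPN tunnel actually depends on.
"""
import ipaddress
import re
from collections import Counter

# Message shape as seen in the post (generic ASA 710005 format):
#   %ASA-7-710005: UDP request discarded from 172.16.40.124/138 to inside:172.16.255.255/138
ASA_710005 = re.compile(
    r"%ASA-\d-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<ifname>[^:\s]+):(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)

# Assumption: the inside interface sits on the /16 Shrikant refers to.
INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")

# Well-known ports a LAN host would use to reach an Internet VPN server.
# Assumption: generic values, not taken from the post.
VPN_PORTS = {
    ("UDP", 500): "IKE",
    ("UDP", 4500): "IPsec NAT-T",
    ("TCP", 1723): "PPTP",
    ("TCP", 443): "SSL VPN",
}


def classify(line, inside_net=INSIDE_NET):
    """Return a dict describing a 710005 line, or None if the line is not one."""
    m = ASA_710005.search(line)
    if m is None:
        return None
    proto, dport = m["proto"], int(m["dport"])
    dst = ipaddress.ip_address(m["dst"])
    if dst == inside_net.broadcast_address or dst == ipaddress.ip_address("255.255.255.255"):
        # Expected: the ASA does not forward directed or limited broadcasts.
        kind = "broadcast-drop"
    elif (proto, dport) in VPN_PORTS:
        # A VPN control-plane packet addressed to the firewall itself was refused.
        kind = "vpn-relevant"
    else:
        kind = "other"
    return {
        "proto": proto, "src": m["src"], "sport": int(m["sport"]),
        "ifname": m["ifname"], "dst": str(dst), "dport": dport,
        "service": VPN_PORTS.get((proto, dport)),
        "kind": kind,
    }


def summarize(lines, inside_net=INSIDE_NET):
    """Count 710005 lines per classification; lines with other message IDs are skipped."""
    counts = Counter()
    for line in lines:
        info = classify(line, inside_net)
        if info is not None:
            counts[info["kind"]] += 1
    return dict(counts)


# Constructed sample input: line 1 is quoted from the post; lines 2 and 3 are
# made up here to exercise the other branches.
SAMPLE_LINES = [
    "2011-04-07 19:33:59    Local4.Debug    172.16.1.68    "
    "%ASA-7-710005: UDP request discarded from 172.16.40.124/138 to inside:172.16.255.255/138",
    "2011-04-07 19:34:10    Local4.Debug    172.16.1.68    "
    "%ASA-7-710005: UDP request discarded from 172.16.33.10/500 to inside:172.16.1.68/500",
    "2011-04-07 19:34:11    Local4.Info     172.16.1.68    "
    "%ASA-6-302015: Built outbound UDP connection 12345 for outside:203.0.113.5/4500 "
    "(203.0.113.5/4500) to inside:172.16.33.10/4500 (172.16.33.10/4500)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize(SAMPLE_LINES))
```

Run against a real syslog export, a result dominated by "broadcast-drop" entries supports Shrikant's point that the quoted message is unrelated to the tunnel; any "vpn-relevant" entries, or 710005 lines whose destination is the VPN server rather than the ASA, are the ones worth chasing.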
Thanks Shrikant.

The issue arises when a user behind the Cisco ASA firewall initiates a VPN request to his client's VPN server (which is on the Internet, at the client's site).

I have allowed all ports from inside to the client VPN IP address.

The ASA is not configured as a VPN server; it is configured for filtering traffic.

1)

NEW-TCL-ILL-FW# sh vpn-sessiondb remote
INFO: There are presently no active sessions

2) "show version" output:

NEW-TCL-ILL-FW# sh version

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

NEW-TCL-ILL-FW up 90 days 19 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   :  CN1000-MC-BOOT-2.00
                             SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is 001e.f762.d380, irq 9
1: Ext: GigabitEthernet0/1  : address is 001e.f762.d381, irq 9
2: Ext: GigabitEthernet0/2  : address is 001e.f762.d382, irq 9
3: Ext: GigabitEthernet0/3  : address is 001e.f762.d383, irq 9
4: Ext: Management0/0       : address is 001e.f762.d37f, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1215L20S
Running Activation Key: 0xd0134977 0x14b7c6fd 0xb411f51c 0xbf54f070 0x0f1aa9ab
Configuration register is 0x1
Configuration last modified by enable_15 at 14:30:42.396 UTC Thu Apr 7 2011

Please suggest what could be the cause.

Regards

Ramu
