03-01-2023 02:17 AM
Hello everybody,
I upgraded our customer's ASA5555 cluster from 9.14(3)15 ---> 9.14(4)22.
The upgrade procedure was without issues.
After the upgrade the customer called me and told me that all AnyConnect
logins were impossible.
I compared the configuration before and after the upgrade and saw that
all IP pools and the references in the tunnel groups to these pools were
missing:
...
ip local pool pool4inos 10.10.129.60 mask 255.255.255.255 (missing)
ip local pool pool4erne 10.10.129.52-10.10.129.55 mask 255.255.255.255 (missing)
ip local pool pool4mis 10.10.129.64-10.10.129.127 mask 255.255.255.255 (missing)
...
tunnel-group vpn4inos general-attributes
address-pool pool4inos (missing)
...
tunnel-group vpn4erne general-attributes
address-pool pool4erne (missing)
...
tunnel-group vpn4sws general-attributes
address-pool pool4admin (missing)
...
I guess that the syntax for the IP Pools was changed from the old to the
new release and so the lines were deleted.
I had no time for troubleshooting and downgraded the cluster and
regenerated these lines and AnyConnect worked again.
I would expect such information in the release notes to prevent such
"surprises". I ask myself how Cisco tested the new release(?)
The customer is a hospital ...
Please explain how we can prevent such problems in the future.
Thanks a lot!
Bye
R.
03-02-2023 12:35 AM
Tried adding the 'ip local pool' configuration on an ASA running a version higher than 9.14.3.x, but the configuration was not accepted:
ASAv2(config)# ip local pool pool4inos 10.10.129.60 mask 255.255.255.255
Invalid Netmask
ASAv2(config)# ip local pool pool4erne 10.10.129.52-10.10.129.55 mask 255.255.255.255
Invalid Netmask
ASAv2(config)# ip local pool pool4mis 10.10.129.64-10.10.129.127 mask 255.255.255.255
Invalid Netmask
The netmask specifies the total number of clients who will be assigned addresses from the local pool. Always try to have a netmask that matches the local pool address ranges.
03-02-2023 12:55 AM
As per the Cisco Secure Firewall ASA Series Command Reference for 'ip local pool poolname first-address-last-address [ mask mask ]',
mask - Specifies a subnet mask for the pool of addresses. You cannot use a 255.255.255.254 (/31) or 255.255.255.255 (/32) subnet mask.
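The two replies above give the rule that explains the dropped lines: a /31 or /32 mask is rejected by 'ip local pool', and the mask should cover the pool's address range. The following is an added pre-upgrade check written for this thread (it is not code from the original posts, from Cisco, or from the linked article): it parses the 'ip local pool' and 'tunnel-group ... general-attributes / address-pool' lines of a saved running-config, flags pools the new release would refuse, and flags every tunnel-group whose pool would disappear or is not defined. The sample configuration is constructed for the example and only modeled on the pool names quoted in the first post; the "range must fit the mask" check is advisory and based on the earlier reply, not on a documented ASA rule.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample configuration excerpt for this example (not a dump of a
# real device). pool4admin is referenced but never defined on purpose, to show
# the dangling-reference check.
SAMPLE_CONFIG = """\
ip local pool pool4inos 10.10.129.60 mask 255.255.255.255
ip local pool pool4erne 10.10.129.52-10.10.129.55 mask 255.255.255.255
ip local pool pool4mis 10.10.129.64-10.10.129.127 mask 255.255.255.255
ip local pool pool4ok 10.10.130.10-10.10.130.100 mask 255.255.255.0
ip local pool pool4wide 10.10.131.200-10.10.132.10 mask 255.255.255.0
!
tunnel-group vpn4inos general-attributes
 address-pool pool4inos
tunnel-group vpn4erne general-attributes
 address-pool pool4erne
tunnel-group vpn4sws general-attributes
 address-pool pool4admin
tunnel-group vpn4ok general-attributes
 address-pool pool4ok
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
POOL_RE = re.compile(
    rf"^ip local pool (?P<name>\S+) (?P<first>{IPV4})(?:-(?P<last>{IPV4}))?"
    rf"(?: mask (?P<mask>{IPV4}))?\s*$"
)
TG_RE = re.compile(r"^tunnel-group (?P<name>\S+) general-attributes\s*$")
POOL_REF_RE = re.compile(r"^\s+address-pool (?P<pool>\S+)\s*$")

# Prefix lengths the ASA command reference says cannot be used with 'ip local pool'.
REJECTED_PREFIXLENS = {31, 32}


@dataclass(frozen=True)
class Finding:
    severity: str   # "ERROR": line would be rejected / login would break; "WARN": advisory
    line: str       # offending config line, or the tunnel-group name
    reason: str


def prefixlen(mask: str) -> int:
    """Dotted netmask -> prefix length; raises ValueError for non-contiguous masks."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def lint_asa_pools(config: str) -> list[Finding]:
    """Flag pools the newer release would drop and tunnel-groups that would lose their pool."""
    findings: list[Finding] = []
    pools: dict[str, str] = {}          # pool name -> defining line
    rejected: set[str] = set()          # pools that would be dropped on upgrade
    refs: list[tuple[str, str]] = []    # (tunnel-group, referenced pool)
    current_tg = None

    for raw in config.splitlines():
        line = raw.rstrip()
        if m := POOL_RE.match(line):
            name, first, last, mask = m.group("name", "first", "last", "mask")
            pools[name] = line
            if mask is None:
                continue                # no explicit mask: nothing for this check
            try:
                plen = prefixlen(mask)
                subnet = ipaddress.IPv4Network(f"{first}/{plen}", strict=False)
                last_addr = ipaddress.IPv4Address(last or first)
            except ValueError as exc:
                findings.append(Finding("ERROR", line, f"unparseable pool: {exc}"))
                rejected.add(name)
                continue
            if plen in REJECTED_PREFIXLENS:
                findings.append(Finding("ERROR", line,
                                        f"/{plen} mask is rejected as 'Invalid Netmask'; pool would be dropped"))
                rejected.add(name)
            elif last_addr not in subnet:
                # Advisory: the mask should cover the whole range (reply above).
                findings.append(Finding("WARN", line, f"range does not fit in one /{plen} subnet"))
            continue
        if m := TG_RE.match(line):
            current_tg = m.group("name")
        elif line and not line[0].isspace():
            current_tg = None           # left the general-attributes block
        elif (m := POOL_REF_RE.match(line)) and current_tg:
            refs.append((current_tg, m.group("pool")))

    for tg, pool in refs:
        if pool not in pools:
            findings.append(Finding("ERROR", tg, f"address-pool {pool} is not defined"))
        elif pool in rejected:
            findings.append(Finding("ERROR", tg,
                                    f"address-pool {pool} would be dropped; AnyConnect logins would fail"))
    return findings


def has_blocking_findings(config: str) -> bool:
    """True when at least one ERROR finding exists, i.e. do not upgrade yet."""
    return any(f.severity == "ERROR" for f in lint_asa_pools(config))


if __name__ == "__main__":
    for f in lint_asa_pools(SAMPLE_CONFIG):
        print(f"{f.severity:5} {f.line!r}: {f.reason}")
```

Run it against the output of 'show running-config' saved to a file before scheduling the upgrade; any ERROR line is a pool or tunnel-group to fix (for example by moving per-device fixed addresses to a per-user RADIUS assignment) before the new image is booted.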
03-02-2023 06:01 AM
Hi manabans,
thanks for your reply!
The problem is that the connecting devices are medical devices that need exactly the same fixed IP address at every login by AnyConnect. So we configured pools of one IP address (255.255.255.255). If there is another way to approach this with rel. 9.14(4)22 or higher I would like to try this.
Do you have an idea how this could be solved?
Thanks a lot!
Bye
Rene
03-02-2023 06:32 AM
@swscco001 if you want to assign the same IP address to an anyconnect user, you can assign the fixed IP address by RADIUS on a per user basis. Example: https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/
03-02-2023 05:11 AM
I upgraded an ASAv installation a month ago where I experienced the same issue, or more accurately a similar issue.
After the upgrade all ip local pool configuration was removed from the tunnel group / connection profiles. However, they were still present in the ASA configuration so I only needed to associate them with their respective group-policies or connection profiles.
05-29-2023 01:58 AM - edited 05-29-2023 01:59 AM
Hi,
We have experienced the same problem after the ASA upgrade (9.14.4).
Another strange experience was that since we also updated ASDM to the latest 7.19.1.94, we could not set up the VPN pool from ASDM. We had to do it from the CLI.
Regards,