ASA Upgrade deletes IP pools for AnyConnect

swscco001
Level 3

Hello everybody,

I upgraded our customer's ASA5555 cluster from 9.14(3)15 ---> 9.14(4)22.

The upgrade procedure was without issues.

After the upgrade the customer called me and told me that all AnyConnect
logins were impossible.

I compared the configuration before and after the upgrade and saw that
all IP pools and the references in the tunnel groups to these pools were
missing:

...
ip local pool pool4inos 10.10.129.60 mask 255.255.255.255                  (missing)
ip local pool pool4erne 10.10.129.52-10.10.129.55 mask 255.255.255.255     (missing)
ip local pool pool4mis 10.10.129.64-10.10.129.127 mask 255.255.255.255     (missing)
...
tunnel-group vpn4inos general-attributes
 address-pool pool4inos                                                    (missing)
...
tunnel-group vpn4erne general-attributes
 address-pool pool4erne                                                    (missing)
...
tunnel-group vpn4sws general-attributes
 address-pool pool4admin                                                   (missing)
...

I guess that the syntax for the IP Pools was changed from the old to the
new release and so the lines were deleted.

I had no time for troubleshooting and downgraded the cluster and
regenerated these lines and AnyConnect worked again.

I would expect such information in the release notes to prevent such
"surprises". I ask myself how Cisco tested the new release(?)
The customer is a hospital ...

Please explain how we can prevent such problems in the future.

Thanks a lot!



Bye
R.


6 Replies

manabans
Cisco Employee

Tried adding the 'ip local pool' configuration on an ASA running a version code higher than 9.14.3.x, but the configuration was not accepted:

ASAv2(config)# ip local pool pool4inos 10.10.129.60 mask 255.255.255.255
Invalid Netmask
ASAv2(config)# ip local pool pool4erne 10.10.129.52-10.10.129.55 mask 255.255.255.255
Invalid Netmask
ASAv2(config)# ip local pool pool4mis 10.10.129.64-10.10.129.127 mask 255.255.255.255
Invalid Netmask

The netmask specifies the total number of clients who will be assigned addresses from the local pool. Always do try to have a netmask that matches the local pool address ranges.

manabans
Cisco Employee

As per the Cisco Secure Firewall ASA Series Command Reference for 'ip local pool poolname first-address-last-address [ mask mask ]',
mask - Specifies a subnet mask for the pool of addresses. You cannot use a 255.255.255.254 (/31) or 255.255.255.255 (/32) subnet mask.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/int-ipu-commands.html#wp8742962700 

Hi manabans,

thanks for your reply!

The problem is that the connecting devices are medical devices that need exactly the same fixed IP address at every login by AnyConnect. So we configured pools of one IP address (255.255.255.255). If there is another way to approach this with rel. 9.14(4)22 or higher I would like to try this.

Do you have an idea how this could be solved?

Thanks a lot!


Bye
Rene

@swscco001 if you want to assign the same IP address to an anyconnect user, you can assign the fixed IP address by RADIUS on a per user basis. Example: https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/

I upgraded an ASAv installment a month ago where I experienced the same issue, or more accurately a similar issue.  

After the upgrade all ip local pool configuration was removed from the tunnel group / connection profiles.  However, they were still present in the ASA configuration so I only needed to associate them with their respective group-policies or connection profiles.  

--
Please remember to select a correct answer and rate helpful posts
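A pre-upgrade check of the kind the original post asks for, written here as an added example (it is not code from the thread, from Cisco, or from the ASA). It scans a saved running-config for 'ip local pool' lines whose mask is /31 or /32 (the masks the command reference quoted above disallows, and which the newer release rejected with 'Invalid Netmask'), for pools whose address range does not fit inside their mask (manabans' second point), and for tunnel-group address-pool references that point at a pool that is missing or would be lost, which is the symptom described in the reply just above. The config excerpt is constructed for the example; the pool and tunnel-group names mirror the ones quoted in the original post, and pool4ok and pool4wide are added to show the other cases. The suggested replacement mask is this script's own heuristic (the smallest /30-or-wider subnet covering the range), not Cisco guidance, and it does not by itself give each device a fixed address; that is what the RADIUS per-user suggestion above addresses.

```python
import ipaddress
import re

# Constructed running-config excerpt for this example (not from any real device).
# The first three pools and the tunnel-groups mirror the lines quoted in the
# original post; pool4ok and pool4wide are added to exercise the other cases.
SAMPLE_CONFIG = """\
ip local pool pool4inos 10.10.129.60 mask 255.255.255.255
ip local pool pool4erne 10.10.129.52-10.10.129.55 mask 255.255.255.255
ip local pool pool4mis 10.10.129.64-10.10.129.127 mask 255.255.255.255
ip local pool pool4ok 10.10.130.1-10.10.130.62 mask 255.255.255.192
ip local pool pool4wide 10.10.131.1-10.10.131.200 mask 255.255.255.128
tunnel-group vpn4inos general-attributes
 address-pool pool4inos
tunnel-group vpn4erne general-attributes
 address-pool pool4erne
tunnel-group vpn4sws general-attributes
 address-pool pool4admin
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IPV4}(?:-{IPV4})?(?: mask {IPV4})?\s*$")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes\s*$")
AP_RE = re.compile(r"^\s+address-pool (\S+)\s*$")


def parse_pools(config):
    """Map pool name -> (first, last, mask) as IPv4Address objects; mask may be None."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            name, first, last, mask = m.groups()
            pools[name] = (
                ipaddress.IPv4Address(first),
                ipaddress.IPv4Address(last or first),  # single-address pool has no '-last'
                ipaddress.IPv4Address(mask) if mask else None,
            )
    return pools


def parse_pool_refs(config):
    """Map tunnel-group name -> pool named in its 'address-pool' line."""
    refs = {}
    current = None
    for line in config.splitlines():
        tg = TG_RE.match(line)
        if tg:
            current = tg.group(1)
            continue
        ap = AP_RE.match(line)
        if ap and current:
            refs[current] = ap.group(1)
        elif line and not line.startswith(" "):
            current = None  # a non-indented line leaves the tunnel-group sub-mode
    return refs


def suggested_mask(first, last):
    """Heuristic (this script's own, not Cisco guidance): the smallest mask no
    longer than /30 whose subnet, anchored at the first address, contains the last."""
    first = ipaddress.IPv4Address(str(first))
    last = ipaddress.IPv4Address(str(last))
    for prefixlen in range(30, -1, -1):
        net = ipaddress.IPv4Network(f"{first}/{prefixlen}", strict=False)
        if last in net:
            return str(net.netmask)
    raise ValueError("no covering subnet")  # unreachable for valid IPv4 input


def audit(config):
    """Return (severity, object, message) findings for a saved running-config."""
    findings = []
    pools = parse_pools(config)
    for name, (first, last, mask) in pools.items():
        if mask is None:
            continue
        prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
        if prefixlen >= 31:  # /31 and /32 are disallowed by the command reference
            findings.append(("error", name,
                f"mask /{prefixlen} is not allowed for ip local pool "
                f"(rejected as 'Invalid Netmask'); try mask {suggested_mask(first, last)}"))
        net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
        if last not in net:  # range does not fit inside the subnet the mask describes
            findings.append(("error", name,
                f"range {first}-{last} does not fit inside {net}; "
                f"try mask {suggested_mask(first, last)}"))
    broken = {obj for sev, obj, _ in findings if sev == "error"}
    for tg, pool in parse_pool_refs(config).items():
        if pool not in pools:
            findings.append(("error", f"tunnel-group {tg}",
                f"address-pool {pool} is not defined"))
        elif pool in broken:
            findings.append(("warning", f"tunnel-group {tg}",
                f"address-pool {pool} reference will be lost if the pool line is rejected"))
    return findings


if __name__ == "__main__":
    for severity, obj, message in audit(SAMPLE_CONFIG):
        print(f"{severity.upper():7} {obj}: {message}")
```

Run it against the output of 'show running-config' saved to a file before scheduling the upgrade; every 'error' line is a pool the new release would refuse to load, and every 'warning' line is a tunnel-group whose AnyConnect logins would fail afterwards for lack of an address pool.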

KAROLY KOHEGYI
Level 2

Hi,

We have experienced the same problem after the ASA upgrade (9.14.4).

Another strange experience was that since we also updated ASDM to the latest 7.19.1.94, we could not set up the VPN pool from ASDM. We had to do it from the CLI.

Regards,
