05-05-2011 03:21 PM - edited 03-11-2019 01:30 PM
I just upgraded my Cisco ASA 5510 from 8.2.1 to 8.4.1. Now my VPN is no longer working. I can connect to it but can't connect to anything from there. I heard the ASA creates a log from the upgrade to show me what part of the config doesn't carry over. How can I find this log?
05-05-2011 03:53 PM
Hi,
Sounds like there might be an issue with NAT exemption after the upgrade.
Here is a link to the 8.3 migration guide, which is still relevant to 8.4:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
The command to see the migration errors is "show startup-config errors".
Let me know if you have any questions.
Thanks,
Loren
05-05-2011 03:55 PM
Thanks, this is what I found:
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201105041246.log'
Reading from flash...
!!!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map', 'dynamic-filter classify-list', 'aaa match' will be migrated from using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not detectable by automated Real IP migration. If your deployment contains such scenarios, please verify your migrated configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_1_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(1) "
WARNING: MIGRATION: NAT Exempt command is encountered in config. Static NATs which overlap with NAT Exempt source are not migrated. Please check migrated ACLs for accuracy.
*** Output from config line 272, "access-group outside_acc..."
WARNING: MIGRATION: NAT Exempt command is encountered in config. Static NATs which overlap with NAT Exempt source are not migrated. Please check migrated ACLs for accuracy.
*** Output from config line 273, "access-group inside_acce..."
WARNING: MIGRATION: NAT Exempt command is encountered in config. Static NATs which overlap with NAT Exempt source are not migrated. Please check migrated ACLs for accuracy.
*** Output from config line 274, "access-group DMZ_access_..."
WARNING: This command will not take effect until interface 'management' has been assigned an IPv4 address
*** Output from config line 346, "ssh Corporate 255.255.25..."
WARNING: MIGRATION: NAT Exempt command is encountered in config. Static NATs which overlap with NAT Exempt source are not migrated. Please check migrated ACLs for accuracy.
WARNING: MIGRATION: NAT Exempt command is encountered in config. Static NATs which overlap with NAT Exempt source are not migrated. Please check migrated ACLs for accuracy.
*** Output from config line 448, "service-policy IPS-polic..."
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'DMZ' and was not migrated.
nat (inside) 3 Caesar 255.255.255.255
The following 'nat' command didn't have a matching 'global' rule on interface 'Kerio' and was not migrated.
nat (inside) 3 Caesar 255.255.255.255
The following 'nat' command didn't have a matching 'global' rule on interface 'DMZ' and was not migrated.
nat (inside) 2 Hark-WAN 255.0.0.0
The following 'nat' command didn't have a matching 'global' rule on interface 'Kerio' and was not migrated.
nat (inside) 2 Hark-WAN 255.0.0.0
INFO: NAT migration completed.
Real IP migration logs:
ACL has been migrated to real-ip version
05-05-2011 04:05 PM
Hi,
Based on that output, some or all of your NAT exemption configuration was not migrated.
Since the migration tool detected overlaps between your static NAT statements and the NAT exemption, some or all of the original NAT exemption commands were not migrated.
Also, can you review the current (8.3) NAT configuration to see if any of the statements have the unidirectional keyword defined?
If you find the unidirectional keyword, you may need to remove it to restore functionality.
For security reasons I would recommend against pasting any of this output in the forum.
Thanks,
Loren
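As an added illustration (not part of the thread, and not the poster's actual config): the 8.2-style NAT exemption that the migration warnings refer to, the twice-NAT form it corresponds to in 8.3/8.4, and the unidirectional keyword Loren asks about. The addresses, object names and interface names are hypothetical; substitute the real LAN and VPN pool networks.

```text
! 8.2 style (pre-upgrade): NAT exemption so traffic between the inside LAN and
! the remote-access VPN pool is not translated. Names/addresses are hypothetical.
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 8.3/8.4 style: the same exemption as twice NAT (identity NAT on both the
! source and the destination side). Network objects replace the inline ACL.
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.99.0.0 255.255.255.0

! Migrated form that breaks client-initiated traffic: with 'unidirectional' the
! rule only matches connections started from INSIDE-LAN, so a VPN client in
! VPN-POOL opening a connection into the LAN does not match this identity rule
! and can fall through to a lower PAT/static rule instead.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL unidirectional

! Corrected form: remove the keyword so the identity NAT applies in both
! directions (the first line removes the migrated rule, the second adds it back).
no nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL unidirectional
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL

! Verification: list the twice-NAT rules with hit counts, then trace a packet
! from a VPN client (decrypted traffic enters on the outside interface) to an
! inside host and confirm the NAT phase shows the identity rule above.
show nat detail
packet-tracer input outside tcp 10.99.0.5 12345 10.1.1.10 445
```

The warnings in the posted log say the exemption was skipped where a static NAT overlapped its source, so on the affected box the corrected line may have to be added by hand rather than just having the keyword removed; the packet-tracer output is the quickest way to confirm which rule a VPN client's traffic is actually hitting.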