Cisco ASA cli notification %ASA-3-340001: Vnet-proxy handshake error..

IamSamSaul · ‎06-17-2022

Hello,

I'm getting the following messages on cli of my Cisco ASA. I have tried to search on this message but could not find anything which can guide me to correct reason.

Jun 17 2022 14:34:15: %ASA-3-340001: Vnet-proxy handshake error 009 - request: tcp conn (0x00007fbf94011b30)
Jun 17 2022 14:34:54: %ASA-3-340001: Vnet-proxy handshake error 009 - request: tcp conn (0x00007fbf94006b20)
Jun 17 2022 14:35:37: %ASA-3-340001: Vnet-proxy handshake error 009 - request: tcp conn (0x00007fbf9000e490)
Jun 17 2022 14:36:19: %ASA-3-340001: Vnet-proxy handshake error 009 - request: tcp conn (0x00007fbf900146a0)
Jun 17 2022 14:36:51: %ASA-3-340001: Vnet-proxy handshake error 009 - request: tcp conn (0x00007fbf7cd9f110)
Jun 17 2022 14:37:25: %ASA-3-340001: Vnet-proxy handshake error 009 - request: tcp conn (0x00007fbf7caaa730)
Jun 17 2022 14:38:01: %ASA-3-340001: Vnet-proxy handshake error 009 - request: tcp conn (0x00007fbf8c006060)

The Cisco ASA can connect to Cisco Smart Licensing portal and licensed properly. I read somewhere that this might happen if Cisco ASA can't reach the Cisco Smart Licensing cloud.

I hope someone can point me to the right direction.

Thanks & Regards,

Sam

Rob Ingram · ‎06-17-2022

@IamSamSaul have you seen this link for troubleshooting smart licensing issues? https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/213932-asa-smart-licensing-failures-due-to-cert.html

Confirm which ASA version you are running also.

Possibly a certificate issue, refer to the guide and check your certificates. Refer to this link https://www.cisco.com/c/en/us/support/docs/field-notices/703/fn70319.html the QuoVadis Root CA certificatge may need updating on the ASA.

IamSamSaul · ‎06-17-2022

Hi Rob,

Thanks for your reply. I had already found the first URL and followed the steps. My Cisco ASA version is:

Cisco Adaptive Security Appliance Software Version 9.17(1)

As you see below, the device has successfully registered to Cisco Smart Licensing cloud.

Smart Licensing is ENABLED

Utility:
Status: DISABLED

Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED

Transport:
Type: Callhome

Registration:
Status: REGISTERED
Smart Account: ############
Virtual Account: DEFAULT
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Mar 04 2022 10:18:11 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Aug 31 2022 10:18:09 UTC
Registration Expires: Mar 04 2023 10:13:06 UTC

License Authorization:
Status: AUTHORIZED on Jun 17 2022 12:58:29 UTC
Last Communication Attempt: SUCCEEDED on Jun 17 2022 12:58:29 UTC
Next Communication Attempt: Jul 17 2022 12:58:28 UTC
Communication Deadline: Sep 15 2022 12:53:13 UTC

Thanks & Regard,

Sam

MHM Cisco World · ‎06-17-2022

Vnet-proxy from Azura are you config any Web filter ? I don't have a lot info. about the Azura but start from their.

igor-rudman · ‎02-28-2025

had the same problem. It happens because ASA VM in Azure can't access special Azure nodes with target IPs 168.63.129.16 and 169.254.169.254.

These nodes are used by the Azure VM agent running on the ASA VM.
Just added static routes for both destination IPs forcing the rooting via the ASA interface marked as "primary" in the Azure environment. This solved the issue for me