Firewall Error Message

limlayhin
Level 1

I saw an error message on a Cisco ASA 5525-X.

Anybody have any idea?

%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error (HWErrAddr= 0x194FE5B4, Core= 0, HwErrCode= 23, IstatReg= 0x8, PciErrReg= 0x0, CoreErrStat= 0xD, CoreErrAddr= 0x2FAFE5B4, Doorbell Size[0]= 2048, DoorBell Outstanding[0]= 0, Doorbell Size[1]= 0, DoorBell Outstanding[1]= 0, SWReset= 1536)

%ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files ( 2 ) allowed have been written to < disk0:/crypto_archive >. Please archive & remove files from < disk0:/crypto_archive > if you want more Crypto Archive Files saved
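The two CRYPTO messages quoted above carry their diagnostic detail inside free text, so a log pipeline usually has to parse them before it can count accelerator errors or alert when the archive directory is full. The following Python is an added example written for this thread, not Cisco code or anything from the poster: the two CRYPTO lines are the ones quoted in the post, and the third (302013) line is a constructed filler so that the skipping of unrelated events is visible.

```python
"""Parse %ASA-4-402124 / %ASA-4-402127 CRYPTO syslog messages into fields.

Constructed example for this thread; not Cisco code.  The two CRYPTO lines are
the ones quoted in the post; the 302013 line is a constructed filler.
"""
import re

SAMPLE_LOG = """\
%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error (HWErrAddr= 0x194FE5B4, Core= 0, HwErrCode= 23, IstatReg= 0x8, PciErrReg= 0x0, CoreErrStat= 0xD, CoreErrAddr= 0x2FAFE5B4, Doorbell Size[0]= 2048, DoorBell Outstanding[0]= 0, Doorbell Size[1]= 0, DoorBell Outstanding[1]= 0, SWReset= 1536)
%ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files ( 2 ) allowed have been written to < disk0:/crypto_archive >. Please archive & remove files from < disk0:/crypto_archive > if you want more Crypto Archive Files saved
%ASA-6-302013: Built outbound TCP connection 12345 for OUTSIDE:203.0.113.5/443 (203.0.113.5/443) to INTERNAL-MGT:10.10.10.20/51000 (10.10.10.20/51000)
"""

# Generic ASA syslog prefix: %ASA-<severity>-<six digit message id>: <body>
MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# 402127: "... maximum # of files ( N ) allowed have been written to < path > ..."
ARCHIVE_RE = re.compile(
    r"maximum # of files \( (?P<max>\d+) \) allowed have been written to < (?P<path>[^ >]+) >"
)


def parse_402124(body):
    """Return the parenthesised 'Key= value' pairs of a 402124 message.

    Hex values (0x...) and decimal values are converted to int; anything
    that does not parse as a number is kept as the original string.
    """
    m = re.search(r"\((.*)\)\s*$", body)
    if not m:
        return {}
    fields = {}
    for item in m.group(1).split(", "):
        key, sep, val = item.partition("= ")
        if not sep:
            continue
        val = val.strip()
        try:
            fields[key.strip()] = int(val, 0)  # base 0 accepts 0x... and plain decimal
        except ValueError:
            fields[key.strip()] = val
    return fields


def parse_402127(body):
    """Return the file cap and archive path announced by a 402127 message."""
    m = ARCHIVE_RE.search(body)
    if not m:
        return {}
    return {"max_files": int(m.group("max")), "path": m.group("path")}


def summarize_crypto_events(log_text):
    """Count accelerator errors and archive-full events over a syslog excerpt."""
    summary = {"accelerator_errors": 0, "archive_full": 0,
               "error_codes": [], "archive_path": None, "max_files": None}
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        msgid, body = m.group("msgid"), m.group("body")
        if msgid == "402124":
            summary["accelerator_errors"] += 1
            summary["error_codes"].append(parse_402124(body).get("HwErrCode"))
        elif msgid == "402127":
            info = parse_402127(body)
            summary["archive_full"] += 1
            summary["archive_path"] = info.get("path")
            summary["max_files"] = info.get("max_files")
    return summary


if __name__ == "__main__":
    for key, value in summarize_crypto_events(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A repeated 402124 with the same HwErrCode, or a 402127 that keeps firing after the archive directory has been emptied, is the kind of pattern worth raising to TAC together with the archived files, rather than just clearing disk0:/crypto_archive and moving on.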

8 Replies

limlayhin
Level 1

It seems to be related to bug ID: CSCtn56501, but I don't understand what I need to do.

https://tools.cisco.com/bugsearch/bug/CSCtn56501


Hi,

According to the bug description it would seem that there is no workaround mentioned for this.

So I guess the only thing would be to upgrade the ASA to one of the software levels that are listed as software that should correct this bug.

It's strange though that it lists only the 8.2 software levels as the known affected ones. But the ASA model you have does not even support that software. The first (lowest) software listed that your ASA would support is 8.6(1)2, and then there are of course the 9.x series softwares. I guess it might be possible that this is not the same bug.

You did not mention your current software level though, so I am not sure what you are already running on the ASA.

I guess one important thing would also be whether you or your users are experiencing any problems with the mentioned services like VPN or Management connections?

If in doubt I guess you should really open a TAC case to get better information on your problem and the best solution to correct this.

The above log messages seem to suggest that there are 2 files in your Flash memory and the ASA will not be able to generate more files (I guess because of this error situation). You could naturally copy these files to some host/server and then remove them from the Flash to make room for new ones. At least this is what the log messages seem to suggest doing.

I think you should be able to view the contents of the folder with the command

dir disk0:/crypto_archive

You could then copy the files from the Flash and delete them.

I guess these files might be something that the Cisco TAC could take a look at if you open a case.

- Jouni

My version was 9.1.1.

When I was on this version, I deleted the 2 files, but they appeared again when I logged in to the IPSec VPN and accessed the Internet from the IPSec VPN client.

The 2 files that I deleted:

crypto_archive/crypto_eng0_arch_1.bin
crypto_archive/crypto_eng0_arch_2.bin

I upgraded the ASA to 9.1.2, and the problem still appeared.

I then upgraded the ASA to 9.1.4, and the error message disappeared; the 2 files were also gone.

The problem is I still cannot access the Internet from my IPSec VPN client.

Hi,

Your Internet connection problem from the VPN Client is most likely because of some configurations that you are missing.

If you are using a Full Tunnel VPN Client, which essentially means that when your VPN connection is active all traffic is tunneled into the VPN connection.

If this is the case then you would at least need Dynamic PAT for your VPN users.

If I were to presume that your external interface is called "outside", then a sample configuration might be like this

object network VPN-PAT
 subnet
 nat (outside,outside) dynamic interface

This would do Dynamic PAT for your VPN users which are connecting through the "outside" interface and connecting towards the "outside" interface also (Internet).

You would also have to make sure you have this command on your ASA

same-security-traffic permit intra-interface

This would enable traffic to enter and leave through the same interface. This essentially happens when your VPN user traffic is coming through the VPN connection from "outside" and is heading out to the Internet through the "outside" also.

But whether the above is the problem is impossible for me to say without more information on your current ASA configuration.

- Jouni

My Config:

ASA Version 9.1(4)
!
hostname MYFIREWALL
ip local pool myvpn-ippool 10.10.9.65 mask 255.255.255.255
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 123.123.123.123 255.255.255.240
 ipv6 enable
interface GigabitEthernet0/4
 speed 1000
 duplex full
 nameif INTERNAL-MGT
 security-level 100
 ip address 10.10.10.254 255.255.255.0
 ipv6 enable
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MYVPN-IP-NAT-PUB
 host 10.10.9.65
object network MYVPN-IP-PUB
 host xx.xx.xx.65
access-list MYVPN-ACL extended permit ip any any
object network MYVPN-IP-NAT-PUB
 nat (OUTSIDE,OUTSIDE) static MYVPN-IP-PUB
route OUTSIDE 0.0.0.0 0.0.0.0 123.123.123.169 1
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
group-policy MYVPN-SET1 internal
group-policy MYVPN-SET1 attributes
 wins-server none
 dns-server value xx.xx.xx.xx xx.xx.xx.xx
 vpn-filter value MYVPN-ACL
 vpn-tunnel-protocol ikev1
 group-lock value MYVPN-SET1
 default-domain value myvpn.com
tunnel-group MYVPN-SET1 type remote-access
tunnel-group MYVPN-SET1 general-attributes
 address-pool myvpn-ippool
 default-group-policy MYVPN-SET1
tunnel-group MYVPN-SET1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group MYVPN-SET1 ppp-attributes
 authentication pap
 authentication ms-chap-v2

Hi,

You seem to have the configurations I suggested. You have also configured a VPN Filter ACL, though you have allowed all traffic.

The problem might be that you have some other NAT configuration that is preventing these connections from working.

For example, some typical ASA NAT0 configuration might even cause this problem.

You could look for a "nat" configuration that has "source static any any" and has the VPN Pool network in the "destination static" section. If you find one, it's likely that this NAT configuration is being matched when your VPN Clients try to connect to the Internet.

I would suggest making a VPN test connection to the ASA and monitoring the ASA logs through ASDM, filtering for the VPN Client IP and looking at what happens to the connections towards the Internet. Perhaps they are blocked, or perhaps the above mentioned type of NAT configuration might actually forward the traffic to the wrong interface of the ASA.

- Jouni
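Jouni's two suggestions (the hairpin PAT plus `same-security-traffic permit intra-interface` in his first reply, and the NAT0 "source static any any ... destination static <pool>" caveat in the reply above) can be checked mechanically against a running-config rather than by eye. The Python below is an added example written for this thread, not Cisco's or the poster's code. It parses a constructed config excerpt that reuses the poster's object, pool and interface names; the VPN-POOL-NET object, the 192.0.2.65 placeholder public address and the twice-NAT line are assumptions added so that the NAT0 check has something to flag.

```python
"""Check an ASA config for the pieces hairpinned VPN-client Internet access needs
and flag NAT0 (identity twice-NAT) rules that can swallow VPN pool traffic.

Constructed example for this thread, not Cisco code.  Names follow the poster's
config; VPN-POOL-NET, 192.0.2.65 and the twice-NAT line are constructed.
"""
import ipaddress

SAMPLE_CONFIG = """\
ip local pool myvpn-ippool 10.10.9.65 mask 255.255.255.255
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 123.123.123.123 255.255.255.240
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MYVPN-IP-NAT-PUB
 host 10.10.9.65
object network MYVPN-IP-PUB
 host 192.0.2.65
object network VPN-POOL-NET
 subnet 10.10.9.64 255.255.255.240
object network MYVPN-IP-NAT-PUB
 nat (OUTSIDE,OUTSIDE) static MYVPN-IP-PUB
nat (INTERNAL-MGT,OUTSIDE) source static any any destination static VPN-POOL-NET VPN-POOL-NET
crypto map OUTSIDE_map interface OUTSIDE
"""


def parse_asa_config(text):
    """Pull out pools, network objects, object NAT, twice NAT and two globals."""
    cfg = {"pools": [], "objects": {}, "object_nat": [], "twice_nat": [],
           "intra_interface": False, "crypto_map_ifaces": set()}
    current_obj = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if not line.startswith(" "):             # top-level command
            current_obj = None
            if parts[:3] == ["ip", "local", "pool"]:
                rng = parts[4].split("-")         # "a.b.c.d" or "a.b.c.d-e.f.g.h"
                cfg["pools"].append((ipaddress.ip_address(rng[0]),
                                     ipaddress.ip_address(rng[-1])))
            elif parts == ["same-security-traffic", "permit", "intra-interface"]:
                cfg["intra_interface"] = True
            elif parts[:2] == ["object", "network"]:
                current_obj = parts[2]
                cfg["objects"].setdefault(current_obj, None)
            elif parts[0] == "nat":               # twice NAT lives at top level
                cfg["twice_nat"].append(parts)
            elif parts[:2] == ["crypto", "map"] and "interface" in parts:
                cfg["crypto_map_ifaces"].add(parts[parts.index("interface") + 1])
        elif current_obj:                         # subcommand of a network object
            if parts[0] == "host":
                cfg["objects"][current_obj] = ipaddress.ip_network(parts[1])
            elif parts[0] == "subnet":
                cfg["objects"][current_obj] = ipaddress.ip_network(
                    f"{parts[1]}/{parts[2]}", strict=False)
            elif parts[0] == "nat":               # object NAT: nat (src,dst) static|dynamic ...
                src, dst = parts[1].strip("()").split(",")
                cfg["object_nat"].append((current_obj, src, dst, parts[2]))
    return cfg


def _covers_pool(net, pools):
    """True when the object's network contains every address of some pool."""
    return net is not None and any(lo in net and hi in net for lo, hi in pools)


def check_vpn_hairpin(cfg, outside="OUTSIDE"):
    """Report which hairpin prerequisites hold and which NAT0 rules look suspect."""
    objects, pools = cfg["objects"], cfg["pools"]
    # Object NAT that translates the pool when it leaves through the same interface.
    translated = any(src == dst == outside and _covers_pool(objects.get(name), pools)
                     for name, src, dst, kind in cfg["object_nat"]
                     if kind in ("dynamic", "static"))
    # Twice NAT "source static any any ... destination static X X" with the pool in X.
    suspect = []
    for parts in cfg["twice_nat"]:
        line = " ".join(parts)
        if "source static any any" in line and "destination static" in line:
            i = parts.index("destination")
            real, mapped = parts[i + 2], parts[i + 3]
            if _covers_pool(objects.get(real), pools) or _covers_pool(objects.get(mapped), pools):
                suspect.append(line)
    return {"intra_interface": cfg["intra_interface"],
            "pool_translated": translated,
            "crypto_map_bound": outside in cfg["crypto_map_ifaces"],
            "suspect_nat0": suspect}


if __name__ == "__main__":
    for key, value in check_vpn_hairpin(parse_asa_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Feed it the output of `show running-config` and treat a non-empty `suspect_nat0` list as the first thing to test with `packet-tracer` or the ASDM log filter Jouni describes; the poster's own config passes the first three checks, which is consistent with his eventual finding that the remaining problem was software-version related rather than NAT.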

The IPSec VPN client problem is related to the ASA version. I had tried 9.1.1, 9.1.2 and 9.1.4. All version 9 releases cause the problem.

I downgraded the ASA version to 8.6.1, and the problem disappeared.

I will log a case with Cisco via my vendor.

Thanks all for the discussion.

limlayhin
Level 1

The error will disappear after upgrading to version 9.1.4.

I tried version 9.1.2, but the error message still appeared.
