03-06-2014 06:13 PM - edited 03-11-2019 08:54 PM
I saw this error message on a Cisco ASA 5525-X.
Anybody have any idea?
%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error (HWErrAddr= 0x194FE5B4, Core= 0, HwErrCode= 23, IstatReg= 0x8, PciErrReg= 0x0, CoreErrStat= 0xD, CoreErrAddr= 0x2FAFE5B4, Doorbell Size[0]= 2048, DoorBell Outstanding[0]= 0, Doorbell Size[1]= 0, DoorBell Outstanding[1]= 0, SWReset= 1536)
%ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files ( 2 ) allowed have been written to < disk0:/crypto_archive >. Please archive & remove files from < disk0:/crypto_archive > if you want more Crypto Archive Files saved
03-06-2014 06:56 PM
It seems to be related to bug ID: CSCtn56501, but I don't understand what I need to do.
https://tools.cisco.com/bugsearch/bug/CSCtn56501
03-07-2014 12:48 AM
Hi,
According to the Bug description it would seem that there is no workaround mentioned for this.
So I guess the only thing would be to upgrade the ASA to one of the software levels that are listed as software that should correct this bug.
It's strange though that it lists only the 8.2 software levels as the known affected ones. But the ASA model you have does not even support that software. The first (lowest) software listed that your ASA would support is 8.6(1)2, and then there is of course the 9.x series software. I guess it might be possible that this is not the same bug.
You did not mention your current software level though so I am not sure what you are already running on the ASA.
I guess one important thing would also be whether you or your users are experiencing any problems with the mentioned services like VPN or Management connections?
If in doubt I guess you should really open a TAC case to get better information on your problem and the best solution to correct this.
The above log messages seem to suggest that there are 2 files in your Flash memory and the ASA will not be able to generate more files (I guess because of this error situation). You could naturally copy these files to some host/server and then remove them from the Flash to make room for new ones. At least this is what the log messages seem to suggest doing.
I think you should be able to view the contents of the folder with the command
dir disk0:/crypto_archive
You could then copy the files from the Flash and delete them.
I guess these files might be something that the Cisco TAC could take a look at if you open a case.
- Jouni
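For anyone triaging these two syslog IDs from a collector rather than by eye, here is a small parser, added to this thread and not taken from the original posts or from Cisco, that separates the accelerator fault (402124, with its key/value fields) from the housekeeping message (402127, archive directory full) that Jouni reads as "copy the files off and delete them". The sample lines reuse the values quoted in the first post; the third line is a constructed non-crypto message to show the function ignoring it.

```python
import re

# Sample lines: the first two reuse the messages quoted in the question,
# the third is a constructed unrelated message that should be ignored.
SAMPLE_LOGS = [
    "%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error "
    "(HWErrAddr= 0x194FE5B4, Core= 0, HwErrCode= 23, IstatReg= 0x8, PciErrReg= 0x0, "
    "CoreErrStat= 0xD, CoreErrAddr= 0x2FAFE5B4, Doorbell Size[0]= 2048, "
    "DoorBell Outstanding[0]= 0, Doorbell Size[1]= 0, DoorBell Outstanding[1]= 0, "
    "SWReset= 1536)",
    "%ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive "
    "File as the maximum # of files ( 2 ) allowed have been written to "
    "< disk0:/crypto_archive >. Please archive & remove files from "
    "< disk0:/crypto_archive > if you want more Crypto Archive Files saved",
    "%ASA-6-302013: Built inbound TCP connection 1 for OUTSIDE:192.0.2.1/1234",
]

MSG_ID = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")


def triage_crypto_log(line):
    """Return a structured record for 402124/402127, or None for other messages."""
    m = MSG_ID.match(line)
    if not m:
        return None
    severity, msg_id, text = int(m.group(1)), m.group(2), m.group(3)
    if msg_id == "402124":
        # Fields sit inside the parentheses as "Key= value, Key= value";
        # int(v, 0) accepts both the 0x... and the decimal values.
        inner = text[text.index("(") + 1 : text.rindex(")")]
        fields = {k.strip(): int(v, 0)
                  for k, v in (p.split("= ") for p in inner.split(", "))}
        return {"id": msg_id, "severity": severity, "kind": "hw_accel_error",
                "core": fields.get("Core"), "err_code": fields.get("HwErrCode"),
                "sw_reset": fields.get("SWReset")}
    if msg_id == "402127":
        # Housekeeping: the archive directory already holds the maximum count.
        directory = re.search(r"< (\S+) >", text).group(1)
        max_files = int(re.search(r"\( (\d+) \)", text).group(1))
        return {"id": msg_id, "severity": severity, "kind": "archive_dir_full",
                "dir": directory, "max_files": max_files}
    return None


if __name__ == "__main__":
    for rec in filter(None, map(triage_crypto_log, SAMPLE_LOGS)):
        print(rec)
```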
03-07-2014 01:20 AM
My version was 9.1.1.
When I was on this version, I deleted the 2 files, but they appeared again when I logged in to the IPSec VPN and accessed the Internet from the IPSec VPN client.
The 2 files that I deleted:
crypto_archive/crypto_eng0_arch_1.bin
crypto_archive/crypto_eng0_arch_2.bin
I upgraded the ASA to 9.1.2, and the problem still appeared.
I then upgraded the ASA to 9.1.4, and the error message disappeared; the 2 files were also gone.
The problem is that I still cannot access the Internet from my IPSec VPN client.
03-07-2014 01:33 AM
Hi,
Your Internet connection problem from the VPN Client is most likely because of some configurations that you are missing.
If you are using a Full Tunnel VPN Client, which essentially means that when your VPN connection is active all traffic is tunneled through the VPN connection, then you would at least need Dynamic PAT for your VPN users.
If I were to presume that your external interface is called "outside", then a sample configuration might be like this:
object network VPN-PAT
subnet
nat (outside,outside) dynamic interface
This would do Dynamic PAT for your VPN users which are connecting through "outside" interface and connecting towards "outside" interface also (Internet)
You would also have to make sure you have this command on your ASA
same-security-traffic permit intra-interface
This would enable traffic to enter and leave through the same interface. This essentially happens when your VPN user traffic is coming through the VPN connection from "outside" and is heading out to the Internet through the "outside" also.
But whether the above is the problem is impossible for me to say without more information about your current ASA configuration.
- Jouni
03-07-2014 01:56 AM
My Config:
ASA Version 9.1(4)
!
hostname MYFIREWALL
ip local pool myvpn-ippool 10.10.9.65 mask 255.255.255.255
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 123.123.123.123 255.255.255.240
 ipv6 enable
interface GigabitEthernet0/4
 speed 1000
 duplex full
 nameif INTERNAL-MGT
 security-level 100
 ip address 10.10.10.254 255.255.255.0
 ipv6 enable
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MYVPN-IP-NAT-PUB
 host 10.10.9.65
object network MYVPN-IP-PUB
 host xx.xx.xx.65
access-list MYVPN-ACL extended permit ip any any
object network MYVPN-IP-NAT-PUB
 nat (OUTSIDE,OUTSIDE) static MYVPN-IP-PUB
route OUTSIDE 0.0.0.0 0.0.0.0 123.123.123.169 1
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
group-policy MYVPN-SET1 internal
group-policy MYVPN-SET1 attributes
 wins-server none
 dns-server value xx.xx.xx.xx xx.xx.xx.xx
 vpn-filter value MYVPN-ACL
 vpn-tunnel-protocol ikev1
 group-lock value MYVPN-SET1
 default-domain value myvpn.com
tunnel-group MYVPN-SET1 type remote-access
tunnel-group MYVPN-SET1 general-attributes
 address-pool myvpn-ippool
 default-group-policy MYVPN-SET1
tunnel-group MYVPN-SET1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group MYVPN-SET1 ppp-attributes
 authentication pap
 authentication ms-chap-v2
03-07-2014 06:19 AM
Hi,
You seem to have the configurations I suggested. You have also configured a VPN Filter ACL, though you have allowed all traffic.
The problem might be that you have some other NAT configuration that is preventing these connections from working.
For example some typical ASA NAT0 configuration might even cause this problem.
You could look for a "nat" configuration that has "source static any any" and has the VPN Pool network in the "destination static" section. If you find one, it's likely that this NAT configuration is being matched when your VPN Clients try to connect to the Internet.
I would suggest having a VPN test connection to the ASA and monitoring the ASA logs through ASDM filtering for the VPN Client IP and looking what happens to the connections towards Internet. Perhaps they are blocked or perhaps the above mentioned type of NAT configuration might actually forward the traffic to the wrong interface of the ASA.
- Jouni
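The two checks Jouni describes in this thread (the hairpin PAT plus same-security-traffic from his earlier reply, and the "source static any any destination static <pool>" twice-NAT rule that can be matched first) can be run against a saved running-config. The script below is added here as an example and is not from the thread or from Cisco; it assumes the VPN pool CIDR and the outside interface name are passed in, and parses only the ASA 8.3+ object / twice-NAT syntax shown in the posts. The config text inside it is constructed, not the poster's.

```python
import ipaddress
import re

# Constructed running-config excerpt, not the poster's config: it contains the
# identity twice-NAT Jouni warns about plus the (OUTSIDE,OUTSIDE) PAT he suggests.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network VPN-POOL
 subnet 10.10.9.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
object network VPN-PAT
 subnet 10.10.9.0 255.255.255.0
 nat (OUTSIDE,OUTSIDE) dynamic interface
"""

TWICE_NAT = re.compile(r"^nat \((\S+),(\S+)\) source static any any destination static (\S+) \S+")
OBJECT_NAT = re.compile(r"^ nat \((\S+),(\S+)\) (?:dynamic|static) ")


def parse_config(cfg):
    """Collect object networks, their object NAT rules, and 'any any' twice-NAT rules."""
    objects, obj_nats, twice_nats, name = {}, [], [], None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            name = line.split()[2]
        elif name and line.startswith(" subnet "):
            _, net, mask = line.split()
            objects[name] = ipaddress.ip_network(f"{net}/{mask}")
        elif name and line.startswith(" host "):
            objects[name] = ipaddress.ip_network(line.split()[1])
        elif name and (m := OBJECT_NAT.match(line)):
            obj_nats.append((name, m.group(1), m.group(2)))
        elif (m := TWICE_NAT.match(line)):
            twice_nats.append((m.group(1), m.group(2), m.group(3)))
    return objects, obj_nats, twice_nats


def audit_vpn_hairpin(cfg, pool_cidr, outside="OUTSIDE"):
    """Return findings that would stop full-tunnel VPN clients reaching the Internet."""
    pool = ipaddress.ip_network(pool_cidr)
    objects, obj_nats, twice_nats = parse_config(cfg)
    covers = lambda obj: obj in objects and pool.overlaps(objects[obj])
    findings = []
    if "same-security-traffic permit intra-interface" not in cfg.splitlines():
        findings.append("missing: same-security-traffic permit intra-interface")
    # Twice NAT is evaluated before object NAT, so an identity rule whose
    # destination object covers the pool is hit before the hairpin PAT.
    for ingress, egress, dst in twice_nats:
        if covers(dst):
            findings.append(f"twice NAT ({ingress},{egress}) any->{dst} shadows the VPN PAT")
    if not any(covers(o) and i == e == outside for o, i, e in obj_nats):
        findings.append(f"missing: dynamic PAT for {pool} on ({outside},{outside})")
    return findings
```

Feed it the output of `show running-config` saved to a file, with the pool from `ip local pool` and the real outside interface name, and review each finding against the ASDM log filter Jouni suggests.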
03-10-2014 08:01 PM
The IPSec VPN client problem is related to the ASA version. I had tried 9.1.1, 9.1.2 and 9.1.4. All version 9 releases cause the problem.
I downgraded the ASA version to 8.6.1, and the problem disappeared.
I will log a case with Cisco via my vendor.
Thanks all for the discussion.
03-10-2014 07:58 PM
The error disappeared after upgrading the version to 9.1.4.
I tried version 9.1.2, but the error message would still appear.