Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1843
Views
0
Helpful
5
Replies

Changing SSL to IPSec in ASA5510

Go to solution
Michael Seden
Level 1
Level 1

‎02-12-2013 10:30 AM

I've got a Data Center with an ASA5510, which has both a SSL tunnel for AnyConnect and an IPSec tunnel going to an ASA5505 at the Office in the outside interface.

For remote users with ASA5505's I've got two tunnels built, one to the DC and one to the office. No problems, can talk to both locations. For users that have to use Anyconnect, there is seamless access to the data center, but when the IP/TCP and  SSL headers are removed, and the ASA see's it is going to the office, is in not getting re-incapsulated by IPSec to go back out the IPSec tunnel.

Has anyone encountered this and is there a solution?

Thanks,

Mike Seden

Business Technology Architects

photo.JPGphoto1.JPG

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ROBERTO TACCON
Level 4
Level 4

‎02-13-2013 11:57 AM

Which software version are you using ?

check this BUG CSCty32412

https://supportforums.cisco.com/thread/2149125

ASA: Anyconnect u-turn to ipsec tunnel fails

Symptom:

ASA after a upgrade to 8.4.3.1 or later, anyconnect traffic that will uturn (hairpin) to a ipsec lan

to lan tunnel is dropped.

The show asp drop shows the following reason:

Expired VPN context (vpn-context-expired)

No log message is generated for the drops.

Issue is seen on ASA 8.2.5.26 as well

Conditions:

Anyconnect client uturns into a ipsec lan to lan tunnel.

Fixed-In

8.4(4)

9.0(1)

9.1(1)

9.0(0.99)

8.4(3.105)

100.8(33.3)M

100.8(0.126)M

8.2(5.29)

100.7(13.73)M

100.7(6.78)M

100.8(11.20)M

100.9(2.1)M

100.8(27.7)M

100.9(0.1)M

8.4(4.99)

100.8(34.1)M

View solution in original post

0 Helpful
5 Replies 5

Go to solution
micturne
Level 4
Level 4

‎02-13-2013 08:52 AM

Thanks for posting Mike and great use of whiteboard shots.  I'll run this one by the megaminds and see what we can find for you.

0 Helpful

Go to solution
admin11111
Level 4
Level 4
In response to micturne

‎02-13-2013 09:05 AM

I'm glad there is a mega-mind out there because mine is fixin' to explode! I am just about ready to start a TAC case with it. I would be glad to share configs if needed, but will have to go through the 'Change' Procedure to make any. Thanks for your reply and letting me know that there is hope. My Obi-Wan makes me whiteboard everything....

0 Helpful

Go to solution
ROBERTO TACCON
Level 4
Level 4

‎02-13-2013 11:57 AM

Which software version are you using ?

check this BUG CSCty32412

https://supportforums.cisco.com/thread/2149125

ASA: Anyconnect u-turn to ipsec tunnel fails

Symptom:

ASA after a upgrade to 8.4.3.1 or later, anyconnect traffic that will uturn (hairpin) to a ipsec lan

to lan tunnel is dropped.

The show asp drop shows the following reason:

Expired VPN context (vpn-context-expired)

No log message is generated for the drops.

Issue is seen on ASA 8.2.5.26 as well

Conditions:

Anyconnect client uturns into a ipsec lan to lan tunnel.

Fixed-In

8.4(4)

9.0(1)

9.1(1)

9.0(0.99)

8.4(3.105)

100.8(33.3)M

100.8(0.126)M

8.2(5.29)

100.7(13.73)M

100.7(6.78)M

100.8(11.20)M

100.9(2.1)M

100.8(27.7)M

100.9(0.1)M

8.4(4.99)

100.8(34.1)M

0 Helpful

Go to solution
Michael Seden
Level 1
Level 1
In response to ROBERTO TACCON

‎02-13-2013 01:22 PM

I see that ASA version 8.4(3)8 is what is currently running.

0 Helpful

Go to solution
Michael Seden
Level 1
Level 1
In response to ROBERTO TACCON

‎02-13-2013 01:47 PM

I used the bugtool to see what was what, and the powers that be decided we need to upgrade. Our current version definately hits in the bug zone. Thank you so much for your help.

0 Helpful
Customers Also Viewed These Support Documents