ASA upgrade has broken my network. (9.1.1)

mcroft
Level 1

Hi,

I was running 8.4.4 on an ASA5510, everything chugging away nicely. I have SSL AnyConnect clients connecting on this ASA and also a site-to-site (IPsec) VPN too.

After an upgrade to 9.1.(1) I noticed the following:

AnyConnect Clients can still connect and access INSIDE servers. (great!)

The site-to-site VPN is fine and both sites have full connectivity. (great!)

HOWEVER, AnyConnect clients cannot connect to servers across the site-to-site VPN.

This is a pain to troubleshoot, as the first leg (SSL) and the second (IPsec) are both obviously encrypted.

I have no idea (other than to roll back) how this can be fixed.

Any help, greatly appreciated.

thanks

Matt

3 Replies

Marcin Latosiewicz
Cisco Employee

Matt,

we had similar problems in the past. Vide:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty32412

This particular one IS fixed in 9.1; however, a few other interesting bugs (especially around NAT) are also fixed between 8.4.4 and 8.4.5 (and consequently 9.0/9.1 releases), e.g.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq47028

Open up a TAC case, we'll help you figure it out.

M.

Thank you for the response Marcin, it looks like the first bug "ASA: Anyconnect u-turn to ipsec tunnel fails"

I fear this will not be fixed as we are running the latest O/S.

Do you know of any troubleshooting/debug/show commands I can run to confirm this?

thanks again

Matt

Matt,

CSCty32412 <--- I have my doubts, you are running a version that fixes this problem.

Hence my suspicion it's something else (NAT possibly)

"show asp drop" + "cap ASP type asp all" + "show nat" + "debug nat" are places to start.

M.