"easy vpn" problem after upgrade to 8.3

Anyone

I have a scenario of 3 x asa5505, asa1, asa2 and asa3.

asa1 is the central point (server if you like). asa2 has a site to site vpn to asa1 and works fine (asa1 and 2 have fixed public IPs).

asa3 however does not have a public IP but is sitting behind another (Xyzel) dsl modem/firewall. I have used EasyVPN on asa3 earlier, and all worked fine. After upgrading asa1 to 8.3(2) the tunnel from asa3 to asa1 never comes back up. All I see in the log (ASDM) on asa1 is the following:

"Date and Time stamp" "source IP" Maximum concurrent IKE negotiations exceeded!

I have re-run the Wizard in ASDM on both asa3 and asa1 (easyvpn wizard on asa3, and remote access wizard on asa1)

Anyone?

br

hkl

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi Kristian,

What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?

Thanks and regards,

Prapanch


Re: "easy vpn" problem after upgrade to 8.3

praprama wrote:

Hi Kristian,

What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?

Thanks and regards,

Prapanch

Hello, and thanks for your response.

Yes I tried a restart, no difference. Here is a copy of the syslog msg.

br

Kristian

lity | Severity | Message | Time
asa-3-713191 local4 | error | nov 15 2010 08:02:38: %%asa-3-713191: ip = 88.90.17.178, maximum concurrent ike negotiations exceeded! | 15 Nov 2010, 08:02:4

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Please attach the show tech if possible. I am particularly interested in the memory, cpu and the blocks.

You can just paste the output of

show mem

show cpu

show blocks


Re: "easy vpn" problem after upgrade to 8.3

jathaval wrote:

Please attach the show tech if possible. I am particularly interested in the memory, cpu and the blocks.

You can just paste the output of

show mem

show cpu

show blocks


Hello

Attached a file with the requested info. This is from asa1. Cannot access asa3 until the vpn is there

br

Kristian

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi Kristian,

Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.

I would suggest that you open up a TAC case to investigate further and collect all necessary information.

Regards,

Prapanch


Re: "easy vpn" problem after upgrade to 8.3

praprama wrote:

Hi Kristian,

Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.

I would suggest that you open up a TAC case to investigate further and collect all necessary information.

Regards,

Prapanch

Hello

Attached an rtf file with the requested info. I will investigate your links, and contact TAC if this is not only due to my lack of competence.

hkl

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi Kristian,

Could you also get the output of "debug menu ike 28 1"?

Regards,

Prapanch


Re: "easy vpn" problem after upgrade to 8.3

praprama wrote:

Hi Kristian,

Could you also get the output of "debug menu ike 28 1"?

Regards,

Prapanch

Hello Prapanch

Here is the requested output:

anubis# deb menu ike 28 1

IKE simultaneous P1 negotiations Stats:

  current negotiation count   = 50

  device current limit        = 50 (device default)

  device default limit        = 50

  highwater negotiation count = 50

anubis#

br
Kristian

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi,

So the reason why you are getting that log is because we are past the maximum of IKE negotiations the device can handle by default.

Now, the reason for the failure seems to be "Auth Fails" from the output of "show cry isa stats" as the counter for that is large.

I think the best option is to open up a TAC case to investigate further. But please do let me know the results of it. I will be interested in the resolution.

Regards,

Prapanch
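
Added example, not part of any post in this thread and not Cisco code: a small Python check that counts 713191 rejections per peer from syslog text and reads the "debug menu ike 28 1" counters to tell whether the phase 1 negotiation table is full. The syslog sample lines and their addresses are constructed, and the labels "saturated", "recovered" and "ok" are names chosen here.

```python
import re
from collections import Counter

# Constructed sample input: syslog lines in the format quoted in the thread,
# with documentation-range addresses (not taken from the attachments).
SAMPLE_SYSLOG = """\
Nov 15 2010 08:02:38: %ASA-3-713191: IP = 192.0.2.10, Maximum concurrent IKE negotiations exceeded!
Nov 15 2010 08:02:41: %ASA-3-713191: IP = 192.0.2.10, Maximum concurrent IKE negotiations exceeded!
Nov 15 2010 08:02:44: %ASA-3-713191: IP = 198.51.100.7, Maximum concurrent IKE negotiations exceeded!
Nov 15 2010 08:02:45: %ASA-6-302013: unrelated message (constructed)
"""

# Output of "debug menu ike 28 1" as posted in the thread.
SAMPLE_STATS = """\
IKE simultaneous P1 negotiations Stats:
  current negotiation count   = 50
  device current limit        = 50 (device default)
  device default limit        = 50
  highwater negotiation count = 50
"""

# Case-insensitive, and tolerant of the doubled "%%" seen in the ASDM export.
MSG_713191 = re.compile(r"%+ASA-3-713191:\s*IP\s*=\s*([0-9.]+)", re.IGNORECASE)
STAT_LINE = re.compile(r"^\s*(.+?)\s*=\s*(\d+)", re.MULTILINE)

def rejected_peers(syslog_text):
    """Count 713191 rejections per peer IP."""
    return Counter(MSG_713191.findall(syslog_text))

def parse_p1_stats(stats_text):
    """Turn the 'name = value' lines into a dict of ints."""
    return {name: int(val) for name, val in STAT_LINE.findall(stats_text)}

def assess(stats):
    """Classify the P1 negotiation table from the parsed counters."""
    current = stats["current negotiation count"]
    limit = stats["device current limit"]
    if current >= limit:
        return "saturated"   # every slot in use: new negotiations log 713191
    if stats["highwater negotiation count"] >= limit:
        return "recovered"   # limit was reached earlier, slots are free now
    return "ok"

if __name__ == "__main__":
    for ip, n in rejected_peers(SAMPLE_SYSLOG).most_common():
        print(f"{ip}: {n} rejected negotiation(s)")
    print("P1 table:", assess(parse_p1_stats(SAMPLE_STATS)))
```
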

Beginner

Re: "easy vpn" problem after upgrade to 8.3

Was there any resolution to this issue? I just upgraded to 8.3 and I'm having a similar issue with the easy vpn not connecting.


Re: "easy vpn" problem after upgrade to 8.3

To all who helped out here, sorry for the long silence.

I ended up resetting the ASA to factory default (which was a struggle in itself for some reason) and rebuilding the config step by step.

Works fine now. I'll be glad to forward my configs to anyone who could need them.

hkl
