"easy vpn" problem after upgrade to 8.3

Anyone

I have a scenario of 3 x asa5505, asa1, asa2 and asa3.

asa1 is the central point (server if you like). asa2 has a site-to-site VPN to asa1 and works fine (asa1 and asa2 have fixed public IPs).

asa3 however does not have a public IP but is sitting behind another (Xyzel) dsl modem/firewall. I have used EasyVPN on asa3 earlier, and all worked fine. After upgrading asa1 to 8.3(2) the tunnel from asa3 to asa1 never comes back up. All I see in the log (ASDM) on asa1 is the following:

"Date and Time stamp" "source IP" Maximum concurrent IKE negotiations exceeded!

I have re-run the Wizard in ASDM on both asa3 and asa1 (easyvpn wizard on asa3, and remote access wizard on asa1)

Anyone?

br

hkl

11 Replies

praprama
Cisco Employee

Hi Kristian,

What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?

Thanks and regards,

Prapanch

praprama wrote:

Hi Kristian,

What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?

Thanks and regards,

Prapanch


Hello, and thanks for your response.

Yes I tried a restart, no difference. Here is a copy of the syslog msg.

br

Kristian

Syslog ID / facility: asa-3-713191 local4
Severity: error
Message: nov 15 2010 08:02:38: %asa-3-713191: ip = 88.90.17.178, maximum concurrent ike negotiations exceeded!
Time: 15 Nov 2010, 08:02:4

Please attach the show tech if possible; I am particularly interested in the memory, CPU and the blocks.

You can just paste the output of

show mem
show cpu
show blocks

jathaval wrote:

Please attach the show tech if possible; I am particularly interested in the memory, CPU and the blocks.

You can just paste the output of

show mem
show cpu
show blocks


Hello

Attached a file with the requested info. This is from asa1. I cannot access asa3 until the VPN is there.

br

Kristian

Hi Kristian,

Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.

I would suggest you open up a TAC case to investigate further and collect all necessary information.

Regards,

Prapanch

praprama wrote:

Hi Kristian,

Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.

I would suggest you open up a TAC case to investigate further and collect all necessary information.

Regards,

Prapanch

Hello

Attached an rtf file with the requested info. I will investigate your links, and contact TAC if this is not only due to my lack of competence.

hkl

Hi Kristian,

Could you also get the output of "debug menu ike 28 1"?

Regards,

Prapanch

praprama wrote:

Hi Kristian,

Could you also get the output of "debug menu ike 28 1"?

Regards,

Prapanch

Hello Prapanch

Here is the requested output:

anubis# deb menu ike 28 1
IKE simultaneous P1 negotiations Stats:
  current negotiation count   = 50
  device current limit        = 50 (device default)
  device default limit        = 50
  highwater negotiation count = 50
anubis#

br
Kristian

Hi,

So the reason you are getting that log is that we are past the maximum number of IKE negotiations the device can handle by default.

Now, the reason for the failure seems to be "Auth Fails" from the output of "show cry isa stats" as the counter for that is large.

I think the best option is to open up a TAC case to investigate further. But please do let me know the results of it. I will be interested in the resolution.

Regards,

Prapanch
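A small detector for the condition this thread diagnoses, added here as an example and not code from the thread's participants or from Cisco: it tallies %ASA-3-713191 syslog lines per peer IP and parses the "debug menu ike 28 1" counters to flag when the phase 1 negotiation slots are exhausted. The sample syslog and debug text below are constructed to match the formats shown in the thread; the peer IPs are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines (IPs are documentation addresses, not real peers).
SAMPLE_SYSLOG = """\
Nov 15 2010 08:02:38: %ASA-3-713191: IP = 203.0.113.10, Maximum concurrent IKE negotiations exceeded!
Nov 15 2010 08:02:39: %ASA-3-713191: IP = 203.0.113.10, Maximum concurrent IKE negotiations exceeded!
Nov 15 2010 08:02:40: %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.5/443
Nov 15 2010 08:02:41: %ASA-3-713191: IP = 198.51.100.7, Maximum concurrent IKE negotiations exceeded!
"""

# Constructed sample of "debug menu ike 28 1" output, in the layout the thread shows.
SAMPLE_DEBUG = """\
IKE simultaneous P1 negotiations Stats:
  current negotiation count   = 50
  device current limit        = 50 (device default)
  device default limit        = 50
  highwater negotiation count = 50
"""

# Extraction on this page lowercased the message, so match case-insensitively.
SYSLOG_713191 = re.compile(
    r"%ASA-3-713191: IP = (?P<ip>[\d.]+), Maximum concurrent IKE negotiations exceeded!",
    re.IGNORECASE,
)
# "<label> = <number>" lines of the debug output; trailing text such as "(device default)" is ignored.
DEBUG_COUNTER = re.compile(r"^\s*(?P<key>[a-z ]+?)\s*=\s*(?P<value>\d+)", re.IGNORECASE)


def count_713191_by_peer(syslog_text):
    """Count ASA-3-713191 events per source IP; a single noisy peer stands out here."""
    peers = Counter()
    for line in syslog_text.splitlines():
        m = SYSLOG_713191.search(line)
        if m:
            peers[m.group("ip")] += 1
    return peers


def parse_ike_p1_stats(debug_text):
    """Turn the debug counters into a dict keyed by their label."""
    stats = {}
    for line in debug_text.splitlines():
        m = DEBUG_COUNTER.match(line)
        if m:
            stats[m.group("key").strip()] = int(m.group("value"))
    return stats


def p1_slots_exhausted(stats):
    """True when every simultaneous P1 negotiation slot is in use (count at or above the limit)."""
    limit = stats.get("device current limit", 0)
    return limit > 0 and stats.get("current negotiation count", 0) >= limit
```

With the thread's numbers (count 50, limit 50) the check returns True, which matches the 713191 log; a high "Auth Fails" counter in "show cry isa stats" then points at why the slots never free up.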

Was there any resolution to this issue? I just upgraded to 8.3 and I'm having a similar issue with the easy vpn not connecting.

To all who helped out here, sorry for the long silence.

I ended up resetting the ASA to factory default (which was a struggle in itself for some reason) and rebuilding the config step by step.

Works fine now. I'll be glad to forward my configs to anyone who could need them.

hkl
