Additional added objects to object-group called in an established VPN do not work on 901-k8 without a firewall reload

Dean Romanelli
Level 4

Hi All,

I have about 110 5505s in the field. I just went through each unit and added two new subnets to the object-group that is called in the already established VPN tunnel to the data center. I had no problems doing this except for when an ASA is using 901-k8 code.

What happens is I will add the new subnets to the object group, and then initiate pings from the data center side from a PC on the new interesting subnet, and I get no replies. What I end up needing to do is reload the far-end 5505, and when/if it comes back up, everything works fine. It is every 901-k8 unit I have, without fail. I've tried clearing/bouncing the tunnel and that doesn't seem to matter. I've tried unapplying then reapplying the transform-set, which also didn't help. I've tried unapplying and reapplying management-access inside; no luck. I log into the far-end 5505 ASDM sniffer and send pings from the interesting new subnet on the data center side, and I see them showing up in the 5505, but I get no replies on my local PC. I try to telnet from the data center side new subnet into the 5505 and I see the attempt on the sniffer showing "cisco asa flow terminated by tcp intercept." So the traffic is getting there, over the tunnel (because telnet traffic wouldn't be allowed in otherwise); it just seems like the 5505 is confused on how to talk back.

If possible, I'd like a less intrusive way of getting this to work without needing to reload the units, as I am physically 6,000 miles away from most of the 901-k8s and god forbid they don't come back up after the reload.

Any insight is appreciated.

Thanks.

2 Replies

slicerpro
Level 1

Can you please share some sketch topology and snippet configs?

Hi,

I ended up finding a way to do it, although still more intrusive than I would have liked. Basically I tore down and rebuilt the tunnel to the data center after I added the new subnets to the object-group, and set a scheduled reload in case I hosed it. It ended up working.

I figured the risk was acceptable with two solutions working; i.e., if I hosed the new tunnel, the scheduled reload would take, and if it didn't take, the ASA was meant to fail anyway. ;-)
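The change-behind-a-scheduled-reload pattern from the last reply, written out as an added example; this is not configuration from either poster. The object-group name, crypto map name, interface name, subnets, peer address and the 15-minute timer are assumed placeholders, and unbinding/rebinding the crypto map is an assumed way of "tearing down and rebuilding" the tunnel.

```cisco
! Added example, not configuration from either poster. Object-group name,
! crypto map name, interface name, subnets, peer and timer are placeholders.

! 1. Add the two new subnets to the object-group the crypto ACL references
!    and save, so a reload comes up with the new config (the original post
!    reports that a reloaded unit passes the new traffic correctly).
configure terminal
object-group network DC-VPN-LOCAL-NETS
 network-object 10.20.30.0 255.255.255.0
 network-object 10.20.40.0 255.255.255.0
exit
write memory

! 2. Arm the safety net: if the rebuilt tunnel never comes back and the
!    remote unit becomes unreachable, it reboots on its own in 15 minutes.
reload in 15

! 3. Tear down and rebuild the tunnel by unbinding and rebinding the crypto
!    map (assumed method). This drops every tunnel on that interface, not
!    only the one to the data center.
configure terminal
no crypto map OUTSIDE_MAP interface outside
crypto map OUTSIDE_MAP interface outside
exit

! 4. Send traffic from one of the new subnets on the data-center side, then
!    confirm the new proxy identities negotiated and are passing packets
!    (non-zero encaps and decaps counters for each new local network).
show crypto ipsec sa peer 203.0.113.10

! 5. Only after verifying, disarm the scheduled reload.
reload cancel
```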