cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
3982
Views
0
Helpful
5
Replies
wushikun00008
Beginner

ASA 5505 SSL VPN LOG failed

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.

%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293

%ASA-6-113012: AAA user authentication Successful : local database : user = admin

%ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin

%ASA-6-113008: AAA transaction status ACCEPT : user = admin

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile

%ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy

%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.

%ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)

%ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.

Red error what is the reason? Only appears in the window 2003 server.

5 REPLIES 5
Karsten Iwen
VIP Mentor

You probably have this in your config:

group-policy SSLCLientPolicy attributes

  vpn-simultaneous-logins 2

And the two allowed simultaneous logins are reached. Either use a different username or increase this limit.

EDIT:

I just see in your config thta the above is *not* the reason! You don't have a license to use more then two SSL-sessions. For that you need the AnyConnect Premium or the AnyConnect Essentials license. Both is not applied to the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

thanks   !!!

but......

Fault: the old way

Logging: the old way

 

ciscoasa# show   activation-key 
Serial Number:  JMX1314Z1UV
Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 

This platform has a Base license.

The flash activation key is the SAME as the running key.
ciscoasa#

Sure ?it was licence question?

Hello Shikun,

Here is the thing that Karsten is telling you:

SSL VPN Peers                  : 2        

This means that there can be only to SSL sessions to your ASA, until one of them get's closed you could innitiate a new session.

You can disconnect all the sessions and give it a try to see it working.

Command to check how many SSL sessions exist to our ASA:

sh vpn-sessiondb webvpn

Command to clear the current SSL session on our ASA:

vpn-sessiondb logoff webvpn

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Command to check how many SSL sessions exist to our ASA:

sh vpn-sessiondb webvpn

ciscoasa# show vpn-sessiondb webvpn 
INFO: There are presently no active sessions

ciscoasa# show ssl 

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: aes128-sha1

Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 aes256-sha1 null-sha1

No SSL trust-points configured

Certificate authentication is not enabled

The use of aes128-sha1 win2003server even web interface are not open!

Create
Recognize Your Peers
Content for Community-Ad