
ASA 5505 SSL VPN LOG failed

wushikun00008
Level 1

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.

%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293

%ASA-6-113012: AAA user authentication Successful : local database : user = admin

%ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin

%ASA-6-113008: AAA transaction status ACCEPT : user = admin

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile

%ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy

%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.

%ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)

%ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.

Red error, what is the reason? It only appears on the Windows 2003 server.

5 Replies

You probably have this in your config:

group-policy SSLCLientPolicy attributes

  vpn-simultaneous-logins 2

And the two allowed simultaneous logins are reached. Either use a different username or increase this limit.

EDIT:

I just see in your config that the above is *not* the reason! You don't have a license to use more than two SSL sessions. For that you need the AnyConnect Premium or the AnyConnect Essentials license. Neither is applied to the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

thanks!!!

but......

Fault: the old way

Logging: the old way

 

ciscoasa# show activation-key
Serial Number:  JMX1314Z1UV
Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 

This platform has a Base license.

The flash activation key is the SAME as the running key.
ciscoasa#

Sure? It was a licence question?

Hello Shikun,

Here is the thing that Karsten is telling you:

SSL VPN Peers                  : 2        

This means that there can be only two SSL sessions to your ASA; until one of them gets closed you could initiate a new session.

You can disconnect all the sessions and give it a try to see it working.

Command to check how many SSL sessions exist to our ASA:

sh vpn-sessiondb webvpn

Command to clear the current SSL session on our ASA:

vpn-sessiondb logoff webvpn

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
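The 716023 message in the question is the one to watch for when a Base-licensed ASA (2 SSL VPN peers) refuses a session that AAA had already accepted. The following script is an added example, not from this thread or from Cisco: it parses the ASA syslog format shown above, extracts the group, user, IP and limit from each 716023 event, and flags users who authenticate successfully but are then refused, so the condition can be distinguished from an AAA failure. The sample log is constructed from the lines quoted in the question; the alert threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the exact format quoted in the question
# (messages 113012, 716023 and 716007); the addresses are the ones in the thread.
SAMPLE_LOG = """\
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
"""

# Field layout of the 716023 message as it appears in the ASA log.
LIMIT_RE = re.compile(
    r"%ASA-4-716023: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> Session could not be established: "
    r"session limit of (?P<limit>\d+) reached\."
)
# Successful local/AAA authentication (113012) ends with "user = <name>".
AUTH_OK_RE = re.compile(r"%ASA-6-113012: .*user = (?P<user>\S+)$")


def parse_session_limit_events(log_text):
    """Return one dict (group, user, ip, limit) per 716023 message found."""
    events = []
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["limit"] = int(ev["limit"])
            events.append(ev)
    return events


def summarize(log_text, alert_threshold=1):
    """Count successful authentications and limit refusals per user.

    A user who passes AAA (113012) and is then refused by 716023 is hitting the
    licence or vpn-simultaneous-logins cap, not failing authentication; a
    (user, ip, limit) tuple is listed in 'alerts' once its refusal count reaches
    alert_threshold (assumed value, tune per environment)."""
    auth_ok = Counter()
    blocked = Counter()
    for line in log_text.splitlines():
        m = AUTH_OK_RE.search(line)
        if m:
            auth_ok[m.group("user")] += 1
    for ev in parse_session_limit_events(log_text):
        blocked[(ev["user"], ev["ip"], ev["limit"])] += 1
    alerts = [key for key, n in blocked.items() if n >= alert_threshold]
    return {"auth_ok": dict(auth_ok), "blocked": dict(blocked), "alerts": alerts}
```

Feed it the device's syslog and compare the reported limit with "SSL VPN Peers" in show activation-key and vpn-simultaneous-logins in the group-policy to see which cap is being hit.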

Command to check how many SSL sessions exist to our ASA:

sh vpn-sessiondb webvpn

ciscoasa# show vpn-sessiondb webvpn 
INFO: There are presently no active sessions

ciscoasa# show ssl 

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: aes128-sha1

Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 aes256-sha1 null-sha1

No SSL trust-points configured

Certificate authentication is not enabled

With aes128-sha1 in use, on the Windows 2003 server even the web interface does not open!