ASA 9.9.2 multi-context VPN IKEv2 problem

dholtmann
Level 1

We have set up a Cisco ASA 9.9.2 in multi-context mode on Firepower 4120 for remote-access VPN and we are using Cisco AnyConnect as client.
So far we have managed to establish a VPN connection with SSL as tunneling protocol. But we need IKEv2/IPSec for the VPN connection.

The release notes for ASA 9.9.2 state:
VPN Features
Support for configuring ASA to allow Anyconnect and third party Standards-based IPSec IKEv2 VPN clients to establish Remote Access VPN sessions to ASA operating in multi-context mode.

But we can't get an IKEv2 IPSec connection up and running.

We are seeing these syslog messages:
%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x18AB21A7) between x.x.x.x and x.x.x.x (user= xxx) has been created.
%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0xDF9ADA4D) between x.x.x.x and x.x.x.x (user= xxx) has been created.
%ASA-4-113019: Group = xxx, Username = xxx, IP = x.x.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Internal Error

The first two indicate that an IPSec VPN connection was established, but the connection is terminated immediately afterwards. I'm assuming that our configuration is correct, because an SSL-VPN connection is working.

Does anyone have the same issue? My current suggestion is that (even though mentioned in the release notes), IKEv2-IPSec VPN isn't supported in multi-context mode.

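The syslog pattern described in the post (602303 SA creation followed at once by a 113019 disconnect with zero duration and zero bytes) can be picked out of a larger log automatically. The following is an added example, not part of the original post and not Cisco code; the sample lines, addresses, user names and the group name RA-VPN are constructed, and the optional day prefix in the duration field is an assumption.

```python
import re

# Constructed sample lines in the format of the messages quoted in the post
# (addresses, users, group name and the second session are made up).
SAMPLE_LOG = """\
%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x18AB21A7) between 192.0.2.10 and 198.51.100.7 (user= alice) has been created.
%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0xDF9ADA4D) between 192.0.2.10 and 198.51.100.7 (user= alice) has been created.
%ASA-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.7, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Internal Error
%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x0A0B0C0D) between 192.0.2.10 and 198.51.100.9 (user= bob) has been created.
%ASA-4-113019: Group = RA-VPN, Username = bob, IP = 198.51.100.9, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:12m:05s, Bytes xmt: 48211, Bytes rcv: 90133, Reason: User Requested
"""

SA_CREATED = re.compile(r"%ASA-6-602303: .*\(user= (?P<user>[^)]+)\) has been created")
DISCONNECT = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?:(?P<d>\d+)d )?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "  # day prefix assumed
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)

def find_stillborn_sessions(log_text):
    """Return disconnects that follow SA creation with zero duration and zero traffic."""
    pending = {}   # user -> SAs created since that user's last disconnect
    findings = []
    for line in log_text.splitlines():
        m = SA_CREATED.search(line)
        if m:
            user = m["user"].strip()
            pending[user] = pending.get(user, 0) + 1
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        user = m["user"].strip()
        seconds = (int(m["d"] or 0) * 86400 + int(m["h"]) * 3600
                   + int(m["m"]) * 60 + int(m["s"]))
        sas = pending.pop(user, 0)  # the disconnect closes this user's pending SAs
        if sas and seconds == 0 and int(m["xmt"]) == 0 and int(m["rcv"]) == 0:
            findings.append({"user": user, "group": m["group"].strip(),
                             "ip": m["ip"].strip(), "type": m["type"].strip(),
                             "reason": m["reason"].strip(), "sas_created": sas})
    return findings

if __name__ == "__main__":
    for f in find_stillborn_sessions(SAMPLE_LOG):
        print(f)
```

Grouping the findings by session type and reason shows whether the immediate teardown is limited to IKEv2/IPsec sessions in a given context or affects other tunnel types as well.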