ASA5520 HA failover - IPSEC VPN stops working on standby - ESP Failed Authentication

garybrophy (Level 1)

Hi All,

Any recommendations welcome!

I have Failover pair of 5520 in active/standby. Everything works fine on the active firewall but when it fails over to the standby Firewall one particular VPN stops working.

The following error constantly appears on the other side:

 

IPSEC:Recieved an ESP packet (SPI=0x56869431, sequence number= 0x2FAF1CD) from x.x.x.x (user = x.x.x.x) to x.x.x.x that failed authentication

 

While on the Standby I have cleared the IPSEC and ISAKMP connection and I can see Phase 1 and Phase 2 establish but straight after that the above error appears and no traffic passes.

I have rebooted the Firewalls individually and together to clear the cluster but same thing.

I have upgraded the firewalls to version asa9.17-19-k8.bin but same issue.

I am thinking of taking the cables from the Active unit putting them in the Standby unit to see if it works then to rule out a possible hardware issue on the Standby.

 

Anyone seen this behavior before and have suggestions before I try that?

 

Thanks

Gary

 
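As an added triage helper that is not part of Gary's post: a small Python script that parses the ESP "failed authentication" syslog line quoted above and groups the failures by peer pair and SPI, so you can see whether one freshly negotiated SA is rejected on every packet (the behaviour described after clearing the SAs) or whether only scattered packets fail. The sample log lines, their addresses and sequence numbers are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the ASA ESP message quoted in the thread. The real message spells
# "Recieved"; the pattern accepts either spelling. Peer addresses in the thread
# are masked as x.x.x.x, so any non-space token is accepted for src/user/dst.
ESP_AUTH_FAIL = re.compile(
    r"IPSEC:\s*Rec(?:ie|ei)ved an ESP packet \(SPI=0x(?P<spi>[0-9A-Fa-f]+),\s*"
    r"sequence number=\s*0x(?P<seq>[0-9A-Fa-f]+)\) from (?P<src>\S+) "
    r"\(user = (?P<user>[^)]+)\) to (?P<dst>\S+) that failed authentication"
)

def parse_line(line):
    """Return the SPI, sequence number and peers from one log line, or None."""
    m = ESP_AUTH_FAIL.search(line)
    if not m:
        return None
    return {"spi": int(m["spi"], 16), "seq": int(m["seq"], 16),
            "src": m["src"], "dst": m["dst"]}

def summarize(lines):
    """Group failures by (src, dst, SPI) and report how the sequence numbers run.

    'monotonic' is True when every logged sequence number is higher than the
    previous one, i.e. the failures are a continuous stream on that SA rather
    than isolated packets.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["dst"], rec["spi"])].append(rec["seq"])
    summary = {}
    for key, seqs in groups.items():
        summary[key] = {
            "count": len(seqs),
            "seq_min": min(seqs),
            "seq_max": max(seqs),
            "monotonic": all(a < b for a, b in zip(seqs, seqs[1:])),
        }
    return summary

# Constructed sample: three consecutive failures on one SA plus an unrelated line.
SAMPLE_LOG = [
    "IPSEC:Recieved an ESP packet (SPI=0x56869431, sequence number= 0x2FAF1CD) "
    "from 198.51.100.10 (user = 198.51.100.10) to 203.0.113.5 that failed authentication",
    "IPSEC:Recieved an ESP packet (SPI=0x56869431, sequence number= 0x2FAF1CE) "
    "from 198.51.100.10 (user = 198.51.100.10) to 203.0.113.5 that failed authentication",
    "%ASA-6-302013: Built inbound TCP connection (constructed, unrelated line)",
    "IPSEC:Recieved an ESP packet (SPI=0x56869431, sequence number= 0x2FAF1CF) "
    "from 198.51.100.10 (user = 198.51.100.10) to 203.0.113.5 that failed authentication",
]
```

A single SPI with a large, strictly increasing sequence run means every packet on that SA is being rejected, which is a different picture from the occasional corrupted or out-of-window packet that the anti-replay setting is meant to absorb.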

7 Replies

On the ASA, use the show failover command to check whether it is cold standby or hot standby. Your config might not be synced.

Hi Mohammad,

 

Not sure of the terminology hot and cold, but the failover config is synced. show failover shows the standby as standby ready.

 

I did a more system:running-config on both when active to double-check the config, and they match exactly.

 

Regards

Gary

GioGonza (Level 4)

Hello @garybrophy

 

Based on your log, this is related to this concern. Normally, this is related to attacks or corrupted packets received by the ASA; when the ASA receives these it drops the packets and you will have problems with the communication.

 

A workaround for this is to change the Anti-Replay feature on the ASA: you can disable it or increase the value for that particular feature; this is the link for reference.

 

The command should be "crypto ipsec security-association replay window-size 1024". After this, test the connection and verify everything is working fine and the log has disappeared.

 

HTH

Gio

 

Thanks for the suggestion Gio,

 

I'll give it a shot later this evening to see if it works for me and let you know.

 

Do you know if it is possible on the ASA to just change the setting for one VPN rather than doing it globally?

Looks like it's possible to do individual ones for the routers but not for the ASA.

 

Thanks

Gary

Hello @garybrophy

 

Unfortunately no, the ASA has that feature enabled on the global configuration, there is no way you can change it for specific VPN tunnels.

 

Gio

Thanks Gio,

 

I'll give it a shot later.

Thanks

Gary

Cheers for the idea, but it didn't work.

 

Tried setting it to 1024 and disabled it also, but the same issue occurred.

 

Looks like I'm going to have to go to site for this one to rule out a hardware issue.

 

Regards

Gary