ASA5520 random VPN issue

vs1784001 · ‎03-09-2016

We are using Cisco ASA 5520 since couple of years. We have 2 devices working in failover mode with around 50 remote access VPN connections and 3 site to site VPN connections during work hours.

It works fine but randomly it kicks out all VPN users and stops accepting any VPN request, VPN client throws timeout errors. No errors are logged into syslog as well. Everything starts working normal after a reboot of both devices and some wait period of around 20-25 minutes.

How do i begin to troubleshoot this? I have no idea because there is nothing in logs.

Dinesh Moudgil · ‎03-10-2016

Here is a great write up of most common L2L and Remote Access VPN troubleshooting solutions that you might want to take a look at:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

Coming back to your issue, the way you can start this tshoot is :
* Confirm if it is the issue with L2L VPN or Remote Access VPN.
* Check if the VPN session limit is not crossing threshold using

show vpn-sessiondb summary

* Grab a remote peer/VPN client where you have the issue and debug the session using:
debug crypto condition peer x.x.x.x ............................x.x.x.x being remote peer IP/Client Public IP
debug crypto isakmp sa
debug crypto ipsec sa

* Setup the syslogs to debug level.
* Run captures on client/remote peer and ASA to confirm if the packets are reaching the other sides or not.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

These steps should give you brief info about what exactly is happening to the IPSec sessions and can help you in isolating the issue.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/