cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30918
Views
0
Helpful
11
Replies

Cisco Remote VPN Client - error 433

goblock99
Level 1
Level 1

Hi,

 

Every morning remote VPN Clients are getting the 433 error 

 

"Secure VPN connection terminated by Peer. Reason 433 (Reason not specified by peer)"

 

> using client  5.0.07.0290 and ASA5510 HA pair running 8.4(2).

 

on this ASA there are site2site VPN that are running fine, only the remote vpn clients get impacted.

 

after forcing failover back and forth its working again, but problem will return....

 

this link has some suggestions

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

 

during the failure the extended authentication works;

 

ASA01/sec/act# test aaa-server authentication apac username cisco123
Server IP Address or name: 10.x.x.x
Password: *************
INFO: Attempting Authentication test to IP address <10.x.x.x> (timeout: 12 seconds)
INFO: Authentication Successful
ASA01/sec/act

 

any suggestion to find stability in this?

 

 

 

1 Accepted Solution

Accepted Solutions

Hello @goblock99

 

This can be a COSMETIC Bug since the output shown is not permitting the connection on the ASA and once you crear it, everything work fine. 

 

Normally, those types of Bugs don´t affect connection but in your case it is, I found this one that is related but I didn´t find anything with your particular concern: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtx99034

 

You have 2 options, change the version of the ASA to 9.1.7 and verify if this fixes the issue or open a case with Cisco TAC in order to verify further this concern and probably open a new Bug for this :)

 

HTH

Gio

View solution in original post

11 Replies 11

GioGonza
Level 4
Level 4

Hello @goblock99

 

It can be something with the authentication but also with the VPN itself, can you share the output for "debug crypto ikev1/isakmp" "debug crypto ipsec" " debug aaa" "debug aaa common"?

 

With this we are going to see what is happening with the connection. 

 

HTH

Gio

Its all good now and working... When remote vpn client stall again with error 433, I'll follow up on your suggestion.



Thanks!


Running IKEv1 debug during fault condition im seeing this

 

Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, processing VID payload
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, Received Cisco Unity client VID
Oct 24 15:19:57 [IKEv1]Group = VPN-GROUP, IP = 213.127.37.209, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Oct 24 15:19:57 [IKEv1]Group = VPN-GROUP, IP = 213.127.37.209, Floating NAT-T from 213.127.37.209 port 7801 to 213.127.37.209 port 7874

Oct 24 15:19:57 [IKEv1]IP = 213.127.37.209, Tunnel Rejected: The maximum tunnel count allowed has been reached

Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, IKE AM Responder FSM error history (struct &0xadce46d8) <state>, <event>: AM_DONE, EV_ERROR-->AM_PROC_MSG3, EV_IS_REKEYED_H-->AM_PROC_MSG3, EV_IS_REKEYED-->AM_PROC_MSG3, EV_TEST_CERT-->AM_PROC_MSG3, EV_BLOCK_V2-->AM_PROC_MSG3, EV_CHECK_NAT_T-->AM_PROC_MSG3, EV_AUTH_PSK-->AM_PROC_MSG3, EV_PROCESS_MSG
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, IKE SA AM:5de3362e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, sending delete/delete with reason message
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, constructing blank hash payload
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, constructing IKE delete payload
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, constructing qm hash payload
Oct 24 15:19:57 [IKEv1]IP = 213.127.37.209, IKE_DECODE SENDING Message (msgid=3bff4d7d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 24 15:19:57 [IKEv1 DECODE]IP = 65.254.223.78, IKE Responder starting QM: msg id = 32acec56

 

this entry is interesting

 

Oct 24 15:19:57 [IKEv1]IP = 213.127.37.209, Tunnel Rejected: The maximum tunnel count allowed has been reached

 

The issue seems related to max VPN peers being exceeded in a context FW but this particular ASA is runnnig single mode.....

 

Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual

/pri/act# sh mode
Security context mode: single

 

/pri/act# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: folink Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 9.0(4), Mate 9.0(4)
Last Failover at: 14:54:17 xxx Oct 23 2017
This host: Primary - Active
Active time: 88551 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.0(4)) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface inside (10.210.0.1): Normal (Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 242436 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.0(4)) status (Up Sys)
Interface outside (1.1.1.2): Normal (Monitored)
Interface inside (10.210.0.2): Normal (Monitored)
slot 1: empty

 

Im using Cisco RA VPN Client 5.0.07.0290

 

Any idea?

 

Oct 24 2017 15:38:43: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 2017 15:38:51: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 2017 15:46:16: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 2017 15:46:49: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.

 

 

/pri/act# sh vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : ENABLED : 250 : 20 : NONE
AnyConnect Essentials : DISABLED : 250 : 0 : NONE
Other VPN (Available by Default) : ENABLED : 250 : 250 : NONE
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : DISABLED
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
Local : Shared : All : Peak : Eff. :
In Use : In Use : In Use : In Use : Limit : Usage
----------------------------------------------------
AnyConnect Premium : 0 : 0 : 0 : 0 : 20 : 0%
AnyConnect Client : : 0 : 0 : 0%
AnyConnect Mobile : : 0 : 0 : 0%
Clientless VPN : : 0 : 0 : 0%
Other VPN : : 250 : 250 : 250 : 100%
Cisco VPN Client/ : : 0 : 2 : 0%
L2TP Clients
Site-to-Site VPN : : 10 : 12 : 4%
---------------------------------------------------------------------------

 

why does it say all 250 VPN are in use?

 


Current IPSec SA's: Peak IPSec SA's:
IPSec : 76 Peak Concurrent SA : 134
IPSec over UDP : 0 Peak Concurrent L2L : 132
IPSec over NAT-T : 22 Peak Concurrent RA : 4
IPSec over TCP : 0
IPSec VPN LB : 0
Total : 98 <<<<<<<<<<

Does anyone know what 'the other VPN' refers to?

 

Other VPN : : 250 : 250 : 250 : 100%

 

i found that the vpn-sessiondb stats can only the cleared through a reload, its all good now ;)

 

the problem has re-occured after a few days. its same symptons, cisco ra vpn client receive 433 error and vpn license is 100% in use;

 

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
Local : Shared : All : Peak : Eff. :
In Use : In Use : In Use : In Use : Limit : Usage
----------------------------------------------------
AnyConnect Premium : 0 : 0 : 0 : 0 : 20 : 0%
AnyConnect Client : : 0 : 0 : 0%
AnyConnect Mobile : : 0 : 0 : 0%
Clientless VPN : : 0 : 0 : 0%
Other VPN : : 250 : 250 : 250 : 100%
Cisco VPN Client/ : : 0 : 3 : 0%
L2TP Clients
Site-to-Site VPN : : 8 : 11 : 3%
---------------------------------------------------------------------------

MYKUAASA01/pri/act#

 

this in fact has no effect;

pri/act(config)# clear vpn-sessiondb statistics all
INFO: Number of sessions cleared : 250 

 

other stats

pri/act# sh vpn-sessiondb summar
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
IKEv1 IPsec/L2TP IPsec : 0 : 15 : 3
Site-to-Site VPN : 8 : 77 : 11
IKEv2 IPsec : 1 : 13 : 3
IKEv1 IPsec : 7 : 64 : 9
---------------------------------------------------------------------------
Total Active and Inactive : 8 Total Cumulative : 92
Device Total VPN Capacity : 250
Device Load : 3%
---------------------------------------------------------------------------

MYKUAASA01/pri/act#

 

 

so, anyone? why is it "retaining" an incorrect cumulative  number of VPN sessions? Im running 9.0(4) now.

Hello @goblock99

 

This can be a COSMETIC Bug since the output shown is not permitting the connection on the ASA and once you crear it, everything work fine. 

 

Normally, those types of Bugs don´t affect connection but in your case it is, I found this one that is related but I didn´t find anything with your particular concern: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtx99034

 

You have 2 options, change the version of the ASA to 9.1.7 and verify if this fixes the issue or open a case with Cisco TAC in order to verify further this concern and probably open a new Bug for this :)

 

HTH

Gio

Same thoughts here, i already obtain 9.1.7 and will upgrade asap..... will keep u updated

carotek
Level 1
Level 1

For my 433 issue, I looked at the syslogs of the PIX515 and found that my user was using the wrong user name. We had instituted a password change the week before and she got confused about what her username was and which password to use.

When she used the correct info, she was in like Flynn.

Thanks,