
Cisco Remote VPN Client - error 433

goblock99
Level 1

Hi,

Every morning, remote VPN clients are getting the 433 error:

"Secure VPN connection terminated by Peer. Reason 433 (Reason not specified by peer)"

Using client 5.0.07.0290 and an ASA5510 HA pair running 8.4(2).

On this ASA there are site-to-site VPNs that are running fine; only the remote VPN clients are impacted.

After forcing failover back and forth it's working again, but the problem will return.

This link has some suggestions:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

During the failure, extended authentication works:


ASA01/sec/act# test aaa-server authentication apac username cisco123
Server IP Address or name: 10.x.x.x
Password: *************
INFO: Attempting Authentication test to IP address <10.x.x.x> (timeout: 12 seconds)
INFO: Authentication Successful
ASA01/sec/act

Any suggestions on how to find stability in this?

11 Replies

GioGonza
Level 4

Hello @goblock99

It can be something with the authentication but also with the VPN itself. Can you share the output of "debug crypto ikev1" (or "debug crypto isakmp"), "debug crypto ipsec", "debug aaa" and "debug aaa common"?

With this we are going to see what is happening with the connection.

HTH

Gio

It's all good now and working. When the remote VPN clients stall again with error 433, I'll follow up on your suggestion.

Thanks!


Running the IKEv1 debug during the fault condition, I'm seeing this:

Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, processing VID payload
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, Received Cisco Unity client VID
Oct 24 15:19:57 [IKEv1]Group = VPN-GROUP, IP = 213.127.37.209, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Oct 24 15:19:57 [IKEv1]Group = VPN-GROUP, IP = 213.127.37.209, Floating NAT-T from 213.127.37.209 port 7801 to 213.127.37.209 port 7874

Oct 24 15:19:57 [IKEv1]IP = 213.127.37.209, Tunnel Rejected: The maximum tunnel count allowed has been reached

Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, IKE AM Responder FSM error history (struct &0xadce46d8) <state>, <event>: AM_DONE, EV_ERROR-->AM_PROC_MSG3, EV_IS_REKEYED_H-->AM_PROC_MSG3, EV_IS_REKEYED-->AM_PROC_MSG3, EV_TEST_CERT-->AM_PROC_MSG3, EV_BLOCK_V2-->AM_PROC_MSG3, EV_CHECK_NAT_T-->AM_PROC_MSG3, EV_AUTH_PSK-->AM_PROC_MSG3, EV_PROCESS_MSG
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, IKE SA AM:5de3362e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, sending delete/delete with reason message
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, constructing blank hash payload
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, constructing IKE delete payload
Oct 24 15:19:57 [IKEv1 DEBUG]Group = VPN-GROUP, IP = 213.127.37.209, constructing qm hash payload
Oct 24 15:19:57 [IKEv1]IP = 213.127.37.209, IKE_DECODE SENDING Message (msgid=3bff4d7d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 24 15:19:57 [IKEv1 DECODE]IP = 65.254.223.78, IKE Responder starting QM: msg id = 32acec56

 

This entry is interesting:

Oct 24 15:19:57 [IKEv1]IP = 213.127.37.209, Tunnel Rejected: The maximum tunnel count allowed has been reached

The issue seems related to the max VPN peers being exceeded in a multiple-context firewall, but this particular ASA is running in single mode:

Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual

/pri/act# sh mode
Security context mode: single

 

/pri/act# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: folink Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 9.0(4), Mate 9.0(4)
Last Failover at: 14:54:17 xxx Oct 23 2017
This host: Primary - Active
Active time: 88551 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.0(4)) status (Up Sys)
Interface outside (1.1.1.1): Normal (Monitored)
Interface inside (10.210.0.1): Normal (Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 242436 (sec)
slot 0: ASA5510 hw/sw rev (2.0/9.0(4)) status (Up Sys)
Interface outside (1.1.1.2): Normal (Monitored)
Interface inside (10.210.0.2): Normal (Monitored)
slot 1: empty

 

I'm using Cisco RA VPN Client 5.0.07.0290.

Any idea?

Oct 24 2017 15:38:43: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 2017 15:38:51: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 2017 15:46:16: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 2017 15:46:49: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.

 

 

/pri/act# sh vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                   Status   : Capacity : Installed : Limit
                                 -----------------------------------------
AnyConnect Premium               : ENABLED  :      250 :        20 :  NONE
AnyConnect Essentials            : DISABLED :      250 :         0 :  NONE
Other VPN (Available by Default) : ENABLED  :      250 :       250 :  NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : DISABLED
VPN-3DES-AES                     : ENABLED
VPN-DES                          : ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                        Local  : Shared :  All   :  Peak  : Eff.  :
                        In Use : In Use : In Use : In Use : Limit : Usage
                      ----------------------------------------------------
AnyConnect Premium   :      0 :      0 :      0 :      0 :    20 :   0%
AnyConnect Client    :        :        :      0 :      0 :       :   0%
AnyConnect Mobile    :        :        :      0 :      0 :       :   0%
Clientless VPN       :        :        :      0 :      0 :       :   0%
Other VPN            :        :        :    250 :    250 :   250 : 100%
Cisco VPN Client/    :        :        :      0 :      2 :       :   0%
L2TP Clients
Site-to-Site VPN     :        :        :     10 :     12 :       :   4%
---------------------------------------------------------------------------

 

Why does it say all 250 VPNs are in use?

Current IPSec SA's:                    Peak IPSec SA's:
  IPSec            :  76                 Peak Concurrent SA  : 134
  IPSec over UDP   :   0                 Peak Concurrent L2L : 132
  IPSec over NAT-T :  22                 Peak Concurrent RA  :   4
  IPSec over TCP   :   0
  IPSec VPN LB     :   0
  Total            :  98 <<<<<<<<<<

Does anyone know what 'Other VPN' refers to?

Other VPN : : 250 : 250 : 250 : 100%

I found that the vpn-sessiondb stats can only be cleared through a reload; it's all good now ;)

The problem has re-occurred after a few days, with the same symptoms: the Cisco RA VPN client receives the 433 error and the VPN license is 100% in use:

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                        Local  : Shared :  All   :  Peak  : Eff.  :
                        In Use : In Use : In Use : In Use : Limit : Usage
                      ----------------------------------------------------
AnyConnect Premium   :      0 :      0 :      0 :      0 :    20 :   0%
AnyConnect Client    :        :        :      0 :      0 :       :   0%
AnyConnect Mobile    :        :        :      0 :      0 :       :   0%
Clientless VPN       :        :        :      0 :      0 :       :   0%
Other VPN            :        :        :    250 :    250 :   250 : 100%
Cisco VPN Client/    :        :        :      0 :      3 :       :   0%
L2TP Clients
Site-to-Site VPN     :        :        :      8 :     11 :       :   3%
---------------------------------------------------------------------------

MYKUAASA01/pri/act#

 

This in fact has no effect:

pri/act(config)# clear vpn-sessiondb statistics all
INFO: Number of sessions cleared : 250

Other stats:

pri/act# sh vpn-sessiondb summar
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
IKEv1 IPsec/L2TP IPsec       :      0 :         15 :           3
Site-to-Site VPN             :      8 :         77 :          11
  IKEv2 IPsec                :      1 :         13 :           3
  IKEv1 IPsec                :      7 :         64 :           9
---------------------------------------------------------------------------
Total Active and Inactive    :      8             Total Cumulative :     92
Device Total VPN Capacity    :    250
Device Load                  :     3%
---------------------------------------------------------------------------

MYKUAASA01/pri/act#

 

 

So, anyone? Why is it "retaining" an incorrect cumulative number of VPN sessions? I'm running 9.0(4) now.
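The pattern in the post above is the useful detection signal: the "Other VPN" pool reports 250 of 250 in use, the %ASA-4-751019 syslog says the license limit is exceeded, yet the session database holds only 8 sessions. As an added example (not code from the thread or from Cisco), the following Python checker parses those three artefacts and flags the combination as a stuck license counter rather than real saturation. The sample inputs are constructed to mirror the poster's output; the column mapping of the usage rows and the 50% slack threshold are my assumptions, not documented ASA behaviour.

```python
"""Flag a stuck ASA 'Other VPN' license counter. Added example, not Cisco code;
sample inputs are constructed to mirror the thread's output, column layout is assumed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed syslog/debug sample: two license denials, one IKEv1 reject, one unrelated line.
SAMPLE_SYSLOG = """\
Oct 24 2017 15:38:43: %ASA-4-751019: Local:1.1.1.1:500 Remote:40.84.53.181:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 2017 15:38:51: %ASA-4-751019: Local:1.1.1.1:500 Remote:198.51.100.7:500 Username:Unknown Failed to obtain an Other VPN license. Maximum license limit 250 exceeded.
Oct 24 15:19:57 [IKEv1]IP = 213.127.37.209, Tunnel Rejected: The maximum tunnel count allowed has been reached
Oct 24 2017 15:40:11: %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/51234 (203.0.113.9/51234) to inside:10.210.0.5/443 (10.210.0.5/443)
"""

# Constructed 'VPN Licenses Usage Summary' rows (show vpn-sessiondb license-summary).
SAMPLE_LICENSE_USAGE = """\
 AnyConnect Premium   :   0 :   0 :   0 :   0 :  20 :   0%
 Other VPN            :     :     : 250 : 250 : 250 : 100%
 Cisco VPN Client/    :     :     :   0 :   3 :     :   0%
 L2TP Clients
 Site-to-Site VPN     :     :     :   8 :  11 :     :   3%
"""

# Constructed totals from 'show vpn-sessiondb summary'.
SAMPLE_SESSION_SUMMARY = """\
Total Active and Inactive    :      8     Total Cumulative :     92
Device Total VPN Capacity    :    250
Device Load                  :     3%
"""

DENIAL_RE = re.compile(r"%ASA-4-751019: .*Failed to obtain an (?P<lic>[\w ]+?) license\. "
                       r"Maximum license limit (?P<limit>\d+) exceeded")
REJECT_RE = re.compile(r"Tunnel Rejected: The maximum tunnel count allowed has been reached")
TOTAL_RE = re.compile(r"Total Active and Inactive\s*:\s*(\d+)")
CAPACITY_RE = re.compile(r"Device Total VPN Capacity\s*:\s*(\d+)")

@dataclass
class LicenseRow:
    all_in_use: int
    peak: int
    limit: Optional[int]  # None where the ASA prints no per-row effective limit
    usage_pct: int

@dataclass
class Finding:
    license_in_use: int
    license_limit: int
    actual_sessions: int
    denials: int
    tunnel_rejects: int
    stuck_counter: bool

def license_denials(syslog: str) -> Dict[str, int]:
    """Count %ASA-4-751019 events per license pool named in the message."""
    counts: Dict[str, int] = {}
    for line in syslog.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            counts[m.group("lic")] = counts.get(m.group("lic"), 0) + 1
    return counts

def tunnel_rejects(debug: str) -> int:
    return sum(1 for line in debug.splitlines() if REJECT_RE.search(line))

def parse_license_usage(text: str) -> Dict[str, LicenseRow]:
    """Parse usage rows; blank columns are dropped, so collapsed and aligned output both work."""
    rows: Dict[str, LicenseRow] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # continuation lines such as 'L2TP Clients'
        name, *cells = [c.strip() for c in line.split(":")]
        cells = [c for c in cells if c]
        if not cells or not cells[-1].endswith("%"):
            continue  # header rows and anything that is not a usage row
        nums = [int(c) for c in cells[:-1]]
        if len(nums) == 5:    # Local, Shared, All, Peak, Eff. Limit (shared-license rows)
            all_in_use, peak, limit = nums[2], nums[3], nums[4]
        elif len(nums) == 3:  # All, Peak, Eff. Limit
            all_in_use, peak, limit = nums
        elif len(nums) == 2:  # All, Peak; no per-row limit printed
            all_in_use, peak, limit = nums[0], nums[1], None
        else:
            continue
        rows[name] = LicenseRow(all_in_use, peak, limit, int(cells[-1].rstrip("%")))
    return rows

def parse_session_summary(text: str) -> Tuple[int, int]:
    """Return (total active+inactive sessions, device VPN capacity)."""
    return int(TOTAL_RE.search(text).group(1)), int(CAPACITY_RE.search(text).group(1))

def analyze(syslog: str, license_usage: str, session_summary: str,
            pool: str = "Other VPN", slack: float = 0.5) -> Finding:
    """Pool pinned at its limit while the session DB is mostly empty => stuck counter."""
    lic = parse_license_usage(license_usage)[pool]
    active, capacity = parse_session_summary(session_summary)
    limit = lic.limit if lic.limit is not None else capacity
    exhausted = lic.all_in_use >= limit
    stuck = exhausted and active < limit * slack  # real saturation would show sessions near the limit
    return Finding(lic.all_in_use, limit, active, license_denials(syslog).get(pool, 0),
                   tunnel_rejects(syslog), stuck)
```

Run `analyze(SAMPLE_SYSLOG, SAMPLE_LICENSE_USAGE, SAMPLE_SESSION_SUMMARY)` against fresh captures of the same three commands; a `stuck_counter` of True with non-zero `denials` is the signature of this thread, and a True with `actual_sessions` close to the limit is plain capacity exhaustion and needs a different response.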

GioGonza
Level 4

Accepted Solution

Hello @goblock99

This can be a COSMETIC bug, since the output shown is not permitting the connection on the ASA and once you clear it, everything works fine.

Normally those types of bugs don't affect the connection, but in your case it does. I found this one that is related, but I didn't find anything matching your particular concern: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtx99034

You have two options: change the ASA version to 9.1.7 and verify whether this fixes the issue, or open a case with Cisco TAC to verify this concern further and probably open a new bug for it :)

HTH

Gio

Same thoughts here. I already obtained 9.1.7 and will upgrade ASAP. Will keep you updated.

carotek
Level 1

For my 433 issue, I looked at the syslogs of the PIX515 and found that my user was using the wrong user name. We had instituted a password change the week before and she got confused about what her username was and which password to use.

When she used the correct info, she was in like Flynn.

Thanks,