Clients unable to connect through IPSec VPN

Martin Jaburek
Level 1

Hello,

I have a weird problem with client connectivity through IPSec. I have set up an ASA 5520 (8.3(2)) as a VPN concentrator. DHCP is served from a Windows machine.

From time to time it happens that no one can connect; they immediately get a 433 error message, but there are also no logs on the ASA.

I found out that when it happens there is a problem with DHCP: the ASA holds a dynamically allocated IP address in an IPSec SA, but on the DHCP server there is no record for that IP address. So every new client gets this IP address, and as soon as the client uses it, the ASA disconnects it, because this address is already in use. To fix this issue I have to either clear the SA for this dynamic address or remove this dynamic address from the DHCP server.

The DHCP lease time is longer than the IPSec SA lifetime, so there should not be a problem with idle clients (disconnected without a proper logout).

The other thing is that I can see show ipsec sa displays:

Crypto map tag: Gdynmap, seq num: 20, local addr: 10.233.129.201
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.233.222.57/255.255.255.255/0/0)
      current_peer: 212.1.1.1, username: tesext
      dynamic allocated peer ip: 10.233.222.60

This is quite strange, because otherwise the remote ident is always the same as the dynamic allocated peer ip! In this case the problematic IP is .57 (the DHCP entry is missing).

At the same time there is also another, correct SA (same remote ident as the dynamic allocated peer ip):

Crypto map tag: Gdynmap, seq num: 20, local addr: 10.233.129.201
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.233.222.60/255.255.255.255/0/0)
      current_peer: 212.1.1.1, username: tesext
      dynamic allocated peer ip: 10.233.222.60

Can anyone explain to me what can be done to prevent it?
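The two symptoms in the post (an SA whose remote ident differs from its dynamically allocated peer IP, and an allocated address with no DHCP lease behind it) can be checked mechanically from the `show ipsec sa` text and a lease export. The script below is an added example, not code from the thread or from Cisco; the SA output and the lease table are constructed samples modelled on the two SAs quoted above, and the lease-export format (a simple IP to client mapping) is an assumption.

```python
# Added example (not from the thread): cross-check ASA "show ipsec sa" output
# against a DHCP lease table for the two symptoms described in the post.
import re

# Constructed sample, modelled on the two SAs quoted above.
SHOW_IPSEC_SA = """\
Crypto map tag: Gdynmap, seq num: 20, local addr: 10.233.129.201
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.233.222.57/255.255.255.255/0/0)
      current_peer: 212.1.1.1, username: tesext
      dynamic allocated peer ip: 10.233.222.60
Crypto map tag: Gdynmap, seq num: 20, local addr: 10.233.129.201
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.233.222.60/255.255.255.255/0/0)
      current_peer: 212.1.1.1, username: tesext
      dynamic allocated peer ip: 10.233.222.60
"""
# Constructed lease table (IP -> client); .57 is deliberately absent, as in the post.
DHCP_LEASES = {"10.233.222.60": "tesext-laptop"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FIELDS = {
    "remote": re.compile(r"remote ident .*?\(" + IPV4),
    "allocated": re.compile(r"dynamic allocated peer ip: " + IPV4),
    "username": re.compile(r"username: (\S+)"),
}

def parse_sas(text):
    """Split at each 'Crypto map tag' header; return one dict per complete SA."""
    sas = []
    for block in re.split(r"(?m)^Crypto map tag:", text)[1:]:
        found = {k: m.group(1) for k, rx in FIELDS.items() if (m := rx.search(block))}
        if len(found) == len(FIELDS):
            sas.append(found)
    return sas

def find_problems(sa_text, leases):
    """Return (mismatched, unleased): SAs whose remote ident differs from the
    allocated peer IP, and SA addresses with no DHCP lease on record."""
    mismatched, unleased = [], set()
    for sa in parse_sas(sa_text):
        if sa["remote"] != sa["allocated"]:
            mismatched.append(sa)
        unleased.update(ip for ip in (sa["remote"], sa["allocated"]) if ip not in leases)
    return mismatched, sorted(unleased)

if __name__ == "__main__":
    bad, missing = find_problems(SHOW_IPSEC_SA, DHCP_LEASES)
    print("mismatched SAs:", [(s["username"], s["remote"], s["allocated"]) for s in bad])
    print("SA addresses without a DHCP lease:", missing)
```

An address reported in the second list is exactly the one the post describes: still pinned in an SA on the ASA but free to be handed out again by the DHCP server, so it is the candidate for clearing the SA before the next client collides with it.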

2 Replies

skingry
Level 1

Martin,

I was having the same problem, though with a different DHCP server. I finally had to revert to pools in the ASA.

Shane

Atri Basu
Cisco Employee

Martin, bug #CSCts45189 has been filed for this issue. Unfortunately we haven't been able to reproduce this problem in the lab, and due to the impact this has had on customer environments, most people who run into this problem move to using DHCP pools or some other form of address assignment (as Shane indicated). If you haven't done so and are willing to help us troubleshoot this problem, we will be quite grateful. In that case, when you next run into this issue, please open a TAC case right away with the following debugs:

1) logging class ipaa trap 6

2) debug dhcpc error

3) debug dhcpc detail

4) debug dhcpc packet

5) debug dhcpd event 255

6) debug dhcpd packet 255

7) When it's failing, check the logging database to see whether that ip addr is in use:

  show vpn-sessiondb anyconnect filter a-ipaddress

8) asp captures on the ASA interface that the DHCP server(s) are attached to.

9) packet capture on the DHCP server(s)

Also, what kind of DHCP server are you using:

1) MS server or Alcatel-Lucent QIP DHCP server?

2) multiple DHCP servers as failover pair?
