07-22-2012 02:54 AM
Hi,
We have an ASA 5520 acting as the VPN server and a Cisco 1941 router as the EZVPN client. For the last few days the client has not been able to establish a VPN connection. The 1941 router is continuously generating the log messages below:
---------------
001569: Jul 22 12:19:05.883 ABC: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN(VPNGROUP) Split tunnel attributes(51) greater than max allowed split attributes(50)
001574: Jul 22 12:19:07.835 ABC: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=vpn_user Group=VPNGROUP Client_public_addr=<client public ip> Server_public_addr=<server public ip>
004943: Jul 22 11:32:42.247 ABC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
---------------
Looking forward to experts' suggestions and help.
Thanks,
Israr Ahmad
07-22-2012 03:52 AM
Yes, your split tunnel access-list is too large, and it has reached the maximum allowed number of lines.
Try to reduce the number of ACL lines for your split tunnel ACL, maybe by combining the subnets if possible.
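One way to do the subnet combining suggested above, as an added example that is not part of the original reply: the script parses standard ACL lines, merges adjacent and overlapping networks exactly (so the tunnel covers no address it did not cover before), and checks the result against the limit of 50 from the log message. The ACL name `SPLIT_ACL` and all networks are constructed sample data, and the sketch assumes the split tunnel list is a standard ACL.

```python
import ipaddress

MAX_SPLIT_ATTRS = 50  # limit quoted in the router's %CRYPTO-4-EZVPN_SA_LIMIT message

# Constructed sample: 51 entries (48 contiguous /24s, one more /24, a host, its parent /24).
SAMPLE_ACL = "\n".join(
    [f"access-list SPLIT_ACL standard permit 10.10.{i}.0 255.255.255.0" for i in range(48)]
    + ["access-list SPLIT_ACL standard permit 172.16.5.0 255.255.255.0",
       "access-list SPLIT_ACL standard permit host 192.168.1.10",
       "access-list SPLIT_ACL standard permit 192.168.1.0 255.255.255.0"]
)

def parse_acl(text):
    """Return (acl_name, networks) from 'access-list NAME standard permit ...' lines."""
    name, nets = None, []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["standard", "permit"]:
            continue  # skip remarks, 'permit any' and anything that is not a network entry
        name = name or tok[1]
        if tok[4] == "host":
            nets.append(ipaddress.ip_network(tok[5] + "/32"))
        else:
            nets.append(ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False))
    return name, nets

def summarize(nets):
    """Merge adjacent/overlapping networks; the covered address space is unchanged."""
    return list(ipaddress.collapse_addresses(nets))

def fits(nets):
    """True when the entry count is within the client's split tunnel limit."""
    return len(nets) <= MAX_SPLIT_ATTRS

def render(name, nets):
    """Emit the summarized list back in standard ACL syntax."""
    lines = []
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f"access-list {name} standard permit host {n.network_address}")
        else:
            lines.append(f"access-list {name} standard permit {n.network_address} {n.netmask}")
    return lines

if __name__ == "__main__":
    acl_name, original = parse_acl(SAMPLE_ACL)
    merged = summarize(original)
    print(f"{len(original)} entries -> {len(merged)} (fits: {fits(merged)})")
    print("\n".join(render(acl_name, merged)))
```

Because the merge is exact, it only helps where the listed subnets are contiguous or nested; replacing scattered subnets with a wider supernet would also shrink the list but routes additional destinations through the tunnel.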
07-22-2012 04:53 AM
Error Message %CRYPTO-4-EZVPN_SA_LIMIT: [chars]
Explanation The maximum number of EZVPN tunnels that can be set up on the platform has been reached. Active SAs will not be terminated, but additional SAs cannot be established until the number of existing SAs decreases.
So you have to get the SAs reduced.
Please do rate if the given information helps.
By
Karthik
07-22-2012 10:15 PM
Thanks Jennifer, that was spot on... So in brief, a split tunnel access list can have only 50 entries.
--------
Thanks
Israr Ahmad