11-08-2010 07:56 AM
Ok a little background on my setup. We have users that connect from outside to our ASA. There are 2 groups of users. The first group needs a valid cert the second does not. Everything was working fine up until 11/3.
Our ASA's identity certificate expired on 11/3 so none of the remote users that required the cert could connect. I renewed that cert today and installed it but now I get the DEL_REASON_PEER_NOT_RESPONDING.
I will include logs from the VPN client and from the ASA. The users who do not require the cert connect fine and I tried them from the same remote connection so it points me to the cert but I am not sure how that correlates to the DEL_REASON_PEER_NOT_RESPONDING. Everything I have read thus far points to the ASA not getting its response back to the VPN client but it works fine with the other users.
Any help is greatly appreciated.
Thanks,
Jason
11-08-2010 10:41 AM
Hi Jason,
I am not sure why it only happened after cert renewal on ASA. But from the log, it looks like the client sent the cert in fragmented packets but ASA might not receive all of them.
Can you do the following:
- packet capture on both sides to see if the fragmented packet was dropped
- debug cry ipsec 255 and deb cry isa 255 (there is a lot of output, please don't run them during the peak hours)
- show frag
Basically, let's find out if the issue was caused by the drop of fragmented packets. If yes, we need to find out where it is dropped and why.
11-08-2010 12:56 PM
I don't think that is the issue as I can connect on the same connection when I don't need the Certificate.
11-08-2010 01:08 PM
It looks like I did not explain my point well.
When the client sent the certificate to ASA, it was sent in multiple packets (fragmentation). It looks like not all fragmented packets reached the ASA.
Sometimes, a certificate packet could be big and has to be fragmented in order to send it.
When you don't use a certificate, you won't see this issue. That's why it works well without using a certificate.
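The two-sided packet capture suggested in this thread comes down to one comparison: for each fragmented datagram the client sent, did every fragment arrive at the ASA? The sketch below is an added example, not part of the original thread; it assumes the fragment fields (IP ID, byte offset, more-fragments flag, payload length) have already been exported from both captures for a single client-to-ASA flow, and all values in it are constructed.

```python
from collections import defaultdict

# Each record is one captured IPv4 fragment: (ip_id, byte_offset, more_fragments, payload_len).
# All values below are constructed sample data, not taken from the thread's logs.
CLIENT_SIDE = [
    (0x1A2B, 0, True, 1480),      # large IKE message carrying the certificate,
    (0x1A2B, 1480, True, 1480),   # split into three fragments by the client
    (0x1A2B, 2960, False, 412),
    (0x1A2C, 0, False, 356),      # small IKE message, not fragmented
]
# The same flow as captured on the ASA outside interface: the middle fragment is absent.
ASA_SIDE = [
    (0x1A2B, 0, True, 1480),
    (0x1A2B, 2960, False, 412),
    (0x1A2C, 0, False, 356),
]

def group(frags):
    """Group fragment records by IP identification value."""
    by_id = defaultdict(list)
    for ip_id, off, mf, length in frags:
        by_id[ip_id].append((off, mf, length))
    return by_id

def is_complete(frags):
    """True if the fragments cover bytes 0..end with no hole and the last one has MF=0."""
    expected, last_mf = 0, True
    for off, mf, length in sorted(frags):
        if off > expected:
            return False          # hole: the receiver can never reassemble this datagram
        expected = max(expected, off + length)
        last_mf = mf              # after the loop: MF flag of the highest-offset fragment
    return not last_mf

def dropped_in_transit(sent, received):
    """Map ip_id -> offsets sent but never received, for datagrams incomplete at the receiver."""
    sent_by_id, recv_by_id = group(sent), group(received)
    report = {}
    for ip_id, frags in sent_by_id.items():
        got = recv_by_id.get(ip_id, [])
        if is_complete(got):
            continue
        seen = {off for off, _, _ in got}
        report[ip_id] = sorted(off for off, _, _ in frags if off not in seen)
    return report

if __name__ == "__main__":
    for ip_id, offsets in dropped_in_transit(CLIENT_SIDE, ASA_SIDE).items():
        print(f"IP ID {ip_id:#06x}: fragments at offsets {offsets} never reached the ASA")
```

A non-empty report for the certificate-bearing datagram, alongside an intact small datagram on the same path, matches the symptom described here: users without certificates connect, users with certificates time out.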