Getting DEL_REASON_PEER_NOT_RESPONDING

Jason Young
Level 1

Ok, a little background on my setup. We have users that connect from outside to our ASA. There are 2 groups of users. The first group needs a valid cert, the second does not. Everything was working fine up until 11/3.

Our ASA's identity certificate expired on 11/3, so none of the remote users that required the cert could connect. I renewed that cert today and installed it, but now I get the DEL_REASON_PEER_NOT_RESPONDING.

I will include logs from the VPN client and from the ASA. The users who do not require the cert connect fine, and I tried them from the same remote connection, so it points me to the cert, but I am not sure how that correlates to the DEL_REASON_PEER_NOT_RESPONDING. Everything I have read thus far points to the ASA not getting its response back to the VPN client, but it works fine with the other users.

Any help is greatly appreciated.

Thanks,
Jason

3 Replies

Yudong Wu
Level 7

Hi Jason,

I am not sure why it only happened after cert renewal on the ASA. But from the log, it looks like the client sent the cert in fragmented packets but the ASA might not have received all of them.

Can you do the following

- packet capture on both sides to see if the fragmented packet was dropped

- debug cry ipsec 255 and deb cry isa 255 (there is a lot of output, please don't run them during the peak hours)

- show frag

Basically, let's find out if the issue was caused by the drop of fragmented packets. If yes, we need to find out where it is dropped and why.

I don't think that is the issue, as I can connect on the same connection when I don't need the certificate.

It looks like I did not explain my point well.

When the client sent the certificate to the ASA, it was sent in multiple packets (fragmentation). It looks like not all fragmented packets reached the ASA.

Sometimes a certificate packet can be big and has to be fragmented in order to send it.

When you don't use certificate, you won't see this issue. That's why it works well without using certificate.
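As an added example (not code from the thread or from Cisco), this Python script performs the check behind the first suggestion above, "packet capture on both sides": it groups IPv4 fragments by source, destination and IP ID, reassembles the byte ranges, and reports which datagrams never completed, which is what a dropped fragment of the client's certificate exchange looks like in a capture. The packet records are constructed; real IPv4 fragment offsets are in 8-byte units and are assumed here to be already converted to bytes.

```python
from collections import defaultdict

# Constructed capture summary, one tuple per fragment, as a capture tool would
# list it: (src, dst, ip_id, fragment_offset_bytes, more_fragments, payload_len)
CAPTURE = [
    # Datagram 0x1a2b: three fragments, all seen -> reassembles
    ("203.0.113.10", "198.51.100.1", 0x1a2b, 0,    True,  1480),
    ("203.0.113.10", "198.51.100.1", 0x1a2b, 1480, True,  1480),
    ("203.0.113.10", "198.51.100.1", 0x1a2b, 2960, False, 300),
    # Datagram 0x1a2c: middle fragment never arrived -> gap
    ("203.0.113.10", "198.51.100.1", 0x1a2c, 0,    True,  1480),
    ("203.0.113.10", "198.51.100.1", 0x1a2c, 2960, False, 420),
    # Datagram 0x1a2d: only the first fragment seen -> tail missing
    ("203.0.113.10", "198.51.100.1", 0x1a2d, 0,    True,  1480),
]


def reassemble(records):
    """Return {(src, dst, ip_id): {"complete", "missing", "total"}}.

    "missing" lists byte ranges (start, end) that no fragment covered;
    end is None when the final fragment (more_fragments=False) was never seen.
    """
    groups = defaultdict(list)
    for src, dst, ip_id, off, mf, length in records:
        groups[(src, dst, ip_id)].append((off, mf, length))

    result = {}
    for key, frags in groups.items():
        frags.sort()               # walk fragments in offset order
        expected = 0               # next byte offset we expect to see
        total = None               # datagram length, known once last frag seen
        missing = []
        for off, mf, length in frags:
            if off > expected:     # hole between previous end and this start
                missing.append((expected, off))
            expected = max(expected, off + length)
            if not mf:
                total = off + length
        if total is None:          # never saw the fragment with MF clear
            missing.append((expected, None))
        result[key] = {"complete": not missing, "missing": missing, "total": total}
    return result


def incomplete_datagrams(records):
    """IP IDs (as hex strings) of datagrams that did not fully reassemble."""
    return sorted(hex(k[2]) for k, v in reassemble(records).items() if not v["complete"])


if __name__ == "__main__":
    for ip_id in incomplete_datagrams(CAPTURE):
        print("incomplete datagram", ip_id, reassemble(CAPTURE))
```

Run the same script against captures taken on the client side and on the ASA side: a datagram that is complete on one side and incomplete on the other was dropped in between.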
