Problem in ASA-4-113019 event message

jtatar · ‎04-26-2013

Has anyone come across this (bug, I believe) in their ASA logs for site-to-site?

Apr 23 16:15:24 iac-jtl-mgmt Apr 23 2013 16:15:43: %ASA-4-113019: Group = <IPSec peer IP>, Username = <IPSec peer IP>, IP = <Unknown IP>, Session disconnected. Session Type: LAN-to-LAN, Duration: Xh:XXm:XXs, Bytes xmt: S, Bytes rcv: X, Reason: User Requested

It appears that the ASA software takes an incorrect memory location for the IP = <peer address field>. I performed packet captures on the outside interface and never saw what I term the "Unknown IP" in the packet captures. I had to shut down the site-to-site VPN until I could demonstrate that I did not form any IPSec SAs with the "Unknown IP".

ROBERTO GIANA · ‎05-13-2013

Just monitored a very similar issue in my ASA v9.1.1 when a user connects using WebVPN. But I don't get an "unknown IP". I get a regular log message with a random IP, which has never ever connected to my ASA.

Definitly a logging bug.

ROBERTO GIANA · ‎05-13-2013

We might hit bug id CSCub72545, titled "ASA 9.0 logs incorrect IPs in 113019 messages"

Symptom: When user gets disconnected ASA prints a log message indicating the IP address of connection. This IP address may be displayed wrong.

Conditions: ASA 9.0.1

Workaround: None.

1st Found-In

8.4(4.4)

9.0(1)

9.1(1.4)

Fixed-In

8.4(5)

9.1(1.8)

8.4(4.6)

100.8(0.234)M

100.7(6.95)M

100.8(11.36)M

100.7(13.98)M

100.7(24.1)M

100.8(33.21)M

100.9(0.1)M

100.9(3.3)M

8.4(4.99)

100.8(39.1)M

8.7(1.2)

100.8(27.19)M

9.0(1.100)

100.8(34.1)M