11-14-2010 04:09 AM
Anyone
I have a scenario of 3 x asa5505, asa1, asa2 and asa3.
asa1 is the central point (server if you like). asa2 has a site to site vpn to asa1 and works fine (asa1 and 2 have fixed public IPs).
asa3 however does not have a public IP but is sitting behind another (Xyzel) dsl modem/firewall. I have used EasyVPN on asa3 earlier, and all worked fine. After upgrading asa1 to 8.3(2) the tunnel from asa3 to asa1 never comes back up. All I see in the log (ASDM) on asa1 is the following:
"Date and Time stamp" "source IP" Maximum concurrent IKE negotiations exceeded!
I have re-run the Wizard in ASDM on both asa3 and asa1 (easyvpn wizard on asa3, and remote access wizard on asa1)
Anyone?
br
hkl
11-14-2010 05:57 PM
Hi Kristian,
What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?
Thanks and regards,
Prapanch
11-14-2010 11:24 PM
praprama wrote:
Hi Kristian,
What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?
Thanks and regards,
Prapanch
Hello, and thanks for your response.
Yes I tried a restart, no difference. Here is a copy of the syslog msg.
br
Kristian
Syslog ID / Facility: asa-3-713191 local4
Severity: error
Message: nov 15 2010 08:02:38: %%asa-3-713191: ip = 88.90.17.178, maximum concurrent ike negotiations exceeded!
Time: 15 Nov 2010, 08:02:4
11-15-2010 06:52 AM
Please attach the show tech if possible; I am particularly interested in the memory, CPU and the blocks.
you can just paste the output of
show mem
show cpu
show blocks
11-15-2010 07:23 AM
jathaval wrote:
Please attach the show tech if possible; I am particularly interested in the memory, CPU and the blocks.
you can just paste the output of
show mem
show cpu
show blocks
Hello
Attached a file with the requested info. This is from asa1. Cannot access asa3 until the vpn is there.
br
Kristian
11-15-2010 07:09 AM
Hi Kristian,
Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:
http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html
It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.
I would suggest you open up a TAC case to investigate further and collect all necessary information.
Regards,
Prapanch
11-15-2010 07:28 AM
praprama wrote:
Hi Kristian,
Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:
http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html
It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.
I would suggest you open up a TAC case to investigate further and collect all necessary information.
Regards,
Prapanch
Hello
Attached an rtf file with the requested info. I will investigate your links, and contact TAC if this is not only due to my lack of competence.
hkl
11-15-2010 07:51 AM
Hi Kristian,
Could you also get the output of "debug menu ike 28 1"?
Regards,
Prapanch
11-15-2010 08:41 AM
praprama wrote:
Hi Kristian,
Could you also get the output of "debug menu ike 28 1"?
Regards,
Prapanch
Hello Prapanch
Here is the requested output:
anubis# deb menu ike 28 1
IKE simultaneous P1 negotiations Stats:
current negotiation count = 50
device current limit = 50 (device default)
device default limit = 50
highwater negotiation count = 50
anubis#
11-15-2010 08:51 AM
Hi,
So the reason why you are getting that log is because we are past the maximum of IKE negotiations the device can handle by default.
Now, the reason for the failure seems to be "Auth Fails" from the output of "show cry isa stats" as the counter for that is large.
I think the best option is to open up a TAC case to investigate further. But please do let me know the results of it. I will be interested in the resolution.
Regards,
Prapanch
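An added monitoring example, not part of this thread or of any Cisco tooling: a small Python script that reads the counters from "debug menu ike 28 1" output and the %ASA-3-713191 syslog lines of the kind posted above, reports Phase 1 negotiation-slot utilization, and lists which source IPs are tripping the limit. The debug output and log lines below are constructed samples; the 302013 line is only there to show that unrelated messages are ignored.

```python
import re
from collections import Counter

# Constructed sample: same shape as the "debug menu ike 28 1" output in the thread
DEBUG_OUTPUT = """\
IKE simultaneous P1 negotiations Stats:
current negotiation count = 50
device current limit = 50 (device default)
device default limit = 50
highwater negotiation count = 50
"""

# Constructed sample syslog lines (forum rendering of the message shown above)
SYSLOG_LINES = [
    "nov 15 2010 08:02:38: %%asa-3-713191: ip = 88.90.17.178, maximum concurrent ike negotiations exceeded!",
    "nov 15 2010 08:02:41: %ASA-3-713191: IP = 88.90.17.178, Maximum concurrent IKE negotiations exceeded!",
    "nov 15 2010 08:02:45: %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.9/40000",
]

# Tolerates the doubled '%' and lower-case rendering seen in the thread
SYSLOG_713191 = re.compile(r"%+ASA-\d-713191:\s*IP\s*=\s*([\d.]+)", re.IGNORECASE)


def parse_p1_stats(text):
    """Extract the Phase 1 negotiation counters from 'debug menu ike 28 1' output."""
    fields = {"current": r"current negotiation count",
              "limit": r"device current limit",
              "highwater": r"highwater negotiation count"}
    stats = {}
    for name, label in fields.items():
        m = re.search(label + r"\s*=\s*(\d+)", text)
        if m:
            stats[name] = int(m.group(1))
    return stats


def count_713191_sources(lines):
    """Count 713191 'negotiations exceeded' messages per source IP; other IDs are skipped."""
    sources = Counter()
    for line in lines:
        m = SYSLOG_713191.search(line)
        if m:
            sources[m.group(1)] += 1
    return sources


def assess(debug_text, syslog_lines):
    """Return utilization of the P1 slot pool, whether it is exhausted, and the offending peers."""
    stats = parse_p1_stats(debug_text)
    return {"utilization": stats["current"] / stats["limit"],
            "exhausted": stats["current"] >= stats["limit"],
            "sources": dict(count_713191_sources(syslog_lines))}
```

On the thread's numbers this reports 100% utilization and a single peer, 88.90.17.178, which matches the diagnosis that asa3's repeated failed authentications were consuming every Phase 1 slot.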
01-20-2011 02:05 PM
Was there any resolution to this issue? I just upgraded to 8.3 and I'm having a similar issue with the easy vpn not connecting.
01-26-2011 12:52 AM
To all who helped out here, sorry for the long silence.
I ended up resetting the ASA to factory default (which was a struggle in itself for some reason) and rebuilding the config step by step.
Works fine now. I'll be glad to forward my configs to anyone who could need them.
hkl