10-26-2016 03:23 PM
Hi,
After an upgrade from ASA version 9.6.1 to 9.6.2, on reboot, the site-to-site tunnel does not come back! X_X
During the negotiation a message appears that gives an idea of the reason, even if it is not understandable, since with the previous version the tunnel was UP without problems:
Group = ip.ip.ip.ip, IP = ip.ip.ip.ip, L2L Authorization Failed - check your group-policy.
AAA unable to complete the request Error : reason = Access hours restrictions in effect : user = ip.ip.ip.ip
Why? I have not set any restrictions, what did this version update? I also tried to remove the tunnels from the configuration, restoring the same as usual but the problem persists!
Does anyone have an idea on what to do?
Thanks,
Arturo.
10-26-2016 10:54 PM
Try performing a "show running all" and look at the group-policy DfltGrpPolicy attributes.
Also look at the tunnel-group DefaultL2LGroup general-attributes and check if it refers to a different group-policy.
Last, check your specific tunnel-groups and see if they refer to a different group-policy.
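The three checks suggested in this reply, as an added Python example that is not part of the original posts: it reads saved `show running-config all` output, resolves which group-policy each tunnel-group uses, and reports any tunnel that ends up under a `vpn-access-hours` time range, whether set directly or inherited from DfltGrpPolicy. The sample configuration, its addresses and the time-range name BUSINESS are constructed, and the helper names are hypothetical.

```python
DEFAULT_POLICY = "DfltGrpPolicy"

# Constructed excerpt of "show running-config all" output (not from the thread).
SAMPLE = """\
group-policy DfltGrpPolicy attributes
 vpn-access-hours value BUSINESS
group-policy GroupPolicy_203.0.113.10 internal
group-policy GroupPolicy_203.0.113.10 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_198.51.100.7 attributes
 vpn-access-hours none
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GroupPolicy_203.0.113.10
tunnel-group 198.51.100.7 general-attributes
 default-group-policy GroupPolicy_198.51.100.7
"""

def parse(config):
    """Return ({group-policy: access-hours or None}, {tunnel-group: group-policy})."""
    hours, policy_of, ctx = {}, {}, None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        words = line.split()
        if not line[0].isspace():  # top-level line: opens a section or ends one
            ctx = None
            if words[0] == "group-policy" and words[2:] == ["attributes"]:
                ctx = ("gp", words[1])
                hours.setdefault(words[1], None)
            elif words[0] == "tunnel-group" and words[2:] == ["general-attributes"]:
                ctx = ("tg", words[1])
                policy_of.setdefault(words[1], DEFAULT_POLICY)
        elif ctx and ctx[0] == "gp" and words[0] == "vpn-access-hours":
            hours[ctx[1]] = words[-1]  # "none" or the time-range name
        elif ctx and ctx[0] == "tg" and words[0] == "default-group-policy":
            policy_of[ctx[1]] = words[1]
    return hours, policy_of

def restricted_tunnels(config):
    """Map each tunnel-group under an access-hours limit to (time-range, source policy)."""
    hours, policy_of = parse(config)
    found = {}
    for tunnel, policy in policy_of.items():
        value = hours.get(policy)
        if value is None and policy != DEFAULT_POLICY:
            policy, value = DEFAULT_POLICY, hours.get(DEFAULT_POLICY)  # unset: inherited
        if value not in (None, "none"):
            found[tunnel] = (value, policy)
    return found
```

On the constructed sample, the tunnel whose own policy leaves the attribute unset is reported as restricted through DfltGrpPolicy, while the one with an explicit `vpn-access-hours none` is not.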
10-27-2016 12:03 AM
Hi Massimo,
ASDM does not show me the hourly limitations in L2 tunnel; however, yes, there is a limit in DfltGrpPolicy (it has always been there). Tonight I will try it this way, let's see if I can leave everything else...
group-policy GroupPolicy_ip.ip.ip.ip attributes
vpn-access-hours none
exit
Meanwhile, thank you for putting me on the right track!
73,
Arturo.
10-27-2016 12:31 AM
Nice to know you are going to solve your problems.
All in all we both belong to the "beautiful country" :-)