VPN traffic interruption on ASA5540 Running 8.3 code
Intermittently, L2L VPNs traversing a particular interface on my ASA 5540 get torn down and are not able to complete phase 1. These tunnels run for weeks with the exact config in the ASA, and then randomly stop passing traffic. Importantly, this affects only VPN related traffic. Additionally, we run SSL VPN through the same interface on the ASA and that stops allowing incoming connections as well. I also have L2L VPN tunnels built up to other interfaces on the ASA and they are not affected.
My ASAs are running in active/standby and I can force a failover to whatever unit is acting as the standby, and the issue is immediately cleared with no other intervention. Recently, this issue presented and I noticed that my dynamic ARP table had multiple erroneous interfaces bound to the MAC address of the interface that has issues with VPN traffic. Instead of performing a failover event, I cleared the dynamic arp entries and the issue was immediately resolved. I can only assume that the HA failover process also forces an arp cache clear, which explains why that resolved the issue previously.
I have had the same hardware running the same code for quite some time and this issue only recently cropped up. There were no config changes made to the ASA for some time prior to the first manifestation of the issue.
I have debug logging enabled and am send this info to a syslog server. I captured output from some of these events but haven’t been able to make heads or tails of it.
Join us live on Tuesday, July 14 (and on demand after) to learn what impacts COVID-19 has had on the information security landscape from one of the people living that fight.
We'll take your questions live during the show and after, so post them belo...
TETRA Error Codes - Windows
Here are some common TETRA Error codes that you may find displayed in the dashboard as well as within the C:\Program Files\Cisco\AMP\<your_version>\sfc.exe.log or corresponding sfc.exe_<date>_<time>.logs. The...
Please note that the minimum cryptography settings in AnyConnect 4.9 have been increased. Please ensure that your head-end is properly configured for the more stringent cryptography settings (if applicable) or users will be unable to connect after updatin...
In this guide will we be taking a look at how to configure the web.config file using the URL Rewrite tool when deploying the TETRA update server. This guide is meant as a companion to the existing guides and to help fill in some in...