
WebVPN session terminated: Service Unavailable

Tim Grant
Level 1

Hi

 

ASA specs

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(2)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825_k8.bin"
Config file at boot was "startup-config"

XXXX up 128 days 1 hour
failover cluster up 132 days 18 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

 

Seeing this issue occur in the afternoons usually. In the mornings WebVPN users are able to login successfully, then we start seeing some fail with the following in the log:

 

Oct 29 2014 15:02:44: %ASA-6-725003: SSL client outside:X.X.X.X/56221 request to resume previous seion.
Oct 29 2014 15:02:44: %ASA-6-725002: Device completed SSL handshake with client outside:X.X.X.X/562
Oct 29 2014 15:02:44: %ASA-6-725007: SSL session with client outside:X.X.X.X/56221 terminated.
Oct 29 2014 15:02:56: %ASA-6-725001: Starting SSL handshake with client outside:X.X.X.X/56226 for Tv1 session.
Oct 29 2014 15:02:56: %ASA-6-725003: SSL client outside:X.X.X.X/56226 request to resume previous seion.
Oct 29 2014 15:02:56: %ASA-6-725002: Device completed SSL handshake with client outside:X.X.X.X/562
Oct 29 2014 15:02:58: %ASA-6-716001: Group <GroupPolicy_XXXX> User <XXXX> IP <X.X.X.XWebVPN session started.
Oct 29 2014 15:02:58: %ASA-6-716002: Group <GroupPolicy_XXXX> User <XXXX> IP <X.X.X.XWebVPN session terminated: Service Unavailable.

 

I haven't seen this "Service Unavailable" before. Any ideas? Thanks

 

Regards

Tim
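One way to quantify the pattern described in this post from an exported syslog, as an added example that is not part of the original thread: it pairs each 716001 start with the 716002 termination for the same user and IP, and reports sessions that ended with "Service Unavailable" within a few seconds, grouped by hour of day. The sample lines are constructed in the message format quoted above; the group and user names, the addresses and the 5-second threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the message format quoted in the post
# (addresses, group and user names are placeholders, not from the thread).
SAMPLE_LOG = """\
Oct 29 2014 09:14:02: %ASA-6-716001: Group <GroupPolicy_A> User <alice> IP <203.0.113.10> WebVPN session started.
Oct 29 2014 09:58:31: %ASA-6-716002: Group <GroupPolicy_A> User <alice> IP <203.0.113.10> WebVPN session terminated: User Requested.
Oct 29 2014 15:02:58: %ASA-6-716001: Group <GroupPolicy_A> User <bob> IP <203.0.113.20> WebVPN session started.
Oct 29 2014 15:02:58: %ASA-6-716002: Group <GroupPolicy_A> User <bob> IP <203.0.113.20> WebVPN session terminated: Service Unavailable.
Oct 29 2014 15:07:11: %ASA-6-716001: Group <GroupPolicy_A> User <carol> IP <203.0.113.30> WebVPN session started.
Oct 29 2014 15:07:12: %ASA-6-716002: Group <GroupPolicy_A> User <carol> IP <203.0.113.30> WebVPN session terminated: Service Unavailable.
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-(?P<id>71600[12]): "
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"WebVPN session (?:started|terminated: (?P<reason>.*?))\.?$"
)

def failed_logins(text, reason="Service Unavailable", max_lifetime=5):
    """Return sessions that ended with `reason` within max_lifetime seconds of starting."""
    started, hits = {}, []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other message IDs (725xxx handshakes etc.) are ignored
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["user"], m["ip"])
        if m["id"] == "716001":
            started[key] = ts  # remember when this user/IP pair started a session
        elif m["reason"] == reason and key in started:
            lifetime = (ts - started.pop(key)).total_seconds()
            if lifetime <= max_lifetime:
                hits.append({"user": key[0], "ip": key[1], "at": ts, "lifetime": lifetime})
        else:
            started.pop(key, None)  # normal termination: forget the session
    return hits

def by_hour(hits):
    """Count matching terminations per hour of day to expose a time-of-day pattern."""
    return Counter(h["at"].hour for h in hits)

if __name__ == "__main__":
    for hour, n in sorted(by_hour(failed_logins(SAMPLE_LOG)).items()):
        print(f"{hour:02d}:00  {n} session(s) ended with Service Unavailable")
```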

5 Replies

Richard Burts
Hall of Fame

Tim

 

I have not seen that Service Unavailable before and am not sure, but I wonder if it could be that you are getting to the point where you have used all of the sessions specified in your license and new sessions cannot initiate because of the license count?

 

HTH

 

Rick


Hi

 

Thanks for your response. I don't believe it's a license issue but will try to confirm the license and number of users.

Further troubleshooting has found the following:

 

ASDM also unavailable, and http ports closed

 

I am still able to connect to the ASA with SSH

 

These issues were encountered when trying to run some troubleshooting from the CLI:

 

XXX-ASA# show webvpn statistics
ERROR: Memory allocation failed

XXX-ASA# show memory webvpn
ERROR: Memory allocation failed


XXX-ASA(config)# http server enable XXXX
ERROR: Write access to 'config.webvpn.n_interfaces' failed.
unicorn_config_set_interface() failed
ERROR: Write access to 'config.webvpn.n_interfaces' failed.
unicorn_config_set_interface() failed
ERROR: Write access to 'config.webvpn.n_interfaces' failed.
unicorn_config_set_interface() failed
ERROR: Write access to 'config.webvpn.n_interfaces' failed.
unicorn_config_set_interface() failed
ERROR: Write access to 'config.webvpn.n_interfaces' failed.
unicorn_config_set_interface() failed
ERROR: Write access to 'config.webvpn.n_interfaces' failed.
unicorn_config_set_interface() failed

 

Thanks and regards

Tim

 

 

Tim

 

Thanks for the additional information. It does look like something is going on other than a potential issue with the user count and license limitations. show version should clear up what the license count is, and sh vpn-sessiondb summary should give you both current count and maximum counts, just to be sure.

 

In your original post you indicate that usually in the mornings things seem to work ok and it is later in the day when problems start to appear. In the mornings does ASDM work? At least some of the messages seem to indicate memory problems. What do you get from the command show memory?

 

If this ASA is covered under a maintenance plan it would be appropriate to open a case with Cisco TAC and have them investigate.

 

HTH

 

Rick


Thanks. I don't think it's a license issue (see below).

 

I have raised it with TAC.

 

Cheers

 

 

XX-ASA# show vpn-sessiondb

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :       0 :        175 :               2
    Clientless only     :       0 :         18 :               1
    With client         :       0 :        157 :               2 :        0
  Email Proxy           :       0 :          0 :               0
  IPsec LAN-to-LAN      :       1 :          8 :               1
  IPsec Remote Access   :       2 :        100 :               3
  VPN Load Balancing    :       0 :          0 :               0
  Totals                :       3 :        283

License Information:
  IPsec   :    250    Configured :    250    Active :      4    Load :   2%
  SSL VPN :    250    Configured :    250    Active :      0    Load :   0%
                            Active : Cumulative : Peak Concurrent
  IPsec               :          4 :        240 :               5
  SSL VPN             :          0 :        215 :               2
    AnyConnect Mobile :          0 :          0 :               0
    Linksys Phone     :          0 :          0 :               0
  Totals              :          4 :        455

Tunnels:
                      Active : Cumulative : Peak Concurrent
  IKE           :          3 :        108 :               4
  IPsec         :          2 :         15 :               3
  IPsecOverNatT :          2 :         99 :               4
  Clientless    :          0 :        175 :               2
  SSL-Tunnel    :          0 :        213 :               2
  DTLS-Tunnel   :          0 :        174 :               2
  Totals        :          7 :        784

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

 

 

Tim

 

You are right that it certainly does not look like a license issue. Please do let us know what TAC finds about this.

 

HTH

 

Rick
