ASA 5520 - VPN disconnects and ASA shows the error msg "%ASA-4-402123"

Jun 10th, 2007
Hello All,

When a remote user connects via the VPN client, they experience a disconnection a few seconds after they have authenticated successfully.

I checked the ASA logs and noticed the following msg:

%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid IP Version, code= 0x17) while executing the command Write IPSec Outbound SA (0x4014).

I checked what this error msg means and its recommended action was to contact the TAC. The ASA 5520 is brand new out of the box.

Could the community help me troubleshoot this issue?

The sh ver is as follows:

######## sh ver

Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)

Compiled on Tue 14-Mar-06 17:00 by dalecki
System image file is "disk0:/asa712-k8.bin"
Config file at boot was "startup-config"

###### up 5 days 17 hours

Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 001a.6dea.4946, irq 9
1: Ext: GigabitEthernet0/1 : address is 001a.6dea.4947, irq 9
2: Ext: GigabitEthernet0/2 : address is 001a.6dea.4948, irq 9
3: Ext: GigabitEthernet0/3 : address is 001a.6dea.4949, irq 9
4: Ext: Management0/0 : address is 001a.6dea.4945, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: ########
Running Activation Key: #####
Configuration register is 0x1
Configuration last modified by enable_15 at 08:01:59.725 UTC Sun Jun 10 2007

b.speltz Thu, 06/14/2007 - 08:09
It may be due to the remote peer sending a wrong ESP packet. You need to check the crypto configuration.

Also check this bug ID: CSCsc64621.

