ASA 5520 with VPN ISAKMP issues

pauls
Level 1

We have two ASA 5520s (running 7.2.3 as A/S) configured for Cisco Client VPN, but when we try to connect via the VPN Client we don't seem to pass any ISAKMP traffic to the outside port.

The debug crypto isakmp output displays "[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active."

Our two ASAs are configured for A/S, and the primary is the active ASA.

PG-ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FailoverLink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 07:53:35 EST Nov 17 2007
    This host: Primary - Active
        Active time: 4086465 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/7.2(3)) status (Up Sys)
          Interface Outside (1.1.1.1): Normal
          Interface inside (172.16.50.150): Normal
          Interface DMZ (10.1.1.1): Normal
          Interface management (172.31.16.253): Normal
        slot 1: empty
    Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/7.2(3)) status (Up Sys)
          Interface Outside (1.1.1.2): Normal
          Interface inside (172.16.50.152): Normal
          Interface DMZ (10.1.1.2): Normal
          Interface management (172.31.16.252): Normal
        slot 1: empty

The sh crypto isakmp stat output shows "In Drop Packets: 170"; this climbs by 4 with every attempt to VPN in with the client.

This same config and client work fine on a 3030 concentrator, but we would like to move to the ASA and use the 3030 concentrator as a backup. Any help on this issue?

2 Replies

amritpatek
Level 6

The solution to this problem is to reboot the ASA or re-enable failover on both boxes. This is a failover issue, as the IKE receiver thinks that the Primary (Active) ASA is not Active. This issue is similar to Cisco bug CSCef16655.

There is no information available about this bug. Were you able to find any additional workaround other than resetting the firewalls?

Thanks,

OScar Perez
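The symptom described in the original post and confirmed in the reply is a state mismatch: "show failover" reports this unit as Active with all monitored interfaces Normal, yet the IKE receiver refuses inbound ISAKMP as "not currently active" and the "In Drop Packets" counter climbs with every client attempt. The following check, added here as an example and not code from the thread or from Cisco, correlates those three observations so a monitoring job can flag the condition instead of waiting for users to report VPN failures. The "show failover" text, the debug lines and the two counter readings are constructed samples using the values quoted in the post; the message string matched is the one the poster quoted.

```python
"""Correlate ASA failover state, IKE receiver debug output and ISAKMP drop
counters to detect the 'Active but IKE receiver says not active' condition.
Added example; sample inputs are constructed from values quoted in the thread."""
import re

# Constructed sample of "show failover" output (values as quoted in the post).
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FailoverLink GigabitEthernet0/3 (up)
Version: Ours 7.2(3), Mate 7.2(3)
    This host: Primary - Active
        Active time: 4086465 (sec)
          Interface Outside (1.1.1.1): Normal
          Interface inside (172.16.50.150): Normal
          Interface DMZ (10.1.1.1): Normal
    Other host: Secondary - Standby Ready
        Active time: 0 (sec)
          Interface Outside (1.1.1.2): Normal
"""

# Constructed "debug crypto isakmp" lines; the message is the one quoted in the post.
DEBUG_LINES = [
    "[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.",
    "[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active.",
]

# Constructed "In Drop Packets" readings from "show crypto isakmp stats", taken
# before and after one VPN Client attempt (the post reports +4 per attempt).
DROP_COUNTER_BEFORE = "In Drop Packets: 170"
DROP_COUNTER_AFTER = "In Drop Packets: 174"

RECEIVER_NOT_ACTIVE = "Local unit is failover enabled but is not currently active"


def parse_failover(text):
    """Extract the failover facts that matter for IKE: whether failover is on,
    what role this host and the mate report, and this host's interface states."""
    info = {"enabled": None, "this_host": None, "other_host": None, "interfaces": {}}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "Failover":      # "Failover On" / "Failover Off"
            info["enabled"] = parts[1] == "On"
        m = re.match(r"^(This|Other) host: \S+ - (.+)$", line)
        if m:
            key = "this_host" if m.group(1) == "This" else "other_host"
            info[key] = m.group(2).strip()
        m = re.match(r"^Interface (\S+) \(([\d.]+)\): (\S+)$", line)
        if m and info["other_host"] is None:
            # Interfaces listed before "Other host" belong to this host.
            info["interfaces"][m.group(1)] = m.group(3)
    return info


def drop_count(line):
    """Parse the 'In Drop Packets: N' counter; None if the line does not carry it."""
    m = re.search(r"In Drop Packets:\s*(\d+)", line)
    return int(m.group(1)) if m else None


def diagnose(failover_text, debug_lines, drops_before, drops_after):
    """Return a list of findings. The interesting case is the thread's: failover on,
    this host Active, interfaces Normal, yet the IKE receiver refuses packets."""
    fo = parse_failover(failover_text)
    findings = []
    refusals = sum(RECEIVER_NOT_ACTIVE in line for line in debug_lines)
    before, after = drop_count(drops_before), drop_count(drops_after)

    if fo["enabled"] and fo["this_host"] == "Active" and refusals:
        findings.append(
            "failover state mismatch: 'show failover' reports Active but the IKE "
            f"receiver refused {refusals} packet(s) as not-active"
        )
    if before is not None and after is not None and after > before:
        findings.append(f"ISAKMP inbound drops increased by {after - before} during the attempt")
    if fo["enabled"] and fo["this_host"] not in (None, "Active"):
        findings.append("this unit is standby; IKE refusal is expected here, check the mate")
    bad = [name for name, state in fo["interfaces"].items() if state != "Normal"]
    if bad:
        findings.append("monitored interfaces not Normal: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_FAILOVER, DEBUG_LINES, DROP_COUNTER_BEFORE, DROP_COUNTER_AFTER):
        print("ALERT:", finding)
```

Run against the constructed samples it raises two findings, the state mismatch and the +4 drop delta, which together are the signature the reply attributes to the failover bug; a standby unit logging the same message raises only the expected-refusal note, so the two situations are not confused.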
