Very strange Client VPN issue on A/S setup

Unanswered Question
Nov 18th, 2008
Encountered this issue twice so far. When failover occurs between two ASA5510's, the local IP pool for remote access users no longer works. I have to remove the pool and change the addresses to a different subnet for them to start working again, otherwise I get error 443, unable to obtain IP address for client. There is also a PtP connection to another site that is working just fine on failover, but for some odd reason the client connections suffer from this.

husycisco Tue, 11/18/2008 - 07:17
User Badges: Gold, 750 points or more

Hello Todd,

Can you tell us the IOS version installed in the firewalls? Most probably you are hitting a bug.

Regards

husycisco Tue, 11/18/2008 - 08:13
User Badges: Gold, 750 points or more

Is this a stateful failover? I located a bug close to your issue that occurs if the address pool is defined in the group-policy. If you have the VPN pool defined in the group-policy, remove it and define it under the tunnel-group.

Regards
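
As an added illustration (not configuration from this thread), the two pool placements husycisco contrasts, shown in ASA CLI: the pool attached to the group-policy, then the same pool moved to the tunnel-group. The pool, group-policy and tunnel-group names and the 192.0.2.0/24 range are assumed placeholders.

```cisco
! Added example, not from the thread. RA-POOL, RA-POLICY, RA-TUNNEL and the
! 192.0.2.x range are placeholders; substitute your own names and subnet.
!
! Placement described as affected: pool referenced from the group-policy.
ip local pool RA-POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 address-pools value RA-POOL
!
! Workaround suggested above: remove the pool from the group-policy and
! attach it to the tunnel-group's general attributes instead.
group-policy RA-POLICY attributes
 no address-pools
tunnel-group RA-TUNNEL general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
!
! Checks worth running on the active unit after the change and again after
! a failover, so the two problems raised in the thread can be separated:
!   show failover                       -> standby in Standby Ready state
!   show running-config tunnel-group    -> pool now listed under the tunnel-group
!   show running-config crypto isakmp   -> "crypto isakmp nat-traversal" still present
```

Running the same show commands on the unit that became active after the failover shows whether the pool and nat-traversal lines were actually replicated, which is the first thing to confirm before attributing the behaviour to the bug.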

tahequivoice Tue, 11/18/2008 - 08:28

Thanks, I will give it a try and see if that corrects it. It is stateful failover and it is in the group policy.

husycisco Fri, 11/21/2008 - 04:59
User Badges: Gold, 750 points or more

Hello Todd,

Any update?

tahequivoice Wed, 12/10/2008 - 11:53

Actually, yes, I have one. There was a failover today and it happened again, even with the pool in the tunnel group. What is interesting is that I switched the active back to the primary unit and VPN started working again. Will upgrading to 8.0(4) correct this?

On a side note, failover is sweet; had it not been for this VPN problem, we would never have known it failed over.

ajagadee Wed, 12/10/2008 - 12:26
User Badges: Cisco Employee

Hi,


I think your issue is very similar to the one documented in the below Bug Id. But, the interesting part is, if you had configured the VPN Pool under the tunnel group, it should have worked after FO. Having said that, if possible, I would upgrade the ASA to 8.0(4) which has the fix for the below bug and then do the testing again.

CSCsm82887 - FO: IPSec RA session not replicated if addr pool defined in group policy

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/arn804n.html

Regards,

Arul

*Pls rate if it helps*

tahequivoice Wed, 12/10/2008 - 13:49

Just discovered another issue with VPN. The NAT traversal keeps getting disabled. I checked our ACS logs and at no time was a "no nat-traversal" issued on either device. Could this be related to the bug?

husycisco Wed, 12/10/2008 - 14:12
User Badges: Gold, 750 points or more

I have already mentioned Arul's suggestion.

Todd, first make sure the nat-traversal command was/is already replicated to the standby. If it was, then try upgrading your IOS.
