11-18-2008 06:45 AM - edited 02-21-2020 04:02 PM
Encountered this issue twice so far. When failover occurs between two ASA 5510s, the local IP pool for remote access users no longer works. I have to remove the pool and change the addresses to a different subnet for them to start working again; otherwise I get error 443, "unable to obtain IP address for client". There is also a PtP connection to another site that is working just fine on failover, but for some odd reason the client connections suffer from this.
11-18-2008 07:17 AM
Hello Todd,
Can you tell us the IOS version installed in the firewalls? Most probably you are hitting a bug.
Regards
11-18-2008 07:29 AM
8.0(3)
11-18-2008 08:13 AM
Is this a stateful failover? I located a bug close to your issue that occurs if the address pool is defined in the group-policy. If you have the VPN pool defined in the group-policy, remove it and define it under the tunnel-group.
Regards
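As an added illustration (not from the thread, and not Cisco's own documentation), this is what the reconfiguration suggested above looks like on an ASA, together with the show commands a practitioner would use on the standby unit to confirm the pool and the nat-traversal setting were replicated. The pool, group-policy and tunnel-group names and the address range are constructed for the example.

```cisco
! Added example; RA-POOL, RA-GP, RA-TG and 192.0.2.0/24 are constructed values.
!
! BEFORE: the pool is referenced from the group-policy, the layout the thread reports as problematic.
ip local pool RA-POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0
group-policy RA-GP internal
group-policy RA-GP attributes
 address-pools value RA-POOL
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 default-group-policy RA-GP
!
! AFTER: remove the reference from the group-policy and attach the pool to the tunnel-group.
group-policy RA-GP attributes
 no address-pools value RA-POOL
!
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
!
! Keep NAT traversal explicitly configured so it is part of the replicated config.
crypto isakmp nat-traversal 20
!
! Verification, run on both units (and again on the new active unit after a failover):
! show failover                            -> unit role and "config sync" state
! show running-config tunnel-group RA-TG   -> address-pool should be present on both units
! show running-config crypto isakmp        -> "crypto isakmp nat-traversal" should be present on both units
```

If the tunnel-group or isakmp lines differ between active and standby, the configuration was not replicated and that, rather than the failover event itself, is what to chase first.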
11-18-2008 08:28 AM
Thanks, I will give it a try and see if that corrects it. It is stateful failover, and it is in the group policy.
11-21-2008 04:59 AM
Hello Todd,
Any update?
12-10-2008 11:53 AM
Actually, yes, I have one. There was a failover today and it happened again, even with the pool in the tunnel group. What is interesting is that I switched the active back to the primary unit and VPN started working again. Will upgrading to 8.0(4) correct this?
On a side note, failover is sweet; had it not been for this VPN problem, we would have never known it failed over.
12-10-2008 12:26 PM
Hi,
I think your issue is very similar to the one documented in the bug ID below. But the interesting part is, if you had configured the VPN pool under the tunnel group, it should have worked after FO. Having said that, if possible, I would upgrade the ASA to 8.0(4), which has the fix for the bug below, and then do the testing again.
CSCsm82887
FO: IPSec RA session not replicated if addr pool defined in group policy
http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/arn804n.html
Regards,
Arul
*Pls rate if it helps*
12-10-2008 01:49 PM
Just discovered another issue with VPN. The NAT traversal keeps getting disabled. I checked our ACS logs and at no time was "no nat-traversal" issued on either device. Could this be related to the bug?
12-10-2008 02:12 PM
I have already mentioned Arul's suggestion.
Todd, first make sure the nat-traversal command was/is already replicated to the standby. If it was, then try upgrading your IOS.