Very strange Client VPN issue on A/S setup

tahequivoice
Level 2

Encountered this issue twice so far. When failover occurs between two ASA 5510s, the local IP pool for remote access users no longer works. I have to remove the pool and change the addresses to a different subnet for them to start working again; otherwise I get error 443, "unable to obtain IP address for client". There is also a PtP connection to another site that is working just fine on failover, but for some odd reason the client connections suffer from this.

9 Replies

husycisco
Level 7

Hello Todd,

Can you tell us the IOS version installed in the firewalls? Most probably you are hitting a bug.

Regards

8.0(3)

Is this a stateful failover? I located a bug close to your issue that occurs if the address pool is defined in the group-policy. If you have the VPN pool defined in the group-policy, remove it and define it under the tunnel-group.

Regards

Thanks, I will give it a try and see if that corrects it. It is stateful failover, and the pool is in the group policy.

Hello Todd,

Any update?

Actually, yes, I have one. There was a failover today and it happened again, even with the pool in the tunnel group. What is interesting is that I switched the active back to the primary unit and VPN started working again. Will upgrading to 8.0(4) correct this?

On a side note, failover is sweet; had it not been for this VPN problem, we would never have known it failed over.

Hi,

I think your issue is very similar to the one documented in the Bug ID below. But the interesting part is, if you had configured the VPN pool under the tunnel group, it should have worked after FO. Having said that, if possible, I would upgrade the ASA to 8.0(4), which has the fix for the bug below, and then do the testing again.

CSCsm82887

FO: IPSec RA session not replicated if addr pool defined in group policy

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/arn804n.html

Regards,

Arul

*Pls rate if it helps*

Just discovered another issue with VPN. NAT traversal keeps getting disabled. I checked our ACS logs and at no time was "no nat-traversal" issued on either device. Could this be related to the bug?

I have already mentioned Arul's suggestion.

Todd, first make sure the nat-traversal command was/is already replicated to the standby. If it was, then try upgrading your IOS.
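The two pieces of advice in this thread (move the pool from the group-policy to the tunnel-group, and confirm the standby actually carries the nat-traversal command) are easier to act on with the configuration in front of you. The snippet below is an added example written for this page, not configuration posted by anyone in the thread; the pool, group-policy and tunnel-group names and the 10.10.10.0/24 range are assumed placeholders. The first block is the placement CSCsm82887 describes as not replicated on stateful failover; the second is the placement husycisco and Arul recommend.

```cisco
! Shared remote-access pool (placeholder name and range, assumed)
ip local pool RA-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- Placement affected by CSCsm82887 (pool under the group-policy) ---
group-policy RA-GP internal
group-policy RA-GP attributes
 address-pools value RA-POOL

! --- Recommended placement (pool under the tunnel-group) ---
! Remove the group-policy reference first so the tunnel-group pool is what gets used.
group-policy RA-GP attributes
 no address-pools value RA-POOL
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP

! NAT traversal: keep it explicitly in the running config so it is part of what
! failover replicates; "no crypto isakmp nat-traversal" is what would disable it.
crypto isakmp nat-traversal 20

! --- Checks to run on the STANDBY console after making the change ---
! Confirm stateful failover is up and the standby has the same config.
show failover
show running-config tunnel-group RA-TG
show running-config group-policy RA-GP
show running-config crypto isakmp
! With sessions established on the active, the replicated RA sessions should
! appear here as well; if they do not, the pool placement is still the problem.
show vpn-sessiondb remote
```

The point of running the show commands on the standby, rather than the active, is that the thread's failure only shows up once the standby becomes active: if `show running-config crypto isakmp` on the standby is missing the nat-traversal line, or the tunnel-group still lacks `address-pool`, the replication (not the VPN configuration itself) is what to chase before upgrading to 8.0(4).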
