ASA Failover VPN Issues

Jan 6th, 2009

It seems each time our ASAs fail over (at least once a month), our Cisco VPN clients no longer connect, with an "error 433 unknown". Our AnyConnect clients work just fine. Failing back seems to do the trick. Is there anything specific I can look for once this happens again?

sachinraja Tue, 01/06/2009 - 06:37

Hey Jason

Is the connectivity to the ASA's external IP fine during this issue? Is it a layer 3 issue or something at the upper layers (authentication, encryption, etc.)? Did you do a debug when users connect to the failover ASA? Hope there are software licenses on the failover unit! Do a debug crypto isakmp, debug aaa authentication, etc., to see the exact error and troubleshoot from there.

Hope this helps. All the best.

Raj

sachinga.hcl Sun, 04/12/2009 - 18:25

Hi Dear,

Which ASA software version are you using?

Is it 7.2(4)?

This turned out to be a Cisco software bug. We were running 7.2(4) when we experienced the failover problem but upgraded to 7.2(4)9 and this resolved the issue.

The related bugs seem to have been:

CSCsl52895 - ASA 7.2.3 number of IPSec SA not replicated in failover unit.

CSCsl82200 - IPSec not encrypting after failover

There is also another bug to be aware of: search for CSCsi18736 in the bug toolkit.

Hope it will work for you.

Please feel free to revert if the issue is still unresolved.

Kind Regards,

Sachin
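An added triage helper (not from this thread and not Cisco's own tooling) that turns the checks above into a repeatable script: it parses constructed samples of `show failover` and `show crypto isakmp sa` output and flags a software-version mismatch between the units, a standby that is not in "Standby Ready", and fewer SAs on the standby than on the active unit, the kind of replication gap the bug titles above describe. The output line formats are assumed from typical ASA 7.x/8.x show commands; the sample text is constructed, not captured from any device.

```python
import re

# Constructed sample of 'show failover' on the active unit (not captured from a real ASA).
ACTIVE_FAILOVER = """\
Failover On
Failover unit Primary
Version: Ours 8.0(4), Mate 8.0(3)
Last Failover at: 09:14:22 UTC Apr 12 2009
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""
# Constructed samples of 'show crypto isakmp sa' on active and standby (assumed line format).
ACTIVE_ISAKMP = "Active SA: 12\nRekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)\n"
STANDBY_ISAKMP = "Active SA: 9\nRekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)\n"


def parse_failover(text):
    """Pull software versions and unit states out of 'show failover' output."""
    info = {}
    m = re.search(r"Version: Ours ([^,]+), Mate (.+)", text)
    if m:
        info["ours"], info["mate"] = m.group(1).strip(), m.group(2).strip()
    m = re.search(r"This host: \S+ - (.+)", text)
    if m:
        info["this_state"] = m.group(1).strip()
    m = re.search(r"Other host: \S+ - (.+)", text)
    if m:
        info["other_state"] = m.group(1).strip()
    return info


def active_sa_count(text):
    """Number of established ISAKMP SAs reported by 'show crypto isakmp sa'."""
    m = re.search(r"Active SA:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def triage(failover_text, active_isakmp_text, standby_isakmp_text):
    """Return findings that explain why VPN clients may fail right after a failover."""
    findings = []
    fo = parse_failover(failover_text)
    if fo.get("ours") != fo.get("mate"):  # mixed versions: fix before trusting failover
        findings.append("version mismatch: active %s, standby %s" % (fo.get("ours"), fo.get("mate")))
    if fo.get("other_state") != "Standby Ready":
        findings.append("standby not ready: %s" % fo.get("other_state"))
    a, s = active_sa_count(active_isakmp_text), active_sa_count(standby_isakmp_text)
    if s < a:  # standby holds fewer SAs than active: replication gap
        findings.append("SA replication gap: active has %d ISAKMP SAs, standby has %d" % (a, s))
    return findings


if __name__ == "__main__":
    for line in triage(ACTIVE_FAILOVER, ACTIVE_ISAKMP, STANDBY_ISAKMP):
        print(line)
```

Run the three show commands on both units right after a failover and feed the captured text to `triage`; an empty list means the units agree on version, state and SA count, so the investigation moves to the debug output Raj suggests.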

jgorman1977 Mon, 04/13/2009 - 06:02
Sachin,

I was using 8.0(3), but recently upgraded to 8.0(4), and everything seems to be working correctly on failover.

Thanks
