ASA Failover VPN Issues

Unanswered Question
Jan 6th, 2009

It seems each time our ASAs fail over (at least once a month), our Cisco VPN clients no longer connect, with an error 433 unknown. Our AnyConnect clients work just fine. Failing back seems to do the trick. Is there anything specific I can look for once this happens again?

sachinraja Tue, 01/06/2009 - 06:37

Hey Jason

Is the connectivity to the ASA's external IP fine during this issue? Is it a layer 3 issue or something to do at the top layers (authentication, encryption etc.)? Did you do a debug when users connect onto the failover ASA? Hope there are software licenses on the failover unit! Do a debug crypto isakmp, debug aaa authentication etc., to see the exact error and troubleshoot from there.

Hope this helps. All the best.

Raj

sachinga.hcl Sun, 04/12/2009 - 18:25

Hi Dear,

Which ASA software version are you using?

Is it 7.2(4)?

This turned out to be a Cisco software bug. We were running 7.2(4) when we experienced the failover problem but upgraded to 7.2(4)9 and this resolved the issue.

The related bugs seem to have been:

CSCsl52895 - ASA 7.2.3 number of IPSec SA not replicated in failover unit.

CSCsl82200 - IPSec not encrypting after failover

There is also another bug to be aware of: search for CSCsi18736 in the bug toolkit.

Hope it will work for you.

Please feel free to revert if the issue is still unresolved.

Kind Regards,

Sachin

jgorman1977 Mon, 04/13/2009 - 06:02

Sachin,

I was using 8.0(3), but recently upgraded to 8.0(4), and everything seems to be working correctly on failover.

Thanks
