01-06-2009 05:50 AM - edited 03-11-2019 07:33 AM
It seems each time our ASAs fail over (at least once a month), our Cisco VPN clients no longer connect, with an error 433 unknown. Our AnyConnect clients work just fine. Failing back seems to do the trick. Is there anything specific I can look for once this happens again?
01-06-2009 06:37 AM
Hey Jason
Is the connectivity to the ASA's external IP fine during this issue? Is it a layer 3 issue or something to do with the top layers (authentication, encryption, etc.)? Did you do a debug when users connect onto the failover ASA? Hope there are software licenses on the failover unit! Do a debug crypto isakmp, debug aaa authentication, etc., to see the exact error and troubleshoot from there.
Hope this helps. All the best.
Raj
04-12-2009 06:25 PM
Hi Dear,
Which ASA software version are you using?
Is it 7.2(4)?
This turned out to be a Cisco software bug. We were running 7.2(4) when we experienced the failover problem but upgraded to 7.2(4)9 and this resolved the issue.
The related bugs seem to have been:
CSCsl52895 - ASA 7.2.3 number of IPSec SA not replicated in failover unit.
CSCsl82200 - IPSec not encrypting after failover
There is also another bug to be aware of: search for CSCsi18736 in the bug toolkit.
Hope it will work for you.
Please feel free to revert if the issue is still unresolved.
Kind Regards,
Sachin
04-13-2009 06:02 AM
Sachin,
I was using 8.0(3), but recently upgraded to 8.0(4), and everything seems to be working correctly on failover.
Thanks