ASA 5520 running ver 8.0(2) suddenly stops allocating address to VPN client

indra
Level 1

hi,

I have been noticing this issue of the ASA not being able to assign IP addresses to the RA VPN clients from its local pool. The same config used to work without any issues, but suddenly it has stopped working. Earlier I also faced the same issue but got it resolved by using a separate /24 subnet for the address pool, as sometimes VLSM creates problems with the VPN address pool. Below is the config which used to work fine and is still running. Can someone please help urgently? It has become a show stopper. Is there any bug related to this?

========================================================================
object-group network RA_VPN_ADD_POOL
 network-object 172.16.20.0 255.255.255.0
ip local pool CogVpnPool 172.16.20.1-172.16.20.254 mask 255.255.255.0
crypto ipsec transform-set CogVPNSet esp-aes-256 esp-sha-hmac
crypto dynamic-map RAVPNMAP 1 set pfs
crypto dynamic-map RAVPNMAP 1 set transform-set CogVPNSet
crypto map vpnmap 1 ipsec-isakmp dynamic RAVPNMAP
crypto map vpnmap interface public
crypto isakmp enable public
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local
group-policy CogVpnUsers internal
group-policy CogVpnUsers attributes
 banner value ************************
 dns-server value ************
 vpn-tunnel-protocol IPSec
 default-domain value *********.com
 address-pools value CogVpnPool
tunnel-group CogVpnUsers type remote-access
tunnel-group CogVpnUsers general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy CogVpnUsers
tunnel-group CogVpnUsers ipsec-attributes
 pre-shared-key *
========================================================================
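The original post mentions that a VLSM mismatch between the address pool and its subnet has caused pool trouble before. As an added sanity check (not part of the thread and not a Cisco tool), the script below parses the `ip local pool` and `network-object` lines from the config above (embedded as a constructed sample) and flags a pool whose range does not fit the mask it declares, or whose covering network-object uses a different mask:

```python
import ipaddress
import re

# Constructed sample: the pool-related lines copied from the config in the post.
SAMPLE_CONFIG = """\
object-group network RA_VPN_ADD_POOL
 network-object 172.16.20.0 255.255.255.0
ip local pool CogVpnPool 172.16.20.1-172.16.20.254 mask 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
NETOBJ_RE = re.compile(r"^\s*network-object (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", re.M)


def parse_pools(config):
    """Map pool name -> (first address, last address, dotted mask)."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)),
                         ipaddress.ip_address(m.group(3)), m.group(4))
            for m in POOL_RE.finditer(config)}


def parse_networks(config):
    """Every network-object line as an ip_network (ASA uses dotted masks)."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in NETOBJ_RE.finditer(config)]


def check_pool(config, pool_name):
    """Return a list of findings; an empty list means the pool is consistent."""
    pools = parse_pools(config)
    if pool_name not in pools:
        return [f"pool {pool_name} not defined"]
    first, last, mask = pools[pool_name]
    findings = []
    if first > last:
        findings.append("pool start address is after the end address")
    # Subnet implied by the pool's own mask, anchored on its first address.
    pool_net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    if last not in pool_net:
        findings.append(f"last address {last} falls outside {pool_net} implied by mask {mask}")
    if first == pool_net.network_address or last == pool_net.broadcast_address:
        findings.append("pool includes the network or broadcast address")
    covering = [n for n in parse_networks(config) if first in n and last in n]
    if not covering:
        findings.append("no network-object covers the whole pool range")
    for n in covering:
        if n.netmask != pool_net.netmask:
            findings.append(f"network-object {n} mask differs from pool mask {mask}")
    return findings


if __name__ == "__main__":
    print(check_pool(SAMPLE_CONFIG, "CogVpnPool") or "CogVpnPool: consistent")
```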

3 Replies

indra
Level 1

Also, I have noticed that this problem occurs only when there is a failover switchover, and it only works if a new IP segment is used. Please help.

Hi,

We've seen this on non-failover ASAs running v804 and 821.

Cheers

Chris

OK, thanks, but I resolved this issue. In my case the failover was configured to be replicated over the HTTP protocol, which was not able to properly sync the pair for this IP address pool. Once I set the replication back to the default, the problem got resolved.

Thanks for your time and suggestions.
