First IPSEC client takes long time to get loginprompt on new ASA5510.

robert-olsson
Level 1

Hi all,

I have a newly installed ASA5510 that will replace an existing 5510 in production.

New Version is 8.2(2)9. Security plus license.

My problem is that the first VPN client connecting to this new device takes about 6 seconds to connect and get the login prompt. Since we have backup VPN servers configured, the client will time out and get transferred to one of these backup servers in another part of the world. I believe the timeout for using the backup servers is 5 seconds.

If the client disconnects and tries to connect again within 10 minutes, he will get into the first ASA just fine.

But if he waits more than 10 minutes between disconnect and reconnect, he will get transferred to the backup VPN server again.

Checking the log on the client shows nothing more than there is no reply from the server.

Checking the server with basic debugging, I cannot find anything obvious either.

I have checked ARP by pinging the ASA first on both the inside and outside interfaces, and I can see that there are entries in the ARP cache for the gateways.

Maybe this is standard behavior for the first VPN client on an ASA5510, that it has to load the certificate store, VPN daemons etc. into memory. Then I have no major problem when putting it into production, but it seems strange and I cannot find anything related to this in any documents.

Any comments or ideas are appreciated.

Reg

//R

1 Reply

Jason Gervia
Cisco Employee

Hello,

We would need to look at ISAKMP debugging (debug crypto isakmp 127) and debug aaa common 255 - but typically I've seen this scenario if the group that the ASA is connecting to is timing out the first AAA server, and then when it can reach the second AAA server (after marking the first one dead), you get prompted for username/password in the client.

After a while, the AAA server gets marked as 'alive' again so that it's not dead, and the issue recurs.

Of course, this is only a guess given that I don't have your configuration, but it's one of the scenarios that fits what you are describing.

--Jason
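The AAA-server fallback scenario described in the reply above can be modelled to check whether it reproduces the symptoms in the question (a delay on the first connection, a fast reconnect within roughly 10 minutes, then the delay again). The simulation below is an added example and is not code from the thread or from Cisco; the class and function names are my own, and the parameters (a 6-second per-server timeout on an unreachable primary, a 10-minute dead time, which is the ASA default for depletion-mode reactivation) are assumptions chosen to match the figures in the post, not values taken from the asker's configuration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AaaServer:
    """One server in an ASA-style aaa-server group (hypothetical model)."""
    name: str
    reachable: bool
    timeout_s: float      # seconds the ASA waits for a reply before giving up
    retries: int = 0      # extra attempts before the server is marked failed


@dataclass
class AaaServerGroup:
    """Depletion-style fallback: a server that times out is skipped for
    `deadtime_min` minutes, after which it is tried again."""
    servers: List[AaaServer]
    deadtime_min: float = 10.0          # assumed ASA default dead time
    dead_until: Dict[str, float] = field(default_factory=dict)

    def authenticate(self, now_s: float) -> Tuple[float, Optional[str]]:
        """Return (seconds spent waiting, name of the server that answered).
        `now_s` is the wall-clock time of the client's connection attempt."""
        elapsed = 0.0
        for srv in self.servers:
            if self.dead_until.get(srv.name, -1.0) > now_s:
                continue                      # marked dead: skipped at no cost
            if srv.reachable:
                return elapsed, srv.name
            # Unreachable: every attempt burns the full timeout, then the
            # server is marked dead until the dead time expires.
            elapsed += srv.timeout_s * (srv.retries + 1)
            self.dead_until[srv.name] = now_s + elapsed + self.deadtime_min * 60
        return elapsed, None                  # all servers failed


def client_falls_back(wait_s: float, client_timeout_s: float = 5.0) -> bool:
    """True if the VPN client gives up on this gateway and moves to its
    configured backup server before the login prompt arrives."""
    return wait_s > client_timeout_s


def simulate(attempt_times_s=(0.0, 60.0, 900.0)) -> List[Tuple[float, float, Optional[str]]]:
    """Constructed scenario: primary RADIUS server unreachable with a 6 s
    timeout, backup server healthy. Connection attempts at t=0, t=1 min
    and t=15 min. Returns (attempt time, wait, answering server)."""
    group = AaaServerGroup(servers=[
        AaaServer("primary-radius", reachable=False, timeout_s=6.0),
        AaaServer("backup-radius", reachable=True, timeout_s=6.0),
    ])
    results = []
    for t in attempt_times_s:
        wait, server = group.authenticate(t)
        results.append((t, wait, server))
    return results


if __name__ == "__main__":
    for t, wait, server in simulate():
        verdict = "client falls back to backup VPN gateway" if client_falls_back(wait) else "login prompt shown"
        print(f"t={t/60:5.1f} min  waited {wait:4.1f} s  answered by {server}  -> {verdict}")
```

The output reproduces the post's pattern: the first attempt waits the full 6 seconds on the dead primary (longer than the client's 5-second gateway timeout, so the client moves to the backup VPN server), a reconnect one minute later is answered immediately because the primary is still marked dead, and an attempt after the 10-minute dead time waits 6 seconds again. On a real ASA the equivalent check is `show aaa-server` to see whether a server in the group flips between ACTIVE and FAILED, which is what the reply suggests confirming with the ISAKMP and AAA debugs.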
