ASA 8.4(7)26 vs FRITZ!Box VPN

stephan.ochs
Level 1

Hi there...

 

When updating my ASA from 8.4(7)3 to 8.4(7)26 I got problems with VPNs from FRITZ!Boxes to ASA.
It worked fine for many months but with (7)26 the ASA refuses the connection attempts:

"...Aborting Connection: IKEv1 RA client which did not request an assigned IP is attempting to establish a phase 2 SA for 10.11.12.0."

It never requested an IP before because it is working with NEM and ASA didn't complain about it.

Downgrading to 8.4(7)3 solved the problem immediately.

What has changed from (7)3 to (7)26 in the way ASA handles NEM VPNs?

Does anybody know?

3 Replies

ArchiTech89
Level 1

Does this help?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html

 

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

Surely I have already checked the Release Notes.
Because the ASA's behaviour changed from one Interim Release to another (8.4(7)3 --> 8.4(7)26), I also checked
http://www.cisco.com/web/software/280775065/107031/ASA-847-Interim-Release-Notes.html

But I can't find anything that would describe a change explaining my problem.

Or did I miss something?

stephan.ochs
Level 1

Meanwhile the cause is found.

With the fix of CSCuo45321 Cisco intentionally excludes third-party devices from establishing a VPN to the ASA.
Excerpt from the description: "Workaround: Stop using non-cisco ikev1 clients that exhibit this behavior."

My opinion: This is something between brazen and ignorant...