04-24-2015 05:32 AM
Hi there...
When updating my ASA from 8.4(7)3 to 8.4(7)26 I got problems with VPNs from FRITZ!Boxes to ASA.
It worked fine for many months but with (7)26 the ASA refuses the connection attempts:
"...Aborting Connection: IKEv1 RA client which did not request an assigned IP is attempting to establish a phase 2 SA for 10.11.12.0."
It never requested an IP before because it is working with NEM and ASA didn't complain about it.
Downgrading to 8.4(7)3 solved the problem immediately.
What has changed from (7)3 to (7)26 in the way ASA handles NEM VPNs?
Does anybody know?
04-24-2015 05:51 PM
Does this help?
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html
04-27-2015 03:00 AM
Surely I have already checked Release Notes.
Because ASA's behaviour changed from one to another Interim Release (8.4(7)3 --> 8.4(7)26) I also checked
http://www.cisco.com/web/software/280775065/107031/ASA-847-Interim-Release-Notes.html
But I can't find anything that would describe a change explaining my problem.
Or did I miss something?
06-29-2015 08:30 AM
Meanwhile the cause is found.
With the fix of CSCuo45321 Cisco intentionally excludes third party devices from establishing a VPN to ASA.
Excerpt of description: "Workaround: Stop using non-cisco ikev1 clients that exhibit this behavior."
My opinion: This is something between brazen and ignorant...