Community Member

ASA 5520 with VPN ISAKMP issues

We have two ASA 5520s (running 7.2.3 as A/S) configured for Cisco Client VPN, but when we try to connect via the VPN Client we don't seem to pass any ISAKMP traffic to the outside port.

The Debug Crypto ISAKMP displays "[IKEv1]: IKE receiver: Local unit is failover enabled but is not currently active."

Our two ASAs are configured for A/S and the primary is the active ASA.

PG-ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FailoverLink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(3), Mate 7.2(3)
Last Failover at: 07:53:35 EST Nov 17 2007
        This host: Primary - Active
                Active time: 4086465 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/7.2(3)) status (Up Sys)
                  Interface Outside (1.1.1.1): Normal
                  Interface inside (172.16.50.150): Normal
                  Interface DMZ (10.1.1.1): Normal
                  Interface management (172.31.16.253): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/7.2(3)) status (Up Sys)
                  Interface Outside (1.1.1.2): Normal
                  Interface inside (172.16.50.152): Normal
                  Interface DMZ (10.1.1.2): Normal
                  Interface management (172.31.16.252): Normal
                slot 1: empty

The sh crypto ISAKMP Stat shows "In Drop Packets: 170"; this climbs by 4 with every try to VPN in with the client.

This same config and client works fine in a 3030 concentrator, but we would like to move to the ASA and use the 3030 concentrator as a backup. Any help on this issue?

2 REPLIES
Silver

Re: ASA 5520 with VPN ISAKMP issues

The solution to this problem is to reboot the ASA or re-enable failover on both boxes. This is a failover issue, as the IKE receiver thinks that the Primary (Active) ASA is not Active. This issue is similar to Cisco bug CSCef16655.
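
The symptom described in this thread can be checked mechanically. The following is an added example, not part of the original posts and not Cisco code: it compares the state reported by `sh failover` with the IKE receiver debug message and the "In Drop Packets" counter. The function names and the abbreviated sample input are assumptions constructed from the output quoted above.

```python
import re

# Constructed sample input, abbreviated from the output quoted in this thread.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
This host: Primary - Active
Other host: Secondary - Standby Ready
"""
DEBUG_LINES = ["[IKEv1]: IKE receiver: Local unit is failover enabled "
               "but is not currently active."]
IKE_NOT_ACTIVE = "Local unit is failover enabled but is not currently active"


def parse_failover(text):
    """Return whether failover is on and the (role, state) of each unit."""
    state = {"enabled": None, "this": None, "other": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Failover (On|Off)\b", line)
        if m:
            state["enabled"] = m.group(1) == "On"
            continue
        m = re.match(r"(This|Other) host:\s*(\w+)\s*-\s*(.+)", line)
        if m:
            state[m.group(1).lower()] = (m.group(2), m.group(3).strip())
    return state


def in_drops(stats_text):
    """Extract the 'In Drop Packets' counter, or None if it is absent."""
    m = re.search(r"In Drop Packets:\s*(\d+)", stats_text)
    return int(m.group(1)) if m else None


def diagnose(show_failover, debug_lines, stats_before="", stats_after=""):
    """Flag the case where failover says Active but IKE says not active."""
    fo = parse_failover(show_failover)
    before, after = in_drops(stats_before), in_drops(stats_after)
    delta = None if before is None or after is None else after - before
    if not any(IKE_NOT_ACTIVE in line for line in debug_lines):
        verdict = "no-ike-failover-message"
    elif fo["enabled"] and fo["this"] and fo["this"][1] == "Active":
        verdict = "state-mismatch"          # the situation in this thread
    else:
        verdict = "consistent-with-standby"  # message agrees with reported state
    return {"verdict": verdict, "failover": fo, "in_drop_delta": delta}
```

A `state-mismatch` verdict together with a drop counter that rises on each connection attempt matches what the original poster reported.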

Community Member

Re: ASA 5520 with VPN ISAKMP issues

There is no information available about this bug. Were you able to find any additional workaround other than resetting the firewalls?

Thanks,

OScar Perez
