01-06-2009 05:50 AM - edited 03-11-2019 07:33 AM
It seems each time our ASAs fail over (at least once a month), our Cisco VPN clients no longer connect, with an error 433 unknown. Our AnyConnect clients work just fine. Failing back seems to do the trick. Is there anything specific I can look for once this happens again?
01-06-2009 06:37 AM
Hey Jason
Is the connectivity to the ASA's external IP fine during this issue? Is it a layer 3 issue or something to do at the top layers (authentication, encryption, etc.)? Did you do a debug when users connect onto the failover ASA? Hope there are software licenses on the failover unit! Do a debug crypto isakmp, debug aaa authentication, etc., to see the exact error and troubleshoot from there.
Hope this helps. All the best.
Raj
04-12-2009 06:25 PM
Hi Dear,
Which ASA software version are you using?
Is it 7.2(4)?
This turned out to be a Cisco software bug. We were running 7.2(4) when we experienced the failover problem but upgraded to 7.2(4)9 and this resolved the issue.
The related bugs seem to have been:
CSCsl52895 - ASA 7.2.3 number of IPSec SA not replicated in failover unit.
CSCsl82200 - IPSec not encrypting after failover
There is also another bug to be aware of: search for CSCsi18736 in the bug toolkit.
Hope it will work for you.
Please feel free to revert if the issue is still unresolved.
Kind Regards,
Sachin
04-13-2009 06:02 AM
Sachin,
I was using 8.0(3), but recently upgraded to 8.0(4), and everything seems to be working correctly on failover.
Thanks