
ASA Failover VPN Issues

jgorman1977
Level 1

It seems each time our ASAs fail over (at least once a month), our Cisco VPN clients no longer connect, with an error 433 unknown. Our AnyConnect clients work just fine. Failing back seems to do the trick. Is there anything specific I can look for once this happens again?

3 Replies

sachinraja
Level 9

Hey Jason

Is the connectivity to the ASA's external IP fine during this issue? Is it a layer 3 issue or something to do with the top layers (authentication, encryption, etc.)? Did you do a debug when users connect to the failover ASA? Hope there are software licenses on the failover unit! Do a debug crypto isakmp, debug aaa authentication, etc., to see the exact error and troubleshoot from there.

Hope this helps. All the best.

Raj

sachinga.hcl
Level 4

Hi Dear,

Which ASA software version are you using?

Is it 7.2(4)?

This turned out to be a Cisco software bug. We were running 7.2(4) when we experienced the failover problem but upgraded to 7.2(4)9 and this resolved the issue.

The related bugs seem to have been:

CSCsl52895 - ASA 7.2.3 number of IPSec SA not replicated in failover unit.

CSCsl82200 - IPSec not encrypting after failover

There is also another bug to be aware of: search for CSCsi18736 in the bug toolkit.

Hope it will work for you.

Please feel free to revert if the issue is still unresolved.

Kind Regards,

Sachin

Sachin,

I was using 8.0(3), but recently upgraded to 8.0(4), and everything seems to be working correctly on failover.

Thanks
