I saw this error message on a Cisco ASA 5525-X.
Does anybody have any idea?
%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error (HWErrAddr= 0x194FE5B4, Core= 0, HwErrCode= 23, IstatReg= 0x8, PciErrReg= 0x0, CoreErrStat= 0xD, CoreErrAddr= 0x2FAFE5B4, Doorbell Size= 2048, DoorBell Outstanding= 0, Doorbell Size= 0, DoorBell Outstanding= 0, SWReset= 1536)
%ASA-4-402127: CRYPTO: The ASA is skipping the writing of latest Crypto Archive File as the maximum # of files ( 2 ) allowed have been written to < disk0:/crypto_archive >. Please archive & remove files from < disk0:/crypto_archive > if you want more Crypto Archive Files saved
According to the bug description, it would seem that there is no workaround mentioned for this.
So I guess the only thing would be to upgrade the ASA to one of the software levels that are listed as software that should correct this bug.
It's strange, though, that it lists only the 8.2 software levels as the known affected ones. But the ASA model you have does not even support that software. The first (lowest) software listed that your ASA would support is 8.6(1)2, and then there are of course the 9.x series softwares. I guess it might be possible that this is not the same bug.
You did not mention your current software level though so I am not sure what you are already running on the ASA.
I guess one important thing would also be whether you or your users are experiencing any problems with the mentioned services like VPN or Management connections?
If in doubt I guess you should really open a TAC case to get better information on your problem and the best solution to correct this.
The above log messages seem to suggest that there are 2 files in your Flash memory and the ASA will not be able to generate more files (I guess because of this error situation). You could naturally copy these files to some host/server and then remove them from the Flash to make room for new ones. At least this is what the log messages seem to suggest to do.
I think you should be able to view the contents of the folder with the command
You could then copy the files from the Flash and delete them.
I guess these files might be something that the Cisco TAC could take a look at if you open a case.
My version was 9.1.1.
When I was on this version, I deleted the 2 files, but they appeared again when I logged in to the IPSec VPN and accessed the Internet from the IPSec VPN client.
2 files that I deleted.
I upgraded the ASA to 9.1.2, and the problem still appeared.
I then upgraded the ASA to 9.1.4, and the error message disappeared; the 2 files were also gone.
The problem is I still cannot access Internet from my IPSec VPN client.
Your Internet connection problem from the VPN Client is most likely because of some configurations that you are missing.
If you are using a Full Tunnel VPN Client, that essentially means that when your VPN connection is active, all traffic is tunneled to the VPN connection.
If this is the case, then you would at least need Dynamic PAT for your VPN users.
If I were to presume that your external interface is called "outside", then a sample configuration might be like this:
object network VPN-PAT
nat (outside,outside) dynamic interface
This would do Dynamic PAT for your VPN users, which are connecting through the "outside" interface and connecting towards the "outside" interface also (Internet).
You would also have to make sure you have this command on your ASA
same-security-traffic permit intra-interface
This would enable traffic to enter and leave through the same interface. This essentially happens when your VPN user traffic is coming through the VPN connection from "outside" and is heading out to the Internet through the "outside" also.
But whether the above is the problem is impossible for me to say without more information about your current ASA configuration.
You seem to have the configurations I suggested. You have also configured a VPN Filter ACL, though you have allowed all traffic.
The problem might be that you have some other NAT configuration that is preventing these connections from working.
For example some typical ASA NAT0 configuration might even cause this problem.
You could look for a "nat" configuration that has "source static any any" and has the VPN Pool network in the "destination static" section. If you find one, it's likely that this NAT configuration is being matched when your VPN Clients try to connect to the Internet.
I would suggest having a VPN test connection to the ASA and monitoring the ASA logs through ASDM filtering for the VPN Client IP and looking what happens to the connections towards Internet. Perhaps they are blocked or perhaps the above mentioned type of NAT configuration might actually forward the traffic to the wrong interface of the ASA.
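The two checks the reply above describes (the hairpin NAT pieces a full-tunnel client needs, and a NAT0 rule with "source static any any" that names the VPN pool in its "destination static" part) can be run offline against a copy of `show running-config` before opening a TAC case. The script below is an added example written for this thread, not something from Cisco or from the original posters; the object names VPN-POOL and VPN-PAT, the 192.0.2.0/24 pool and the sample config excerpt are all constructed, and the interface name "outside" is taken from the reply. It is a plain line-based scan of the config text, not a full ASA config parser.

```python
import re

# Constructed ASA running-config excerpt (not from the original thread).
# It contains the hairpin pieces the reply asks for AND a suspect NAT0 rule.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network VPN-POOL
 subnet 192.0.2.0 255.255.255.0
object network VPN-PAT
 subnet 192.0.2.0 255.255.255.0
 nat (outside,outside) dynamic interface
nat (inside,outside) source static any any destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
"""


def parse_objects(config):
    """Collect 'object network' stanzas: their subnet and any object NAT lines."""
    objects = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw.startswith(" "):          # top-level line: starts or ends a stanza
            m = re.match(r"object network (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                objects[current] = {"subnet": None, "nat": []}
            continue
        if current is None:                  # indented line outside an object stanza
            continue
        if line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current]["subnet"] = (net, mask)
        elif line.startswith("nat "):
            objects[current]["nat"].append(line)
    return objects


def has_hairpin_permit(config):
    """True if traffic may enter and leave through the same interface."""
    return any(l.strip() == "same-security-traffic permit intra-interface"
               for l in config.splitlines())


def find_vpn_pat(objects, outside="outside"):
    """Names of objects carrying 'nat (outside,outside) dynamic interface'."""
    target = f"nat ({outside},{outside}) dynamic interface"
    return [name for name, obj in objects.items() if target in obj["nat"]]


def find_suspect_nat0(config, pool_object):
    """Top-level manual NAT rules with 'source static any any' whose
    'destination static' names the VPN pool object (the pattern the reply
    says can swallow VPN-client-to-Internet traffic)."""
    suspects = []
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") or not line.startswith("nat "):
            continue
        if "source static any any" not in line:
            continue
        m = re.search(r"destination static (\S+) (\S+)", line)
        if m and pool_object in m.groups():
            suspects.append(line)
    return suspects


def audit(config, pool_object, outside="outside"):
    """Return a list of findings; an empty list means nothing suspicious."""
    objects = parse_objects(config)
    findings = []
    if not has_hairpin_permit(config):
        findings.append("missing: same-security-traffic permit intra-interface")
    pat_objects = find_vpn_pat(objects, outside)
    if not pat_objects:
        findings.append(
            f"missing: object NAT 'nat ({outside},{outside}) dynamic interface' for the VPN pool")
    pool = objects.get(pool_object, {}).get("subnet")
    for name in pat_objects:                 # PAT object should cover the pool subnet
        if pool and objects[name]["subnet"] != pool:
            findings.append(f"warning: PAT object {name} subnet differs from pool {pool_object}")
    for rule in find_suspect_nat0(config, pool_object):
        findings.append(f"suspect NAT0 rule may match VPN-to-Internet traffic: {rule}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "VPN-POOL"):
        print(finding)
```

On the constructed excerpt the only finding is the NAT0 rule, which is exactly the case the reply describes: the hairpin permit and the (outside,outside) PAT are present, but a "source static any any ... destination static VPN-POOL VPN-POOL" rule sits above them. Feed it your own config text and the pool object name, and compare the findings with what ASDM shows for a test client's connections.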
The IPSec VPN client problem is related to the ASA version. I had tried 9.1.1, 9.1.2 and 9.1.4. All version 9 releases will cause the problem.
I downgraded the ASA version to 8.6.1, and the problem disappeared.
I will log a case to Cisco via my vendor.
Thanks all for the discussion.