New Member

upgrade from version 8.4 to 9.03 vpn issues

Hi all

I upgraded my ASAs from 8.4 to 9.03 3 days ago.

Today we started losing all our site-to-site VPNs.

This has happened 3 times today. They then come back up on their own; the VPNs are up but don't pass any traffic.

Any ideas?

cheers

4 REPLIES
VIP Green

upgrade from version 8.4 to 9.03 vpn issues

Have you had issues with the VPN the prior 3 days? Have you checked with your ISP to make sure it is not them that is having issues?

Have you checked the logs to see if something there might indicate what is happening?

--
Please remember to rate and select a correct answer

New Member

upgrade from version 8.4 to 9.03 vpn issues

The VPN connections have been OK since Friday.

The ISP was also OK.

The messages I saw in the logs kept saying "no ike version matches this connection" or something like that!

Any ideas?

VIP Green

upgrade from version 8.4 to 9.03 vpn issues

Would you be able to post the full error you were receiving?

Are both ends of the site-2-site tunnel terminated on ASA running version 9.1?

--
Please remember to rate and select a correct answer


upgrade from version 8.4 to 9.03 vpn issues

"no ike version matches this connection" is ambiguous; if the connection is failing to come up, it's an error and the underlying cause needs to be fixed. If you have a mix of IKE1 and IKE2 stuff and the IKE2 stuff is warning that it can't do negotiations with IKE1, but proceeding to complete negotiations, then it's not a problem. I'm with Marius: we need more configuration information and log files to provide context for advice. What other crypto-related messages are being logged?

Also, could you post sanitized versions of things like:

   sho run crypto

The amount of log information collected will go up if you can do things like:

  logging trap debugging

  logging debug-trace

  debug crypto ...

Historically Cisco has suggested debug levels of 10, 120, and 254 to me depending on what we were looking for.

-- Jim Leinweber, WI State Lab of Hygiene
