Cisco Support Community
New Member

Very strange Client VPN issue on A/S setup

Encountered this issue twice so far. When failover occurs between two ASA 5510s, the local IP pool for remote access users no longer works. I have to remove the pool and change the addresses to a different subnet for them to start working again; otherwise I get error 443, "unable to obtain IP address for client". There is also a PtP connection to another site that is working just fine on failover, but for some odd reason the client connections suffer from this.

9 REPLIES

Re: Very strange Client VPN issue on A/S setup

Hello Todd,

Can you tell us the IOS version installed on the firewalls? Most probably you are hitting a bug.

Regards

New Member

Re: Very strange Client VPN issue on A/S setup

8.0(3)

Re: Very strange Client VPN issue on A/S setup

Is this a stateful failover? I located a bug close to your issue that occurs if the address pool is defined in the group-policy. If you have the VPN pool defined in the group-policy, remove it and define it under the tunnel-group.

Regards

New Member

Re: Very strange Client VPN issue on A/S setup

Thanks, I will give it a try and see if that corrects it. It is stateful failover and it is in the group policy.

Re: Very strange Client VPN issue on A/S setup

Hello Todd,

Any update?

New Member

Re: Very strange Client VPN issue on A/S setup

Actually, yes, I have one. There was a failover today and it happened again, even with the pool in the tunnel-group. What is interesting is that when I switched the active back to the primary unit, VPN started working again. Will upgrading to 8.0(4) correct this?

On a side note, failover is sweet; had it not been for this VPN problem, we would have never known it failed over.

Cisco Employee

Re: Very strange Client VPN issue on A/S setup

Hi,

I think your issue is very similar to the one documented in the bug ID below. But the interesting part is, if you had configured the VPN pool under the tunnel-group, it should have worked after FO. Having said that, if possible, I would upgrade the ASA to 8.0(4), which has the fix for the bug below, and then do the testing again.

CSCsm82887: FO: IPSec RA session not replicated if addr pool defined in group policy

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/arn804n.html

Regards,

Arul

*Pls rate if it helps*

New Member

Re: Very strange Client VPN issue on A/S setup

Just discovered another issue with VPN. The NAT traversal keeps getting disabled. I checked our ACS logs, and at no time was "no nat-traversal" issued on either device. Could this be related to the bug?

Re: Very strange Client VPN issue on A/S setup

I have already mentioned Arul's suggestion.

Todd, first make sure the nat-traversal command was/is already replicated to the standby. If it was, then try upgrading your IOS.

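Added example, not from any post in this thread: the two pool placements the replies compare (pool attached to the group-policy, which the bug title describes, versus pool attached to the tunnel-group, which the replies recommend), the nat-traversal line the last two posts discuss, and the checks to run on each unit after a change. The pool, group-policy and tunnel-group names and the 10.20.30.0/24 range are assumptions chosen for illustration; the command syntax is ASA 8.0.

```text
! Names and addresses below are assumed for this example.
ip local pool RA-POOL 10.20.30.1-10.20.30.50 mask 255.255.255.0
!
! Placement the replies say to move away from: pool assigned in the group-policy.
! This is the configuration the CSCsm82887 title refers to.
group-policy RA-GP internal
group-policy RA-GP attributes
 address-pools value RA-POOL
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 default-group-policy RA-GP
!
! Placement the replies recommend: remove the pool from the group-policy
! and assign it on the tunnel-group instead.
group-policy RA-GP attributes
 no address-pools value RA-POOL
!
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
!
! NAT traversal, which the last two posts say kept getting disabled.
! The 20 is the keepalive interval in seconds.
crypto isakmp nat-traversal 20
!
! Checks from the active unit after the change:
write standby                       ! push the running config to the standby now
show failover                       ! state of both units and that sync completed
show ip local pool RA-POOL          ! addresses in use vs. free
show vpn-sessiondb remote           ! remote-access sessions on the active unit
!
! Checks on the standby unit's own console:
show running-config crypto isakmp   ! "crypto isakmp nat-traversal 20" must be here too
show vpn-sessiondb remote           ! compare with the active; a session present there
                                    ! but missing here is what the bug title describes
```

The trailing `!` comments are for reading only; when pasting into the CLI, enter each command on its own line without them. If the nat-traversal line is present on the active but absent from the standby after `write standby`, config replication itself is the problem, which is the first thing the last reply says to rule out before upgrading.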