New Member

SA520 dropping rdp and telnet sessions over site to site IPSEC VPN

Session problem is on a site to site IPSEC VPN between an SA520 and an ASA 5520. The 5520 has numerous other IPSEC VPNs that do not experience this problem. Only the connection with the SA520. This is the only SA520 in the environment, all other devices are ASAs.

RDP and telnet clients are dropping sessions after the session has been established. The circuits on both sides of the site to site VPN are stable and error-free. A continuous ping between the clients and servers remains up and connected with excellent response times. The problem only seems to affect connection-based sessions; connection-less sessions like ping perform fine.

Attached is network diagram

Here is error message from ASA at head end.

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x2F469D44, sequence number= 0x29B8) from 66.167.8.26 (user= 66.167.8.26) to 8.192.40.4.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 216.115.208.199, its source as 10.10.10.65, and its protocol as 6.  The SA specifies its local proxy as 10.1.0.0/255.255.255.0/0/0 and its remote_proxy as 10.10.10.0/255.255.255.0/0/0.

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x2F469D44, sequence number= 0x29B9) from 66.167.8.26 (user= 66.167.8.26) to 8.192.40.4.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 216.115.208.199, its source as 10.10.10.65, and its protocol as 6.  The SA specifies its local proxy as 10.1.0.0/255.255.255.0/0/0 and its remote_proxy as 10.10.10.0/255.255.255.0/0/0.

I have rebooted the SA520 thinking that perhaps the translations table was corrupt, but the problem remains. The SA 520 is running firmware version 1.1.21.

Suggestions?
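An added example, not part of the original post: a small parser for the %ASA-4-402116 messages quoted above that checks the inner packet's addresses against the proxy networks of the SA and reports which selector fails. The function names and the reading of the field layout are assumptions based only on the two log lines shown.

```python
import ipaddress
import re
from collections import Counter

# The two 402116 messages quoted in the post; they differ only in sequence number.
TEMPLATE = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x2F469D44, "
    "sequence number= {seq}) from 66.167.8.26 (user= 66.167.8.26) to 8.192.40.4.  "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA.  "
    "The packet specifies its destination as 216.115.208.199, its source as "
    "10.10.10.65, and its protocol as 6.  The SA specifies its local proxy as "
    "10.1.0.0/255.255.255.0/0/0 and its remote_proxy as 10.10.10.0/255.255.255.0/0/0."
)
LINES = [TEMPLATE.format(seq=s) for s in ("0x29B8", "0x29B9")]

PATTERN = re.compile(
    r"%ASA-4-402116:.*?sequence number= (?P<seq>0x[0-9A-Fa-f]+)\).*?"
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\..*?"
    r"local proxy as (?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ "
    r"and its remote_proxy as (?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+"
)

def parse_402116(line):
    """Return the inner-packet fields and whether each proxy selector matches."""
    m = PATTERN.search(line)
    if m is None:
        return None  # not a 402116 message
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    local = ipaddress.ip_network(f"{m['lnet']}/{m['lmask']}")
    remote = ipaddress.ip_network(f"{m['rnet']}/{m['rmask']}")
    # The ASA received this packet, so the inner source must fall inside the
    # remote proxy and the inner destination inside the local proxy.
    return {
        "seq": int(m["seq"], 16), "protocol": int(m["proto"]),
        "src": str(src), "dst": str(dst),
        "src_in_remote_proxy": src in remote,
        "dst_in_local_proxy": dst in local,
    }

def summarize(lines):
    """Count rejected flows by (source, destination, protocol, failed selector)."""
    counts = Counter()
    for rec in filter(None, map(parse_402116, lines)):
        failed = [k for k in ("src_in_remote_proxy", "dst_in_local_proxy") if not rec[k]]
        counts[(rec["src"], rec["dst"], rec["protocol"], ",".join(failed))] += 1
    return counts

if __name__ == "__main__":
    for flow, n in summarize(LINES).items():
        print(n, flow)
```

For the two quoted messages, the inner source 10.10.10.65 is inside the remote proxy 10.10.10.0/24, while the inner destination 216.115.208.199 is outside the local proxy 10.1.0.0/24.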

3 REPLIES
Cisco Employee

Re: SA520 dropping rdp and telnet sessions over site to site IPS

Hi akeyr,

Please update your firmware to the latest release version 1.1.65 as we have addressed many issues including RDP over IPSec tunnel issues.

Please visit the Cisco support/download page for the SA 500 series to obtain the latest firmware and see release notes of issues addressed.

http://www.cisco.com/en/US/products/ps9932/tsd_products_support_series_home.html

It is recommended you back up your configuration first before upgrading. Open the web configuration utility of your SA 520, and go to the Administration -> Firmware & Configuration -> Network page. Click the Backup button to save your current config.

Then proceed to upgrade your firmware to version 1.1.65 on the same web configuration utility page.

Best regards,

Julio

New Member

Re: SA520 dropping rdp and telnet sessions over site to site IPS

Thanks I suspected as much. I understand the precaution of backing the configuration up.

Will the unit by default lose its config after a firmware upgrade, or should the SA520 boot up with the last config after the firmware upgrade?

Cisco Employee

Re: SA520 dropping rdp and telnet sessions over site to site IPS

Hi akeyr,

The firmware upgrade procedure will not erase your configuration. Once the firmware completes loading, your SA 520 will reboot, and the new firmware will be active, with your configuration the same as before. The 1.1.21 version will become the secondary firmware that you can roll back to.

As for the config backup, call me a scary-cat, but I always try to err on the side of caution, and never try to tempt Murphy's Law to sneak up with a power outage, file transfer interruption or what-not. This way you can always be up and running right up to the moment preceding the upgrade.

Cheers,

Julio
