SA520 dropping rdp and telnet sessions over site to site IPSEC VPN
Session problem is on a site to site IPSEC VPN between an SA520 and an ASA 5520. The 5520 has numerous other IPSEC VPNs that do not experience this problem. Only the connection with the SA520. This is the only SA520 in the environment, all other devices are ASAs.
RDP and telnet clients are dropping sessions after session has been established. The circuits on both sides of the site to site VPN are stable and error-free. A continuous ping between the clients and servers remains up and connected with excellent response times. The problem only seems to affect connection-based sessions, connectionless sessions like ping perform fine.
Attached is network diagram
Here is error message from ASA at head end.
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x2F469D44, sequence number= 0x29B8) from 22.214.171.124 (user= 126.96.36.199) to 188.8.131.52. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 184.108.40.206, its source as 10.10.10.65, and its protocol as 6. The SA specifies its local proxy as 10.1.0.0/255.255.255.0/0/0 and its remote_proxy as 10.10.10.0/255.255.255.0/0/0.
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x2F469D44, sequence number= 0x29B9) from 220.127.116.11 (user= 18.104.22.168) to 22.214.171.124. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 126.96.36.199, its source as 10.10.10.65, and its protocol as 6. The SA specifies its local proxy as 10.1.0.0/255.255.255.0/0/0 and its remote_proxy as 10.10.10.0/255.255.255.0/0/0.
I have rebooted the SA520 thinking that perhaps the translations table was corrupt, but problem remains. The SA 520 is running firmware version 1.1.21.
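Added example (not part of the original post, and not Cisco code): a small Python check that parses the %ASA-4-402116 text quoted above and reports which inner-packet field falls outside the negotiated proxy identities. It assumes each proxy reads address/mask/protocol/port with 0 meaning any; the function and variable names are illustrative.

```python
import ipaddress
import re

# Layout of the 402116 text as quoted in the post. Assumption: each proxy is
# address/mask/protocol/port, where 0 means "any".
PROXY = r"[\d.]+/[\d.]+/\d+/\d+"
PATTERN = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. The SA specifies its local proxy as "
    rf"(?P<local>{PROXY}) and its remote_proxy as (?P<remote>{PROXY})"
)

def parse_proxy(text):
    """Turn 'net/mask/proto/port' into (ip_network, protocol)."""
    net, mask, proto, _port = text.split("/")
    return ipaddress.ip_network(f"{net}/{mask}"), int(proto)

def explain_402116(line):
    """List the inner-packet fields that fall outside the negotiated SA."""
    m = PATTERN.search(line)
    if m is None:
        raise ValueError("not a 402116 message in the expected layout")
    local_net, local_proto = parse_proxy(m["local"])
    remote_net, remote_proto = parse_proxy(m["remote"])
    found = []
    # Received packet: inner destination is checked against the local proxy,
    # inner source against the remote proxy.
    if ipaddress.ip_address(m["dst"]) not in local_net:
        found.append(f"destination {m['dst']} outside local proxy {local_net}")
    if ipaddress.ip_address(m["src"]) not in remote_net:
        found.append(f"source {m['src']} outside remote proxy {remote_net}")
    proto = int(m["proto"])
    if any(p not in (0, proto) for p in (local_proto, remote_proto)):
        found.append(f"protocol {proto} not permitted by the SA")
    return found

# First log line from the post (addresses exactly as shown there).
POSTED = (
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 184.108.40.206, its source as "
    "10.10.10.65, and its protocol as 6. The SA specifies its local proxy as "
    "10.1.0.0/255.255.255.0/0/0 and its remote_proxy as 10.10.10.0/255.255.255.0/0/0."
)
# Constructed line: same SA, inner destination inside the local proxy.
CONSTRUCTED_OK = POSTED.replace("184.108.40.206", "10.1.0.20")

if __name__ == "__main__":
    for line in (POSTED, CONSTRUCTED_OK):
        print(explain_402116(line) or "matches the SA")
```

For the posted line the function reports only the destination mismatch; the source and protocol agree with the SA.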
It is recommended you back up your configuration first before upgrading. Open the web configuration utility of your SA 520, and go to the Administration -> Firmware & Configuration -> Network page. Click the Backup button to save your current config.
Then proceed to upgrade your firmware to version 1.1.65 on the same web configuration utility page.
Re: SA520 dropping rdp and telnet sessions over site to site IPS
The firmware upgrade procedure will not erase your configuration. Once the firmware completes loading, your SA 520 will reboot, and the new firmware will be active, with your configuration the same as before. The 1.1.21 version will become the secondary firmware that you can roll back to.
As for the config backup, call me a scary-cat, but I always try to err on the side of caution, and never try to tempt Murphy's Law to sneak up with a power outage, file transfer interruption or what-not. This way you can always be up and running right up to the moment preceding the upgrade.