
New Member

ASA 5505 SSL VPN LOG failed

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.

%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293

%ASA-6-113012: AAA user authentication Successful : local database : user = admin

%ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin

%ASA-6-113008: AAA transaction status ACCEPT : user = admin

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin

%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile

%ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy

%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.

%ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)

%ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.

%ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.

What is the reason for the red error? It only appears on the Windows 2003 server.

5 REPLIES
VIP Purple

Re: ASA 5505 SSL VPN LOG failed

You probably have this in your config:

group-policy SSLCLientPolicy attributes

  vpn-simultaneous-logins 2

And the two allowed simultaneous logins are reached. Either use a different username or increase this limit.

EDIT:

I just saw in your config that the above is *not* the reason! You don't have a license to use more than two SSL sessions. For that you need the AnyConnect Premium or the AnyConnect Essentials license. Neither is applied to the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

ASA 5505 SSL VPN LOG failed

Thanks!!!

But...

Fault: the old way

Logging: the old way

 

New Member

ASA 5505 SSL VPN LOG failed

ciscoasa# show   activation-key 
Serial Number:  JMX1314Z1UV
Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 

This platform has a Base license.

The flash activation key is the SAME as the running key.
ciscoasa#

Are you sure it was a license question?

ASA 5505 SSL VPN LOG failed

Hello Shikun,

Here is the thing that Karsten is telling you:

SSL VPN Peers                  : 2        

This means that there can be only two SSL sessions to your ASA, until one of them gets closed you could initiate a new session.

You can disconnect all the sessions and give it a try to see it working.

Command to check how many SSL sessions exist to our ASA:

sh vpn-sessiondb webvpn

Command to clear the current SSL session on our ASA:

vpn-sessiondb logoff webvpn

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
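An added example, not written by any poster in this thread: a small Python triage script that pulls the 716023 "session limit reached" events out of ASA syslog text and compares the limit in each message with the "SSL VPN Peers" count from `show activation-key`. The sample inputs are constructed from the lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, shaped like the syslog lines and the
# "show activation-key" output quoted earlier in this thread.
SAMPLE_LOG = """\
%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
"""
SAMPLE_LICENSE = """\
SSL VPN Peers                  : 2
Total VPN Peers                : 10
AnyConnect Essentials          : Disabled
"""

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
LIMIT_RE = re.compile(
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"Session could not be established: session limit of (?P<limit>\d+) reached")

def parse_license(text):
    """Return {feature: value} from the 'Name : value' lines of the license table."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip()] = value.strip()
    return out

def session_limit_events(log_text):
    """Extract group, user, ip and limit from every 716023 message."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        d = LIMIT_RE.search(m["text"]) if m and m["id"] == "716023" else None
        if d:
            events.append({**d.groupdict(), "limit": int(d["limit"])})
    return events

def triage(log_text, license_text):
    """Flag whether each rejected session hit a limit equal to the licensed peer count."""
    peers = parse_license(license_text).get("SSL VPN Peers")
    peers = int(peers) if peers and peers.isdigit() else None
    return [{**e, "licensed_peers": peers, "matches_license": e["limit"] == peers}
            for e in session_limit_events(log_text)]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_LICENSE):
        print(row)
```

A limit that differs from the licensed peer count points back at the group policy's `vpn-simultaneous-logins` value rather than the license.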
New Member

ASA 5505 SSL VPN LOG failed

Command to check how many SSL sessions exist to our ASA:

sh vpn-sessiondb webvpn

ciscoasa# show vpn-sessiondb webvpn 
INFO: There are presently no active sessions

ciscoasa# show ssl 

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: aes128-sha1

Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 aes256-sha1 null-sha1

No SSL trust-points configured

Certificate authentication is not enabled

The use of aes128-sha1 win2003server even web interface are not open!
