I’m running a Cisco 3845 with an AIM-VPN/SSL-3 Module. My WAN Interface (a DSL Connection) is configured with NAT overload. This is also the interface where the sslvpn connection is terminating. If a user connects from the internet to the SSLVPN in full tunnel mode and uses the internet, a buffer leak occurs in the middle pool and after a certain time the router crashes. The IOS which is running on the device is c3845-adventerprisek9-mz.151-4.M7.bin. I also tried out the latest Version c3845-adventerprisek9-mz.151-4.M8.bin but it doesn't make any difference.
sh buffers

Buffer elements:
     674 in free list (500 max allowed)
     3064635 hits, 0 misses, 617 created

Public buffer pools:
Small buffers, 104 bytes (total 183, permanent 150, peak 183 @ 01:03:44):
     176 in free list (50 min, 300 max allowed)
     959716 hits, 194 misses, 13 trims, 46 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 823, permanent 400, peak 823 @ 00:45:03):
     458 in free list (400 min, 800 max allowed)
     91468 hits, 225 misses, 69 trims, 492 created
     0 failures (0 no memory)
Big buffers, 1536 bytes (total 741, permanent 500, peak 773 @ 01:03:46):
     685 in free list (500 min, 1000 max allowed)
     1333349 hits, 519 misses, 75 trims, 316 created
     0 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 45, permanent 45, peak 48 @ 04:16:10):
     44 in free list (35 min, 65 max allowed)
     183629 hits, 1 misses, 3 trims, 3 created
     0 failures (0 no memory)
Large buffers, 5024 bytes (total 35, permanent 35, peak 36 @ 04:16:10):
     35 in free list (25 min, 65 max allowed)
     0 hits, 0 misses, 1 trims, 1 created
     0 failures (0 no memory)
Huge buffers, 18024 bytes (total 4, permanent 4, peak 5 @ 04:16:10):
     4 in free list (2 min, 8 max allowed)
     0 hits, 0 misses, 1 trims, 1 created
     0 failures (0 no memory)
The 'sh buffers' output above is quite fresh after a reload of the device. When users generate a lot of traffic to the internet from a full tunnel connection, the used buffers in the middle pool rise until no I/O memory is left on the device. I can check this with 'show memory statistics history':
Ok, it looks like the sslvpn code is broken in IOS 15.1(4)M - see CSCug17485. However, the memory leak only occurs if clients connect from the internet to the NAT-enabled WAN interface and generate bulk traffic. If I connect from the inside of the network to the webvpn server (same interface) and generate traffic, everything is fine.
IOS 15.0 doesn't have this issue, but there I can't get Windows 7 clients to authenticate properly using the AnyConnect client. First I got the error message "anyconnect cannot confirm it is connected to your secure gateway". After some research I tried to import the certificate by hand, and the next error message I got is "anyconnect connection attempt has failed due to network or pc issue". I deleted all temp files associated with AnyConnect, checked firewall and antivirus, reinstalled the client and tried different versions, but no success. Anyway, a connection from an Android mobile device with the latest AnyConnect client works fine.
Anybody an idea how to get this up & running on IOS 15.0-1.M10?
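The thread above tracks the leak by watching the Middle pool in 'show buffers' grow between reloads. The following script is an added example (not from the poster or from Cisco) that parses that output, computes the in-use count per pool (total minus free list), flags pools that already exceed their 'max allowed' or report allocation failures, and reports pools whose in-use count rises across successive samples. The first sample is the output quoted in the post; the two later samples are constructed by editing the Middle pool's numbers to imitate the growth described, and the 50-buffer growth threshold is an arbitrary assumption.

```python
import re
from typing import Dict, List

# Sample 0: the 'Public buffer pools' part of the 'show buffers' output quoted
# in the post above, with each pool split onto its own lines.
SAMPLE_T0 = """\
Public buffer pools:
Small buffers, 104 bytes (total 183, permanent 150, peak 183 @ 01:03:44):
     176 in free list (50 min, 300 max allowed)
     959716 hits, 194 misses, 13 trims, 46 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 823, permanent 400, peak 823 @ 00:45:03):
     458 in free list (400 min, 800 max allowed)
     91468 hits, 225 misses, 69 trims, 492 created
     0 failures (0 no memory)
Big buffers, 1536 bytes (total 741, permanent 500, peak 773 @ 01:03:46):
     685 in free list (500 min, 1000 max allowed)
     1333349 hits, 519 misses, 75 trims, 316 created
     0 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 45, permanent 45, peak 48 @ 04:16:10):
     44 in free list (35 min, 65 max allowed)
     183629 hits, 1 misses, 3 trims, 3 created
     0 failures (0 no memory)
Large buffers, 5024 bytes (total 35, permanent 35, peak 36 @ 04:16:10):
     35 in free list (25 min, 65 max allowed)
     0 hits, 0 misses, 1 trims, 1 created
     0 failures (0 no memory)
Huge buffers, 18024 bytes (total 4, permanent 4, peak 5 @ 04:16:10):
     4 in free list (2 min, 8 max allowed)
     0 hits, 0 misses, 1 trims, 1 created
     0 failures (0 no memory)
"""

# Samples 1 and 2 are constructed (hypothetical values, not from the post):
# only the Middle pool keeps growing, every other pool stays flat.
SAMPLE_T1 = (SAMPLE_T0
             .replace("total 823, permanent 400, peak 823", "total 1100, permanent 400, peak 1100")
             .replace("458 in free list (400 min", "440 in free list (400 min"))
SAMPLE_T2 = (SAMPLE_T1
             .replace("total 1100, permanent 400, peak 1100", "total 1400, permanent 400, peak 1400")
             .replace("440 in free list (400 min", "430 in free list (400 min"))

POOL_RE = re.compile(r"^(\w+) buffers, (\d+) bytes \(total (\d+), permanent (\d+), peak (\d+)")
FREE_RE = re.compile(r"^\s*(\d+) in free list \((\d+) min, (\d+) max allowed\)")
FAIL_RE = re.compile(r"^\s*(\d+) failures \((\d+) no memory\)")


def parse_show_buffers(text: str) -> Dict[str, Dict[str, int]]:
    """Return {pool name: {size, total, permanent, peak, free, min, max, used, failures, no_memory}}."""
    pools: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:  # header line starts a new pool
            current = pools.setdefault(m.group(1), {})
            current.update(size=int(m.group(2)), total=int(m.group(3)),
                           permanent=int(m.group(4)), peak=int(m.group(5)))
            continue
        if current is None:  # lines before the first pool (e.g. 'Buffer elements')
            continue
        m = FREE_RE.match(line)
        if m:
            current.update(free=int(m.group(1)), min=int(m.group(2)), max=int(m.group(3)))
            current["used"] = current["total"] - current["free"]  # buffers currently held
            continue
        m = FAIL_RE.match(line)
        if m:
            current.update(failures=int(m.group(1)), no_memory=int(m.group(2)))
    return pools


def pools_at_limit(pools: Dict[str, Dict[str, int]]) -> List[str]:
    """Pools whose total already exceeds 'max allowed' or that reported allocation failures."""
    return sorted(n for n, p in pools.items()
                  if p["total"] > p["max"] or p.get("failures", 0) > 0)


def growing_pools(samples: List[Dict[str, Dict[str, int]]], min_growth: int = 50) -> List[str]:
    """Pools whose in-use count rises in every consecutive sample and by at least min_growth overall."""
    if len(samples) < 2:
        return []
    names = set(samples[0]).intersection(*samples[1:])  # pools present in every sample
    result = []
    for name in sorted(names):
        used = [s[name]["used"] for s in samples]
        rising = all(later > earlier for earlier, later in zip(used, used[1:]))
        if rising and used[-1] - used[0] >= min_growth:
            result.append(name)
    return result


if __name__ == "__main__":
    history = [parse_show_buffers(s) for s in (SAMPLE_T0, SAMPLE_T1, SAMPLE_T2)]
    for name, pool in history[0].items():
        print(f"{name:8s} used={pool['used']:5d} total={pool['total']:5d} max={pool['max']:5d}")
    print("over limit or failing:", pools_at_limit(history[0]))
    print("steadily growing:", growing_pools(history))
```

Feed the script one 'show buffers' capture per polling interval (the same parser works on the full command output, since the 'Buffer elements' line does not match the per-pool patterns) and alert when the same pool shows up in the growing list on several consecutive runs; the 'used' figure is the one to graph, because 'total' alone also rises and falls with the normal trim/create cycle.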