I have a weird problem with client connectivity through IPsec. I have set up an ASA5520 (8.3(2)) as a VPN concentrator. DHCP is served from a Windows machine.
From time to time it happens that no one can connect; they immediately get a 433 error message, but there are also no logs on the ASA.
I found out that when it happens there is a problem with DHCP: the ASA holds the dynamically allocated IP address in the IPsec SA, but on the DHCP server there is no record for that IP address. So every new client gets this IP address, and as soon as the client uses it, the ASA disconnects it because this address is already in use. To fix this issue I have to either clear the SA for this dynamic address or remove this dynamic address from the DHCP server.
The DHCP lease time is longer than the IPsec SA lifetime, so there should not be a problem with idle clients (disconnected without a proper logout).
The other thing is that I can see show ipsec sa displays:
Crypto map tag: Gdynmap, seq num: 20, local addr: 10.233.129.201
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
Martin, bug #CSCts45189 has been filed for this issue. Unfortunately we haven't been able to reproduce this problem in the lab, and due to the impact this has had on customer environments, most people who run into this problem move to using DHCP pools or some other form of address assignment (as Shane indicated). If you haven't done so and you are willing to help us troubleshoot this problem, then we will be quite grateful. In that case, when you next run into this issue, please open a TAC case right away with the following debugs:
1) logging class ipaa trap 6
2) debug dhcpc error
3) debug dhcpc detail
4) debug dhcpc packet
5) debug dhcpd event 255
6) debug dhcpd packet 255
7) When it's failing, check the logging database to see whether that IP address is in use:
show vpn-sessiondb anyconnect filter a-ipaddress
8) asp captures on the ASA interface that the DHCP server(s) are attached to.
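An added example, not from this thread or from Cisco: a small cross-check for the stale-address condition described in the question (an address the ASA still holds for a session or IPsec SA while the DHCP server has no lease for it), which is also what the "check whether that IP address is in use" step above is probing. The sample inputs are constructed approximations of `show vpn-sessiondb` and a Windows DHCP client dump; the regexes are assumptions and should be adjusted to the exact output of your devices.

```python
"""Flag VPN-assigned addresses that the DHCP server no longer leases.

Any address returned by stale_vpn_addresses() is one the ASA still considers
in use while DHCP will happily hand it to the next client, which is exactly
the 'address already in use' disconnect loop from the question. The fix on
the page is to clear the SA/session for that address or restore the lease.
"""
import re

# Constructed sample in the style of ASA `show vpn-sessiondb` (format assumed).
ASA_SESSIONS = """\
Username     : alice                  Index        : 12
Assigned IP  : 10.20.30.5             Public IP    : 203.0.113.10
Username     : bob                    Index        : 13
Assigned IP  : 10.20.30.9             Public IP    : 203.0.113.11
"""

# Constructed sample in the style of `netsh dhcp server scope ... show clients`
# (format assumed): "<ip> - <mask> - <mac> - <expiry> - <type>".
DHCP_LEASES = """\
10.20.30.5  - 255.255.255.0 - 00-11-22-33-44-55 - 3/1/2012 10:00:00 AM - D
10.20.30.7  - 255.255.255.0 - 00-11-22-33-44-66 - 3/1/2012 10:05:00 AM - D
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
USER_RE = re.compile(r"Username\s*:\s*(\S+)")
ASSIGNED_RE = re.compile(r"Assigned IP\s*:\s*" + IPV4)
LEASE_RE = re.compile(r"^\s*" + IPV4 + r"\s*-")


def asa_assigned_addresses(text):
    """Map assigned IP -> username. A 'Username' line precedes its 'Assigned IP' line."""
    user, result = None, {}
    for line in text.splitlines():
        if m := USER_RE.search(line):
            user = m.group(1)
        elif m := ASSIGNED_RE.search(line):
            result[m.group(1)] = user
    return result


def dhcp_leased_addresses(text):
    """Set of IPs that currently hold a lease on the DHCP server."""
    return {m.group(1) for line in text.splitlines() if (m := LEASE_RE.match(line))}


def stale_vpn_addresses(asa_text, dhcp_text):
    """IP -> username for sessions whose address has no DHCP lease (the bad state)."""
    leased = dhcp_leased_addresses(dhcp_text)
    return {ip: user for ip, user in asa_assigned_addresses(asa_text).items() if ip not in leased}


if __name__ == "__main__":
    for ip, user in stale_vpn_addresses(ASA_SESSIONS, DHCP_LEASES).items():
        print(f"stale: {ip} held for {user} on the ASA but absent from DHCP; clear its SA/session or restore the lease")
```

Run it against a fresh `show vpn-sessiondb` dump and the DHCP client export each time the 433 errors start; an empty result means the addresses are consistent and the cause lies elsewhere.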