Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

First IPSEC client takes long time to get loginprompt on new ASA5510.

Hi all,

I have a newly installed ASA5510 that will replace an existing 5510 in production.

New Version is 8.2(2)9. Security plus license.

My problem is that the first VPN client connecting to this new device takes about 6 seconds to connect and get the login prompt. Since we have backup VPN servers configured the client will timeout and get transferred to one of these backup servers in another part of the world. I believe the timeout for using the backupservers is 5 seconds.

If the client disconnects and tries to connect again within 10 minutes he will get in to the first ASA just fine.

But if waiting more than 10 minutes between disconnect and reconnect he will get transferred to backup VPN server again.

Checking the log on the client shows nothing more than there is no reply from the server.

Checking the server with basic debugging I can not find anything obvious either.

I have checked ARP with pinging the ASA first on both inside and outside interface and can see that there are entries in the ARP-cache for the gateways.

Maby this is standard behavior for the first vpn-client on a ASA5510 that it has to load certificate store, vpn daemons etc in the memory. Then I got no major problem when putting it into production, but it sems strange and I can not find anything related to this in any documents.

Any comments or ideas are apreciated.

Reg

//R

1 REPLY
Cisco Employee

Re: First IPSEC client takes long time to get loginprompt on new

Hello,


We would need to look at ISAKMP debugging (debug crypto isakmp 127) and debug aaa common 255 - but typically I've seen this scenario if the group that the ASA is connecting to is timing out the first AAA server, and then when it can reach the second AAA server (after marking the first one dead), you get prompted for username/password in the client.

After a while, the AAA server gets marked as 'alive' again so that it's not dead, and the issue recurs

Of course, this is only a guess given that I don't have your configuration, but it's one of the scenarios that fits what you are describing.

--Jason

354
Views
0
Helpful
1
Replies
CreatePlease to create content