First IPSEC client takes long time to get login prompt on new ASA5510.
I have a newly installed ASA5510 that will replace an existing 5510 in production.
New Version is 8.2(2)9. Security plus license.
My problem is that the first VPN client connecting to this new device takes about 6 seconds to connect and get the login prompt. Since we have backup VPN servers configured, the client will time out and get transferred to one of these backup servers in another part of the world. I believe the timeout for using the backup servers is 5 seconds.
If the client disconnects and tries to connect again within 10 minutes he will get in to the first ASA just fine.
But if waiting more than 10 minutes between disconnect and reconnect he will get transferred to backup VPN server again.
Checking the log on the client shows nothing more than there is no reply from the server.
Checking the server with basic debugging I can not find anything obvious either.
I have checked ARP with pinging the ASA first on both inside and outside interface and can see that there are entries in the ARP-cache for the gateways.
Maybe this is standard behavior for the first vpn-client on an ASA5510, that it has to load certificate store, vpn daemons etc. into memory. Then I have no major problem putting it into production, but it seems strange and I can not find anything related to this in any documents.
Re: First IPSEC client takes long time to get login prompt on new
We would need to look at ISAKMP debugging (debug crypto isakmp 127) and debug aaa common 255 - but typically I've seen this scenario if the group that the ASA is connecting to is timing out the first AAA server, and then when it can reach the second AAA server (after marking the first one dead), you get prompted for username/password in the client.
After a while, the AAA server gets marked as 'alive' again so that it's not dead, and the issue recurs.
Of course, this is only a guess given that I don't have your configuration, but it's one of the scenarios that fits what you are describing.
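The scenario guessed at in the reply above, as an added sketch that is not part of the original thread and is not ASA code: a simplified model of a AAA server group whose first server never answers. The 6 s per-server timeout, 10-minute dead time and 5 s client limit are assumptions chosen to match the numbers in the question, and all class and function names are hypothetical.

```python
# Simplified model (an assumption, not the ASA's actual algorithm) of AAA
# failover: servers are tried in order, a silent one is marked dead for a while.
from dataclasses import dataclass

@dataclass
class AaaServer:
    name: str
    reachable: bool
    rtt: float = 0.2          # seconds for a healthy reply (constructed value)
    dead_until: float = 0.0   # time until which this server is skipped

class AaaGroup:
    def __init__(self, servers, timeout=6.0, deadtime=600.0):
        self.servers = servers
        self.timeout = timeout     # wait per silent server (assumed 6 s)
        self.deadtime = deadtime   # how long it stays 'dead' (assumed 10 min)

    def prompt_delay(self, now):
        """Seconds until some server answers and the client can be prompted."""
        waited = 0.0
        for s in self.servers:
            if now + waited < s.dead_until:
                continue                      # marked dead: skipped at no cost
            if s.reachable:
                return waited + s.rtt
            waited += self.timeout            # full timeout burned on this one
            s.dead_until = now + waited + self.deadtime
        return None                           # nobody answered

def classify(delay, client_limit=5.0):
    """Client behaviour given its backup-server timeout (assumed 5 s)."""
    if delay is None or delay > client_limit:
        return "fails over to backup VPN server"
    return "gets login prompt"

def replay(connect_times):
    """Run connection attempts (seconds since start) against one group."""
    group = AaaGroup([AaaServer("primary", False), AaaServer("secondary", True)])
    out = []
    for t in connect_times:
        d = group.prompt_delay(t)
        out.append((t, d, classify(d)))
    return out

if __name__ == "__main__":
    for row in replay([0, 120, 500, 900]):
        print(row)
```

If the ISAKMP and AAA debugs suggested in the reply show the first server timing out, the slow attempts in this model line up with the moments the primary has just come back from 'dead'.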