"easy vpn" problem after upgrade to 8.3

Anyone

I have a scenario of 3 x asa5505, asa1, asa2 and asa3.

asa1 is the central point (server if you like). asa2 has a site to site vpn to asa1 and works fine (asa1 and 2 have fixed public IPs).

asa3 however does not have a public IP but is sitting behind another (ZyXEL) dsl modem/firewall. I have used EasyVPN on asa3 earlier, and all worked fine. After upgrading asa1 to 8.3(2) the tunnel from asa3 to asa1 never comes back up. All I see in the log (ASDM) on asa1 is the following:

"Date and Time stamp" "source IP" Maximum concurrent IKE negotiations exceeded!

I have re-run the Wizard in ASDM on both asa3 and asa1 (easyvpn wizard on asa3, and remote access wizard on asa1)

Anyone?

br

hkl

11 REPLIES
Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi Kristian,

What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?

Thanks and regards,

Prapanch

Re: "easy vpn" problem after upgrade to 8.3

praprama wrote:

Hi Kristian,

What is the exact message that you are getting on the ASA? Please post it along with the syslog ID. Also, have you tried rebooting the ASA to see if it helped?

Thanks and regards,

Prapanch

Hello, and thanks for your response.

Yes I tried a restart, no difference. Here is a copy of the syslog msg.

br

Kristian

asa-3-713191 local4
Severity: error
Message: nov 15 2010 08:02:38: %%asa-3-713191: ip = 88.90.17.178, maximum concurrent ike negotiations exceeded!
Time: 15 Nov 2010, 08:02:4

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Please attach the show tech if possible; I am particularly interested in the memory, CPU and the blocks.

You can just paste the output of

show mem

show cpu

show blocks

Re: "easy vpn" problem after upgrade to 8.3

jathaval wrote:

Please attach the show tech if possible; I am particularly interested in the memory, CPU and the blocks.

You can just paste the output of

show mem

show cpu

show blocks


Hello

Attached a file with the requested info. This is from asa1. Cannot access asa3 until the vpn is there.

br

Kristian

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi Kristian,

Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.

I would suggest that you open up a TAC case to investigate further and collect all necessary information.

Regards,

Prapanch

Re: "easy vpn" problem after upgrade to 8.3

praprama wrote:

Hi Kristian,

Please post the outputs of "show cry isa sa" and "show cry isa stats". It seems like an IKE resource exhaustion:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html

It looks similar to http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml#@ID but the version you are running should ideally have the fix.

I would suggest that you open up a TAC case to investigate further and collect all necessary information.

Regards,

Prapanch

Hello

Attached an rtf file with the requested info. I will investigate your links, and contact TAC if this is not only due to my lack of competence.

hkl

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi Kristian,

Could you also get the output of "debug menu ike 28 1"?

Regards,

Prapanch

Re: "easy vpn" problem after upgrade to 8.3

praprama wrote:

Hi Kristian,

Could you also get the output of "debug menu ike 28 1"?

Regards,

Prapanch

Hello Prapanch

Here is the requested output:

anubis# deb menu ike 28 1

IKE simultaneous P1 negotiations Stats:

  current negotiation count   = 50

  device current limit        = 50 (device default)

  device default limit        = 50

  highwater negotiation count = 50

anubis#

br
Kristian

Cisco Employee

Re: "easy vpn" problem after upgrade to 8.3

Hi,

So the reason why you are getting that log is because we are past the maximum of IKE negotiations the device can handle by default.

Now, the reason for the failure seems to be "Auth Fails" from the output of "show cry isa stats" as the counter for that is large.

I think the best option is to open up a TAC case to investigate further. But please do let me know the results of it. I will be interested in the resolution.

Regards,

Prapanch
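As an added example (not part of the thread and not Cisco code): a small Python triage helper that counts %ASA-3-713191 rejections per peer and checks the "debug menu ike 28 1" counters for saturation, the two signals discussed in the reply above. The first syslog line and the stats block are copied from the thread; the other log lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Line 1 is the message posted in this thread; lines 2-4 are constructed samples.
SAMPLE_SYSLOG = """\
nov 15 2010 08:02:38: %%asa-3-713191: ip = 88.90.17.178, maximum concurrent ike negotiations exceeded!
Nov 15 2010 08:02:41: %ASA-3-713191: IP = 88.90.17.178, Maximum concurrent IKE negotiations exceeded!
Nov 15 2010 08:02:45: %ASA-3-713191: IP = 192.0.2.10, Maximum concurrent IKE negotiations exceeded!
Nov 15 2010 08:03:00: some unrelated message
"""

# Output of "debug menu ike 28 1" as posted in this thread.
SAMPLE_P1_STATS = """\
IKE simultaneous P1 negotiations Stats:
  current negotiation count   = 50
  device current limit        = 50 (device default)
  device default limit        = 50
  highwater negotiation count = 50
"""

# Tolerates the doubled '%' and lower-casing seen in the ASDM copy/paste.
MSG_RE = re.compile(r"%+asa-3-713191:\s*ip\s*=\s*([0-9.]+)", re.IGNORECASE)
STAT_RE = re.compile(r"^[ \t]*(.+?)[ \t]*=[ \t]*(\d+)", re.MULTILINE)


def rejected_peers(syslog_text):
    """Count 713191 rejections per peer IP."""
    return Counter(m.group(1) for m in MSG_RE.finditer(syslog_text))


def parse_p1_stats(stats_text):
    """Turn the 'name = value' counter lines into a dict of ints."""
    return {name: int(value) for name, value in STAT_RE.findall(stats_text)}


def triage(syslog_text, stats_text):
    """Summarise whether phase 1 slots are exhausted and which peers are refused."""
    stats = parse_p1_stats(stats_text)
    limit = stats["device current limit"]
    current = stats["current negotiation count"]
    return {
        "saturated": current >= limit,   # no free negotiation slots left
        "headroom": limit - current,     # slots still available
        "top_peers": rejected_peers(syslog_text).most_common(3),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG, SAMPLE_P1_STATS))
```

A current count that stays pinned at the limit while the same peers keep being refused points at negotiations that never complete rather than at a burst of legitimate load.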

New Member

Re: "easy vpn" problem after upgrade to 8.3

Was there any resolution to this issue? I just upgraded to 8.3 and I'm having a similar issue with the easy vpn not connecting.

Re: "easy vpn" problem after upgrade to 8.3

To all who helped out here, sorry for the long silence.

I ended up resetting the ASA to factory default (which was a struggle in itself for some reason) and rebuilding the config step by step.

Works fine now. I'll be glad to forward my configs to anyone who could need them.

hkl
