Seeing this issue occur in the afternoons usually. In the mornings WebVPN users are able to log in successfully, then we start seeing some fail with the following in the log:
Oct 29 2014 15:02:44: %ASA-6-725003: SSL client outside:X.X.X.X/56221 request to resume previous seion.
Oct 29 2014 15:02:44: %ASA-6-725002: Device completed SSL handshake with client outside:X.X.X.X/562
Oct 29 2014 15:02:44: %ASA-6-725007: SSL session with client outside:X.X.X.X/56221 terminated.
Oct 29 2014 15:02:56: %ASA-6-725001: Starting SSL handshake with client outside:X.X.X.X/56226 for Tv1 session.
Oct 29 2014 15:02:56: %ASA-6-725003: SSL client outside:X.X.X.X/56226 request to resume previous seion.
Oct 29 2014 15:02:56: %ASA-6-725002: Device completed SSL handshake with client outside:X.X.X.X/562
Oct 29 2014 15:02:58: %ASA-6-716001: Group <GroupPolicy_XXXX> User <XXXX> IP <X.X.X.XWebVPN session started.
Oct 29 2014 15:02:58: %ASA-6-716002: Group <GroupPolicy_XXXX> User <XXXX> IP <X.X.X.XWebVPN session terminated: Service Unavailable.
I haven't seen this "Service Unavailable" before. Any ideas? Thanks
I have not seen that Service Unavailable before and am not sure, but I wonder if it could be that you are getting to the point where you have used all of the sessions specified in your license and new sessions cannot initiate because of the license count?
Thanks for the additional information. It does look like something is going on other than a potential issue with the user count and license limitations. show version should clear up what the license count is, and sh vpn-sessiondb summary should give you both current count and maximum counts just to be sure.
In your original post you indicate that usually in the mornings things seem to work ok and it is later in the day when problems start to appear. In the mornings does ASDM work? At least some of the messages seem to indicate memory problems. What do you get from the command show memory?
If this ASA is covered under a maintenance plan it would be appropriate to open a case with Cisco TAC and have them investigate.
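Added example, not part of any post in the thread: one way to check from a saved syslog export whether the 716002 "Service Unavailable" terminations cluster by hour of day and whether sessions end within seconds of 716001, as in the log quoted above. The sample lines, group name, user names and addresses are constructed, and `analyze` and `short_secs` are names chosen for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, modelled on the log format quoted in the thread.
SAMPLE_LOG = """\
Oct 29 2014 09:14:02: %ASA-6-716001: Group <GP_Example> User <alice> IP <192.0.2.10> WebVPN session started.
Oct 29 2014 09:52:40: %ASA-6-716002: Group <GP_Example> User <alice> IP <192.0.2.10> WebVPN session terminated: User Requested.
Oct 29 2014 15:02:58: %ASA-6-716001: Group <GP_Example> User <bob> IP <192.0.2.11> WebVPN session started.
Oct 29 2014 15:02:58: %ASA-6-716002: Group <GP_Example> User <bob> IP <192.0.2.11> WebVPN session terminated: Service Unavailable.
Oct 29 2014 15:20:11: %ASA-6-716001: Group <GP_Example> User <carol> IP <192.0.2.12> WebVPN session started.
Oct 29 2014 15:20:12: %ASA-6-716002: Group <GP_Example> User <carol> IP <192.0.2.12> WebVPN session terminated: Service Unavailable.
Oct 29 2014 15:21:00: %ASA-6-725007: SSL session with client outside:192.0.2.12/50001 terminated.
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d): %ASA-\d-(\d{6}): (.*)$")
USER_RE = re.compile(r"User <([^>]*)>")
REASON_RE = re.compile(r"session terminated: (.+?)\.?$")

def analyze(log_text, short_secs=5):
    """Return (terminations per (hour, reason), sessions ended within short_secs of start)."""
    by_hour = Counter()
    started = {}      # user -> time of the last 716001 (session started)
    short_lived = []  # (user, reason, seconds between start and termination)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip truncated lines and anything that is not ASA syslog
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, msg = m.group(2), m.group(3)
        user = USER_RE.search(msg)
        if msg_id == "716001" and user:
            started[user.group(1)] = ts
        elif msg_id == "716002" and user:
            reason = REASON_RE.search(msg)
            reason = reason.group(1) if reason else "unknown"
            by_hour[(ts.hour, reason)] += 1
            begin = started.pop(user.group(1), None)
            if begin is not None and (ts - begin).total_seconds() <= short_secs:
                short_lived.append((user.group(1), reason, int((ts - begin).total_seconds())))
    return by_hour, short_lived

if __name__ == "__main__":
    by_hour, short_lived = analyze(SAMPLE_LOG)
    for (hour, reason), count in sorted(by_hour.items()):
        print(f"{hour:02d}:00  {reason:<22} {count}")
    for user, reason, secs in short_lived:
        print(f"short-lived: {user} ended after {secs}s ({reason})")
```

Lining up the hours in this output with the session counts from sh vpn-sessiondb summary or the figures from show memory taken at the same times shows which of the two explanations raised in the replies matches the failures.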