I've come across a perplexing situation I've never seen before, and can't explain, and am asking the collective wisdom to see if anyone else may have an explanation.
Background: $POE has a pair of ASA5520s (active/standby) running at our internet edge. Said ASAs terminate remote access, client-based VPNs with split-tunnelling for teleworkers. I, for my sins, inherited management of these devices, and owing to the nature of the business it is *extremely* difficult to find time to try and improve/change the configurations because the firewalls are almost always in use.
ASA software version is 8.2(1).
Normally, this is not an issue, and Just Works. Recently, owing to some business restructuring, we've had a fairly large increase in the number of VPN users who need to log on - not necessarily concurrently (we only hit 10 or so online, max), but in the overall number of users.
Yesterday, I had a user complain that they couldn't access network resources despite being connected to the VPN. Remotely connecting to her desktop showed that, indeed, her VPN was up. Checking into the Firewall console I could see the connection and that it was receiving data but NOT sending data outbound.
I assumed a client issue (we are, unfortunately, still using the old Cisco Systems VPN client) with the relatively new Windows 7 laptop, and installed the Shrew Soft VPN client, which worked.
Shortly afterwards, I got another helpdesk job referring to a similar issue. Looked at the firewall and saw the exact same situation - connection online and authenticated, receiving data but NOT sending.
Just by chance, I noticed that the IP address allocated to the client was the same one as the previous user with the problem. There were IP addresses both before and after this address in use, so I knew we weren't running into a limit in the scope (there's a /24 allocated to the VPN users) - but the last user who had the problem was now online with a completely different IP address and working fine.
For the life of me, I can NOT think why one specific IP address would throw up this kind of symptom. Both the users were in different parts of the country, so there was no similarity in source address for the VPN connection, one was running XP and one running Windows 7, different usernames etc - the only thing in common was the IP address which they were allocated.
Has anyone ever seen this kind of thing? For information, the "faulty" IP address was .177 in a /24 range.
I killed/reset the pool, along with some tweaks to the time limits on re-using IP addresses so hopefully it won't happen again - but I'm curious to find out if anyone can shed light on what might have caused it.
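The diagnostic step the post describes by hand (spotting sessions that are up and authenticated, receiving bytes but sending none, and then noticing the same pool address behind each complaint) can be automated over a session export. The following is an added example and not code from the post or from Cisco; the comma-separated record layout and the sample rows are constructed for illustration and are not real ASA output, so the `parse_sessions` function would need adapting to whatever export you actually have.

```python
"""Flag remote-access VPN sessions that receive but never send, then group
the hits by assigned pool address so a recurring address stands out.

Added illustration; the record layout below is an assumption, not ASA output.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    assigned_ip: str   # address handed out from the VPN pool
    public_ip: str     # source address the client connected from
    bytes_rx: int      # bytes the firewall received from the client
    bytes_tx: int      # bytes the firewall sent back to the client


# Constructed sample records (assumed CSV layout, documentation-range addresses).
SAMPLE_RECORDS = """\
user,assigned_ip,public_ip,bytes_rx,bytes_tx
alice,10.10.10.12,198.51.100.7,48211,37650
bob,10.10.10.177,203.0.113.15,9120,0
carol,10.10.10.178,198.51.100.90,15033,12001
alice,10.10.10.177,198.51.100.7,7744,0
dave,10.10.10.13,203.0.113.40,0,0
"""


def parse_sessions(text):
    """Parse the assumed CSV layout into Session records."""
    rows = text.strip().splitlines()
    header = rows[0].split(",")
    sessions = []
    for line in rows[1:]:
        fields = dict(zip(header, line.split(",")))
        sessions.append(Session(
            username=fields["user"],
            assigned_ip=fields["assigned_ip"],
            public_ip=fields["public_ip"],
            bytes_rx=int(fields["bytes_rx"]),
            bytes_tx=int(fields["bytes_tx"]),
        ))
    return sessions


def one_way_sessions(sessions, min_rx=1):
    """Sessions that have received traffic but sent none back.

    An idle session (0 rx, 0 tx) is not a symptom, so it is excluded by
    requiring at least min_rx received bytes.
    """
    return [s for s in sessions if s.bytes_rx >= min_rx and s.bytes_tx == 0]


def suspect_addresses(sessions, min_hits=2):
    """Pool addresses behind one-way sessions from more than one user/source.

    Two different users, on different public addresses, both stuck on the
    same pool address points at the address (or the pool state) rather than
    at a client problem.
    """
    by_ip = defaultdict(set)
    for s in one_way_sessions(sessions):
        by_ip[s.assigned_ip].add((s.username, s.public_ip))
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) >= min_hits}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_RECORDS)
    for s in one_way_sessions(sessions):
        print(f"one-way: {s.username} on {s.assigned_ip} from {s.public_ip}")
    for ip, users in suspect_addresses(sessions).items():
        print(f"recurring pool address {ip}: {users}")
```

Run against the constructed sample, `one_way_sessions` returns the two sessions on 10.10.10.177 and ignores dave's idle session, and `suspect_addresses` reports only 10.10.10.177, because it is the single address shared by stuck sessions from two distinct users on two distinct source addresses. Raising `min_hits` reduces noise on a busy box; lowering it to 1 turns the function into a plain per-address listing.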
Thanks for the pointers - I honestly didn't consider this might be a known bug - Friday was a loooong day!
I'll see if I can't schedule a software upgrade, although given that my boss is seriously considering replacing the ASAs with something better, I might just live with it until I know one way or another.