RAMU CH

VPN Sessions are discarding through Cisco ASA 5520 Firewall.

Dear Team,
In our organization, we have recently been facing an issue with VPN connections disconnecting abruptly at random time periods (5 min, 15 min, 1 hr also).

We have verified in our SysLog Messages shown as follows:

2011-04-07 19:33:59    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.40.124/138 to inside:172.16.255.255/138

Here 172.16.40.124 is a LAN IP address which is connecting to the client VPN; the connection is abruptly getting dropped.
Here 172.16.1.68 is Cisco ASA 5520 inside IP address.

A few points to be noted:
- The same worked well with the Cisco PIX 515E firewall; after changing to the Cisco ASA 5520, it is giving the issue.

- All ports are allowed for outbound traffic with a source network of 172.16.40.0/24 to their client VPN.

- This issue is occurring for other subnet users, i.e. 172.16.33.0/24, to their client VPN sessions, and I allowed all ports for them for outbound traffic.

- Please confirm whether there is any feature in the ASA that is causing the sessions to terminate which was not in the Cisco PIX 515E.

- ASA version is 8.0(3)

Regards
Ramu
CMC LTD
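
An added example, not part of the original post: a small Python parser that pulls the fields out of %ASA-7-710005 lines in the syslog layout quoted above and tallies them by source, so that NetBIOS broadcasts (UDP 137/138 to the subnet broadcast address) can be separated from other discarded requests. The second and third sample lines are constructed, and treating 172.16.255.255 as the inside broadcast address is an assumption.

```python
import re
from collections import Counter

# Sample input in the syslog layout quoted in the post. Only the first line
# comes from the post; the second and third are constructed for illustration.
SAMPLE = """\
2011-04-07 19:33:59    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.40.124/138 to inside:172.16.255.255/138
2011-04-07 19:34:02    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.33.17/137 to inside:172.16.255.255/137
2011-04-07 19:34:10    Local4.Debug    172.16.1.68    %ASA-7-710005: TCP request discarded from 172.16.40.124/51515 to inside:172.16.1.68/8080
"""

LINE_RE = re.compile(
    r"%ASA-7-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
NETBIOS_UDP = {137: "netbios-ns", 138: "netbios-dgm"}  # well-known UDP ports

def parse_710005(text):
    """Return one dict per 710005 record found in text; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def classify(rec, broadcast="172.16.255.255"):
    """Label a record. The broadcast default is an assumption (a /16 inside network)."""
    if rec["proto"] == "UDP" and rec["dst"] == broadcast and rec["dport"] in NETBIOS_UDP:
        return "netbios-broadcast"
    return "other"

def summarize(text):
    """Count records per (source address, label) so chatty hosts stand out."""
    return Counter((r["src"], classify(r)) for r in parse_710005(text))

if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {label:18} {n}")
```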



 


John Meggers

There is a bug (CSCsq50494) listed in the 8.0(4) release notes (http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/arn804n.html) that indicates this was fixed, perhaps a NAT-T issue.  You might try upgrading from 8.0(2) to at least 8.0(4).
RAMU CH

ASKER

Thanks for your info.

But as this is a production appliance and the version is 8.0(3) (not 8.0(2)), does it still need to be upgraded to 8.0(4)?
Can you give assurance that this will be fixed if I upgrade to 8.0(4)? If so, will you help me with the steps to upgrade from 8.0(3) to 8.0(4) without making the firewall non-functional (down state), so that I will try to do that.

Regards
Ramu
CMC LTD

I can't make any guarantees.  If you want that, call Cisco TAC.

The upgrade process is not difficult.  You will have to download the new image from Cisco's web site and put it onto a local TFTP or FTP server in your organization.  
-- Console (or telnet or ssh) into the ASA
-- Look at disk0: to make sure you have enough space to store the new image.  "dir disk0:"
-- Assuming the space is available, tftp the image from the server to the ASA.
"copy tftp disk0:" then answer the questions about IP address of the server and file name to be transferred.
-- If there's not enough space on disk0: you will have to delete something, perhaps the existing image.
-- Configure or modify a boot statement on the ASA pointing to the new image.  "boot system disk0:<image_name>"  Make sure you remove any other boot statement so there's only one, or at least the new one is first.
-- Save the configuration with the new boot statement, then type "reload" to reboot the ASA.
-- When the ASA has rebooted, do a "show version" to make sure the running OS is the one you want.


ASKER CERTIFIED SOLUTION
koudry

RAMU CH

ASKER

Thanks

Regards
Ramu