VPN sessions are being discarded through a Cisco ASA 5520 firewall.

Dear Team,
In our organization, we are recently facing an issue with VPN connections disconnecting abruptly at random time periods (5 min, 15 min, also 1 hr).

We have verified this in our syslog messages, shown as follows:

2011-04-07 19:33:59    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.40.124/138 to inside:172.16.255.255/138

Here 172.16.40.124 is a LAN IP address that is connecting to the client VPN; the connection is abruptly getting dropped.
Here 172.16.1.68 is the Cisco ASA 5520 inside IP address.

A few points to be noted:
- The same worked well on the Cisco PIX 515E firewall; after changing to the Cisco ASA 5520, it is giving this issue.

- All ports are allowed for outbound traffic from source network 172.16.40.0/24 to their client VPN.

- This issue is also occurring for other subnet users, i.e. 172.16.33.0/24, to their client VPN sessions, and I allowed all ports for them for outbound traffic.

- Please confirm whether there is any feature in the ASA that is causing the sessions to terminate which was not in the Cisco PIX 515E.

- ASA version is 8.0(3).

Regards
Ramu
CMC LTD
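As an added example (not part of the question or of any reply), a small Python parser for ASA syslog lines in the layout quoted above: it extracts the severity and message ID from the `%ASA-7-710005` header, pulls the source, destination and interface out of the "request discarded" text, tallies 710005 messages per LAN source host, and flags discards whose destination is the LAN broadcast address. The log lines are constructed, and the 172.16.0.0/16 mask used for the broadcast check is an assumption (the page only shows 172.16.255.255 as the destination).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the same layout as the syslog export quoted in the question
# (timestamp, facility.severity, reporting device, then the %ASA message).
SAMPLE_LOG = """\
2011-04-07 19:33:59    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.40.124/138 to inside:172.16.255.255/138
2011-04-07 19:34:02    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.40.124/137 to inside:172.16.255.255/137
2011-04-07 19:34:05    Local4.Debug    172.16.1.68    %ASA-7-710005: UDP request discarded from 172.16.33.7/138 to inside:172.16.255.255/138
2011-04-07 19:34:09    Local4.Info     172.16.1.68    %ASA-6-302016: Teardown UDP connection 4711 for outside:203.0.113.5/500 to inside:172.16.40.124/500 duration 0:02:11 bytes 1320
"""

# Generic ASA header: %ASA-<severity>-<six-digit message id>: <text>
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Body of message 710005 as quoted on the page: "<proto> request discarded from A/p to iface:B/p"
DISCARD_RE = re.compile(
    r"(?P<proto>\w+) request discarded from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_asa_line(line):
    """Return a dict of fields for one syslog line, or None if it carries no %ASA message."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}
    d = DISCARD_RE.match(rec["text"])
    if d:  # only 710005-style texts have the src/dst/iface fields
        rec.update(d.groupdict())
    return rec

def discards_per_source(log, msgid="710005"):
    """Count discard messages per source host, to see which LAN clients are generating them."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_asa_line(line)
        if rec and rec["msgid"] == msgid and "src" in rec:
            counts[rec["src"]] += 1
    return counts

def broadcast_discards(log, lan="172.16.0.0/16"):
    """Return discard records whose destination is the broadcast address of `lan` (mask assumed)."""
    bcast = ip_network(lan).broadcast_address
    return [r for r in (parse_asa_line(l) for l in log.splitlines())
            if r and "dst" in r and ip_address(r["dst"]) == bcast]

if __name__ == "__main__":
    print(discards_per_source(SAMPLE_LOG))
    print(len(broadcast_discards(SAMPLE_LOG)), "discards to the LAN broadcast address")
```

Separating discards aimed at the broadcast address from unicast traffic of the affected host is the first thing to check before reading a debug-level message as the cause of a VPN drop.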


John Meggers (Network Architect) commented:
There is a bug (CSCsq50494) listed in the 8.0(4) release notes (http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/arn804n.html) that indicates this was fixed, perhaps a NAT-T issue. You might try upgrading from 8.0(2) to at least 8.0(4).
RAMU CH (Author) commented:
Thanks for your info.

But as this is a production appliance and the version is 8.0(3) (not 8.0(2)), does it still need to be upgraded to 8.0(4)?
Can you give assurance that this will be fixed if I upgrade to 8.0(4)? If so, will you help me with the steps for how to upgrade from 8.0(3) to 8.0(4) without making the firewall non-functional (down state), so that I can try to do that.

Regards
Ramu
CMC LTD
John Meggers (Network Architect) commented:
I can't make any guarantees. If you want that, call Cisco TAC.

The upgrade process is not difficult. You will have to download the new image from Cisco's web site and put it onto a local TFTP or FTP server in your organization.
-- Console (or telnet or ssh) into the ASA.
-- Look at disk0: to make sure you have enough space to store the new image: "dir disk0:"
-- Assuming the space is available, tftp the image from the server to the ASA: "copy tftp disk0:", then answer the questions about the IP address of the server and the file name to be transferred.
-- If there's not enough space on disk0:, you will have to delete something, perhaps the existing image.
-- Configure or modify a boot statement on the ASA pointing to the new image: "boot system disk0:<image_name>". Make sure you remove any other boot statement so there's only one, or at least the new one is first. Save the configuration with the new boot statement, then type "reload" to reboot the ASA. When the ASA has rebooted, do a "show version" to make sure the running OS is the one you want.

koudry commented:
Hello,

In addition to upgrading to the new IOS on your VPN server (ASA device), you may also want to check whether you have specified anywhere the maximum number of VPN users / IP addresses that can be connected at one given time. You can check whether that number is being exceeded, since your VPN server normally has a range of IPs reserved for the VPN clients. So the question is what happens when the IP pool is used up.

Just a shot in the dark but it is worth checking this as well.

Thanks.
RAMU CH (Author) commented:
Thanks

Regards
Ramu