Cisco ASA remote access VPN issues

Posted on 2011-10-12
Last Modified: 2012-05-12

I have recently deployed remote access VPN services on our Cisco ASA 5510 firewall. It seems that some services are randomly blocked when on VPN; for example, an RDP connection to an internal server disconnects when left idle for 5 minutes, and then you can't even ping the server from the VPN connection.

The ASA device also has an IPS module, an AIP SSM-20, with up-to-date signatures. I am not currently able to view the IPS through the ASDM / IDM interface. I am guessing there could be an issue with it. I am able to SSH to the management port on the IPS module though, and when I run a "show health" command it says that the overall health status is red. I am guessing this cannot be good?

I have the ASA and IPS events being logged to a Cisco MARS central syslog server. I have viewed the events sourced from these devices in MARS, and I am seeing many packets being dropped for traffic that should really be permitted. In particular, I see these 2 events: "packets shunned" and "deny packet - no xlate".

Like I said, the events above are occurring on traffic that should be allowed as per the configured security policy on the ASA.

Does anybody know what might be causing this? Maybe it is something that needs tuning in the IPS module, but as I said, I can't connect to it at the moment due to some unknown issue. Maybe the IPS module needs a reboot?

Any help on any of the above or any suggestions would be greatly appreciated.

Thanks in advance.

Question by: L-Plate

    Accepted Solution

    We have the same setup and of course it can work.  Obviously it does appear to be the IPS causing the issue.  You could disconnect it and/or set the ASA to not use it.  The IPS is a plug-in module in the ASA but is more or less its own computer and has its own IP.  Do you have that?  Do you have a TAC support contract?

    From your ASDM on the 5510, go to CONFIGURATION > FIREWALL > SERVICE POLICY RULES and disable the service policy rule that is diverting traffic to the IPS module.

    Author Comment

    Hi mrklaxon,

    Thanks for the quick reply. First and foremost I think I should reboot the IPS module; I can probably do this by SSH connecting to the management IP address on the IPS module.

    Would you recommend that I disable the service policy rule before I do the reboot?

    Assisted Solution

    If this was up and running and you recently started having this problem, take a look at the following article. I'm not 100% sure if this pertains to your issue, but since it is VPN related on an ASA, this was part of a recent vulnerability listed by Cisco on 11/6/2011.


    Expert Comment

    If you think a reboot is a fix I would do that first; you don't want 2 fixes applied and then wonder which fixed it.  Removing the IPS config on the ASA is only a temporary testing solution and has nothing to do with being able to access its management interface; it's only to verify that it's causing the block.
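    The CLI equivalent of the ASDM steps in the accepted solution, together with the module reboot and the "test one change at a time" approach from the comment above, as an added example that is not part of the original thread. It assumes the usual ASA 5510 + AIP-SSM layout: the sensor in slot 1, a class-map called IPS_CLASS hanging off the default global_policy, and the placeholders <server-ip> / <client-ip> standing for the internal RDP server and the VPN client; check "show run policy-map" first, because your names may differ.

```cisco
! Step 1 - reboot the sensor from the ASA side (same effect as a reset over SSH to the module)
asa# show module 1 details
asa# hw-module module 1 reset
asa# show module 1
!   Wait until the module Status column returns to "Up" before testing again.
!   "session 1" drops you onto the sensor console if the management IP is unreachable.

! Step 2 - see how traffic is being diverted to the module
asa# show run policy-map
! Typical output with an AIP-SSM (names assumed; yours may differ):
!   policy-map global_policy
!    class IPS_CLASS
!     ips inline fail-open
!
! Caveat: "fail-open" only bypasses the sensor when the ASA considers the module DOWN.
! A module that reports Up but is unhealthy (overall health red) still sees every
! packet in inline mode and can still drop it.

! Step 3 - temporary test, only AFTER the reboot test: stop sending traffic to the module
! (ASDM: Configuration > Firewall > Service Policy Rules > disable the IPS rule)
asa# configure terminal
asa(config)# policy-map global_policy
asa(config-pmap)# class IPS_CLASS
asa(config-pmap-c)# no ips inline fail-open
asa(config-pmap-c)# end
! Re-test the idle RDP session and the ping over the VPN, then put the rule back:
asa# configure terminal
asa(config)# policy-map global_policy
asa(config-pmap)# class IPS_CLASS
asa(config-pmap-c)# ips inline fail-open
asa(config-pmap-c)# end

! Step 4 - checks that match the two MARS events
asa# show shun
!   "packets shunned": shun entries on an ASA come either from a manual "shun" command
!   or from the sensor's blocking feature. If the VPN client or the server is listed,
!   clear the entries and re-test:
asa# clear shun
asa# show xlate | include <server-ip>
asa# show conn | include <client-ip>
!   "deny packet - no xlate": the ASA received a packet for which it no longer holds a
!   translation/connection entry, for example traffic for a session it has already torn
!   down. Compare the idle RDP drop against the configured timeouts:
asa# show run timeout
```

    Doing step 3 before step 1 would leave you unable to tell which of the two changes cleared the drops, which is the point made in the comment above; keep the service-policy bypass for the test window only, since it also removes inspection for everything else the class matches.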
