Cisco ASA remote access VPN issues


i have recently deployed remote access VPN services on our Cisco ASA 5510 firewall. it seems that some services are randomly blocked when on vpn, for example, rdp connection to internal server disconnects when left idle for 5 minutes, then you can't even ping the server from the vpn connection.

the ASA device also has an IPS module - AIP SSM20, with up to date signatures. i am not currently able to view the IPS through the ASDM / IDM interface. i am guessing there could be an issue with it. i am able to SSH connect to the management port on the IPS module though, and when i do a show health command - it says that overall health status is red. i am guessing this cannot be good?

i have the ASA and IPS events being logged to a Cisco MARS central syslog server. i have viewed the events sourced from these devices in MARS, and i am seeing many packets being dropped for traffic that should really be permitted - in particular, i see these 2 events - packets shunned, and deny packet - no xlate.

like i said, the events above are occuring on traffic that should be allowed as per the configured security policy on the ASA.

Does anybody know what might be causing this? maybe it is something that needs tuning in the IPS module, but as i said, i can't connect to it at the moment due to some unknown issue. maybe the IPS module needs a reboot?

any help on any of the above or any suggestions would be greatly appreciated.

thanks in advance
Who is Participating?
mrklaxonConnect With a Mentor Commented:
We have the same setup and of course it can work.  Obviously it does appear to be the IPS causing the issue.  You could disconnect it and/or set the ASA to not use it.  The IPS is a plug in module in the ASA but is more or less it's own computer and has it's own IP.  Do you have that?  Do you have a TAC support contract?

From your ASDM on the 5510, go to CONFIGURATION > FIREWALL > SERVICE POLICY RULES and disable the service policy rule that is diverting traffic to the IPS module
L-PlateAuthor Commented:
hi mrklaxon,

thanks for the quick reply. 1st and foremost i think i should reboot the ips module - i can probably do this from ssh connecting to the management ip address on the ips module.

would you recommend that i disable the service policy rule before i do the reboot?
Robert Sutton JrConnect With a Mentor Senior Network ManagerCommented:
If this was up and running and you recently started having this problem, take a look at the following article. Not 100% sure if this pertains to your issue, but since being VPN related on an asa this was part of a recent vulnerability listed by Cisco on 11/6/2011.

If you think a reboot is a fix I would do that first - you don't want 2 fixes applied and then wonder which fixed it.  Removing the IPS config on the ASA is only a temp testing solution and has nothing to do with being able to access its management IF, it's only to verify it's causing the block.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.