Cisco ASA 5510 Anyconnect VPN fails every 36-48 hours
Posted on 2015-01-22
3 weeks ago the SSL certificate on our Cisco ASA 5510 was replaced as it had expired. I did not do the replacement; the systems admin did. We have always used AnyConnect VPN with CSD enabled and there have never been any issues with that. Since the replacement of the certificate, about every 36-48 hours the VPN will fail at the client with the message "Posture assessment failed: Unable to get the available CSD version from the secure gateway" and will not allow any new VPN client connections, but does maintain any of those that are currently logged in. The solution is to do a reload on the primary ASA host and this clears up the issue.
I have already been through Cisco TAC about this and they cannot find anything out of the ordinary that could be causing this. I have done my own research and the only thing close that I found was to add a line
crypto engine large-mod-accel
as the new certificate is of the 2048-bit encryption variety and the previous was 1024. This is a bug according to Cisco release notes (we have 8.4(3) running). I did add that line and restarted both ASAs in the failover pair, but to no avail, as last night at 10pm it happened again. I am at my wit's end and this certainly isn't boding well for my reputation at work; I just started this job 3 months ago.
Is there anyone here that can possibly assist me with this issue or anyone that has experienced this issue before? Disabling CSD/HostScan is not an option either.
Thanks in advance.
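Added example, not part of the original post: a small probe script an admin can run from cron so the next occurrence of the "Unable to get the available CSD version" condition is caught by monitoring rather than by the first user who cannot log in. It reports the key size and expiry of the certificate the gateway actually presents (useful for confirming the 2048-bit replacement took effect on the active unit after a failover) and checks whether the CSD descriptor endpoint still answers. Assumptions: `openssl` and `curl` are installed on the monitoring host; the gateway name `vpn.example.com` is a placeholder; and the path `/CACHE/sdesktop/data.xml` is assumed to be the CSD descriptor AnyConnect fetches, so verify it against your own gateway before relying on it. The embedded sample certificate text is constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not from the original post): probe an ASA AnyConnect gateway
# for the certificate it presents and for the CSD descriptor endpoint.
set -u

GATEWAY="${GATEWAY:-vpn.example.com}"   # placeholder, not the poster's host
PORT="${PORT:-443}"
CSD_PATH="/CACHE/sdesktop/data.xml"      # assumed CSD descriptor path; verify locally

# Constructed sample of `openssl x509 -noout -text` output for offline testing.
SAMPLE_X509='Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2016 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

# Extract the public-key size in bits from `openssl x509 -text` output.
# Prints the integer, or "unknown" if the line is absent.
key_bits_from_x509_text() {
  bits=$(printf '%s\n' "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  printf '%s' "${bits:-unknown}"
}

# Extract the "Not After" expiry string from `openssl x509 -text` output.
not_after_from_x509_text() {
  d=$(printf '%s\n' "$1" | sed -n 's/^ *Not After *: *//p' | head -n1)
  printf '%s' "${d:-unknown}"
}

# The CSD endpoint is considered healthy only on HTTP 200.
csd_status_ok() {
  [ "$1" = "200" ]
}

# Offline demo of the parsers on the constructed sample (no network needed).
parse_demo() {
  echo "sample key bits : $(key_bits_from_x509_text "$SAMPLE_X509")"
  echo "sample not after: $(not_after_from_x509_text "$SAMPLE_X509")"
}

# Live probe: fetch the leaf certificate, report key size and expiry, then
# check that the CSD descriptor is served. Exit 0 = healthy, 1 = CSD failing,
# 2 = could not even complete a TLS handshake.
check_gateway() {
  x509_text=$(openssl s_client -connect "${GATEWAY}:${PORT}" -servername "$GATEWAY" \
      </dev/null 2>/dev/null | openssl x509 -noout -text 2>/dev/null) || {
    echo "CRIT: could not retrieve certificate from ${GATEWAY}:${PORT}"; return 2; }
  echo "key bits : $(key_bits_from_x509_text "$x509_text")"
  echo "not after: $(not_after_from_x509_text "$x509_text")"
  # -k here only because the certificate itself was already inspected above;
  # this step tests reachability of the descriptor, not trust.
  code=$(curl -sk -o /dev/null -w '%{http_code}' "https://${GATEWAY}:${PORT}${CSD_PATH}")
  if csd_status_ok "$code"; then
    echo "OK: CSD endpoint returned 200"; return 0
  else
    echo "CRIT: CSD endpoint returned HTTP ${code}; new AnyConnect logins will likely fail"; return 1
  fi
}

# Set RUN_PROBE=1 to perform the live check; otherwise only the offline demo runs.
if [ "${RUN_PROBE:-0}" = "1" ]; then
  check_gateway
else
  parse_demo
fi
```

Run it as `RUN_PROBE=1 GATEWAY=your.gateway ./probe.sh` from cron and alert on a non-zero exit; correlating the first CRIT timestamp with the ASA logs narrows the 36-48 hour window to a specific event instead of "sometime overnight".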