Solved

Cisco ASA 5510 Anyconnect VPN fails every 36-48 hours

Posted on 2015-01-22
3
1,095 Views
Last Modified: 2015-02-11
3 weeks ago the SSL Certificate on our Cisco ASA 5510 was replaced as it had expired.  I did not do the replacement, the system's admin did.  We have always used AnyConnect VPN with CSD enabled and there have never been any issues with that.  Since the replacement of the certificate, about every 36-48 hours the vpn will fail at the client with the message " Posture assessment failed: "Unable to get the available CSD version from the secure gateway" and will not allow any new vpn client connections but does maintain any of those that are currently logged in.  The solution is to do a reload on the primary asa host and this clears up the issue.  

I have already been through Cisco TAC about this and they cannot find anything out of the ordinary that could be causing this.  I have done my own research and the only thing close that I found was to add a line

crypto engine large-mod-accel

as the new certificate is of the 2048 encryption variety and the previous was 1024.  This is a bug according to Cisco release notes (we have 8.4(3) running.  I did add that line and restarted both ASA in the failover pair, but to no avail as last night at 10pm it happened again.  I am at my wits end and this certainly isn't boding well for my reputation at work, I just started this job 3 months ago.

Is there anyone here that can possibly assist me with this issue or anyone that has experienced this issue before?  Disabling CSD/HostScan is not an option either.

Thanks in advance.
0
Comment
Question by:Timothy Kashin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 40572737
Well, first I'd start beating up on TAC, and ask for them to escalate the issue.  Don't let them off the phone until the problem is resolved.  Start at 8:00 AM and just work through the day.

Honestly, your employer shouldn't expect you to be more knowledgeable about a product than the actual vendor.

Another work around would be to try installing a different certificate with 1024-bit encryption.  

Another option would be to upgrade the OS version on the ASA.
0
 
LVL 3

Author Comment

by:Timothy Kashin
ID: 40603729
Thanks for the reply.  The TAC seems to have no idea how to solve the problem.  The certificate change didn't make a difference, I already tried that route and we are at the highest version available for the ASA5510.  I'll keep working on it until we find that resolution or replace the device with a Palo Alto next year.
0
 
LVL 3

Author Closing Comment

by:Timothy Kashin
ID: 40603731
Apparently this is not a common issue, but it seems to be since it's happening on both of our production ASA devices.  I have even tried to completely reload the ASA back to before the original cert change to resolve this issue to no avail.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question