RE: OT: Remote Access VPN 8.4(2)+

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 26 Mar 2012 09:57:19 +0000

Alexei,

I know you've taken heat before for running interim releases, but Cisco
recommends it in their PSIRT... can't win =/ Running old 8.0 main release was
a disaster for VPN stability.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

-ryan

From: Alexei Monastyrnyi [mailto:alexeim73_at_gmail.com]
Sent: Monday, March 26, 2012 5:49 AM
To: Ryan West
Cc: Jay McMickle; CCIE Lab
Subject: Re: OT: Remote Access VPN 8.4(2)+

seems like it is not on the list of resolved caveats... so you may have to
wait

no wonder it is sev1, a VERY popular design :-)
Revision: Version 8.4.3(8) - 03/01/2012
Files: asa843-8-k8.bin, asa843-8-smp-k8.bin
Defects resolved since 8.4.3:
CSCsv94848<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsv94848&Submit=Search>
Warning message for, "igmp static-group" - affective should be effective

CSCsz04730<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsz04730&Submit=Search>
PIX/ASA: When route changes connections over IPSEC tunnel not torn down

CSCtj45148<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtj45148&Submit=Search>
ASA 8.3 upgrade traceback in thread pix_flash_config_thread

CSCtj79795<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtj79795&Submit=Search>
WebVPN:flv file within the Flowplayer object is not played over webvpn

CSCtk97719<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtk97719&Submit=Search>
WebVPN & ASDM doesn't work on Chrome with AES & 3DES ciphers

CSCto34765<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCto34765&Submit=Search>
ASA may traceback in Thread Name: DATAPATH-1-1235 (ipsecvpn-crypto)

CSCto88412<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCto88412&Submit=Search>
Radius Proxy to SDI - AnyConnect prompts for next PASSCODE but shouldn't

CSCtq15197<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtq15197&Submit=Search>
WebVPN:flv file within the Flowplayer object is not mangled correctly

CSCtq88111<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtq88111&Submit=Search>
object group not cleared when used for pat pool

CSCtr31788<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr31788&Submit=Search>
Standby ASA generates syslog 210005 while transmitting data on FTP

CSCtr38739<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr38739&Submit=Search>
Link outage in Etherchannel causes interface down and failover

CSCtr44930<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr44930&Submit=Search>
Nested obj does not work if contained in src and dst of ACL

CSCts10661<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts10661&Submit=Search>
SSM-4GE doesn't handle unicast packets after "hw-module module 1 reset"

CSCts18480<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts18480&Submit=Search>
ASA IKEv1 Traceback in vpnfol_thread_msg ike_fo_create_new_sa on Standby

CSCts42362<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts42362&Submit=Search>
Message from ASA is not displayed about password complexity requirements

CSCts98806<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts98806&Submit=Search>
Standby ASA 5585 Reporting Service Card Failure on Signature Update

CSCtt03492<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt03492&Submit=Search>
ASA should not send data in the 3rd message of TCP 3WHS w/ LDAP over SSL

CSCtt13455<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt13455&Submit=Search>
netflow: template only send once with default timeout-rate

CSCtt45090<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt45090&Submit=Search>
ASA5505: Primary active unit crash due to mismatched host-limit license

CSCtt47502<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt47502&Submit=Search>
show vpn-sessiondb does not show LZS compression stats for Anyconnect

CSCtt74695<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt74695&Submit=Search>
wrong vpn-filter gets applied when peers have overlapping address space

CSCtt96526<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt96526&Submit=Search>
SharePoint2010:Cannot create new document

CSCtt98991<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt98991&Submit=Search>
ASA: Decrypted VPN packets dropped due to bad-tcp-cksum when using NAT-T

CSCtu00961<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu00961&Submit=Search>
Some specific flash file doesn't work through WebVPN on ASA

CSCtu03117<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu03117&Submit=Search>
npshim: Shared License Registration Fails w/ Empty TP applied to Int

CSCtu04723<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu04723&Submit=Search>
vpnclient mac-exempt cmd inconsistent when adding more than 16 entries

CSCtu04754<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu04754&Submit=Search>
ASA may traceback citing Thread Name: qos_metric_daemon as culprit

CSCtu10620<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu10620&Submit=Search>
WebVPN:flv file within the Flowplayer object is not played over webvpn

CSCtu14396<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu14396&Submit=Search>
ASA has stale ASP classification entries for Anyconnect tunnels

CSCtu21128<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu21128&Submit=Search>
cannot pass "=" sign within the value of a parameter for the SSH plugin

CSCtu26615<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu26615&Submit=Search>
Clientless VPN paging application failure

CSCtu27846<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu27846&Submit=Search>
Backup Shared license server remains ACTIVE even when the Master is up

CSCtu30581<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu30581&Submit=Search>
ASA 5580 traceback when CSM attempts deployment

CSCtu39200<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu39200&Submit=Search>
ASA traceback in emweb/https while bringing up many webvpn sessions

CSCtu42772<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu42772&Submit=Search>
ASA webvpn doesn't rewrite some redirect messages properly

CSCtu57453<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu57453&Submit=Search>
ASA: Traceback after removing 'ip address dhcp setroute' with DDNS

CSCtv19046<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtv19046&Submit=Search>
DACL is not applied to AC when connection via the webportal

CSCtv19854<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtv19854&Submit=Search>
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user

CSCtw45576<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw45576&Submit=Search>
TCP sequence space check ignored in some cases

CSCtw45723<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw45723&Submit=Search>
WebVPN: CIFS: Incorrect MIME type for PDF files - iPad/iPhone

CSCtw50362<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw50362&Submit=Search>
ASA - Failover message may be lost during transition to active state

CSCtw52591<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw52591&Submit=Search>
Environmental SNMP Traps Are Not Available on ASA5585 SSP-40

CSCtw52716<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw52716&Submit=Search>
ASA5585 show inventory not updated

CSCtw55462<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw55462&Submit=Search>
Traceback: assert failure on thread radius_snd

CSCtw56707<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw56707&Submit=Search>
%ASA-3-201011: Connection limit exceeded when not hitting value

CSCtw56859<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw56859&Submit=Search>
Natted traffic not getting encrypted after reconfiguring the crypto ACL

CSCtw58640<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58640&Submit=Search>
When ASA sends a username with a "\", WSA logs errors.

CSCtw58682<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58682&Submit=Search>
SSLVPN Portal uses incorrect DNS Group after failover

CSCtw58945<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58945&Submit=Search>
L2TP over IPSec connections fail with ldap authorization and mschapv2

CSCtw59562<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw59562&Submit=Search>
ACL Hashes calculated during config migration are wrong

CSCtw60220<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw60220&Submit=Search>
Port Address Translation (PAT) causes higher CPU after upgrade

CSCtw63996<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw63996&Submit=Search>
Page fault traceback with thread name "pix_flash_config_thread".

CSCtw71420<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw71420&Submit=Search>
ASA 5585-X does not provide aggregate system CPU load value via SNMP

CSCtw75613<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw75613&Submit=Search>
ASA: Traceback in Unicorn Admin Handler when making DAP changes via ASDM

CSCtw78059<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw78059&Submit=Search>
print warning if interface in logging host cmd conflicts with routes

CSCtw78415<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw78415&Submit=Search>
ASA may reload with traceback in Dispatch Unit related to WAAS inspect

CSCtw84007<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw84007&Submit=Search>
ASA does not recognize IPv6 VPN filter access-list for AnyConnect client

CSCtw84087<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw84087&Submit=Search>
IKEv2: ASA does not re-establish more than one SA after disconnect

CSCtw89522<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw89522&Submit=Search>
Cut-through proxy - users unable to log in

CSCtw90179<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw90179&Submit=Search>
ASA:In a rare corner case ASA may crash while modifying FQDN object/acl

CSCtw93059<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw93059&Submit=Search>
Page fault traceback in crypto_lib_keypair_show_mypubkey_all

CSCtw95487<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw95487&Submit=Search>
ASA mem leak w/EZVPN when Subject DN has Multiple C,O,OU,CN fields.

CSCtx01251<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx01251&Submit=Search>
ASA: May traceback in DATAPATH during capture

CSCtx03464<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx03464&Submit=Search>
Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit

CSCtx08182<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08182&Submit=Search>
Nas-Port attribute different for authentication and accounting

CSCtx08346<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08346&Submit=Search>
tunnel-group-preference not respected for AnyConnect 3.0 aggregate_auth

CSCtx08354<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08354&Submit=Search>
Traceback when memory low and memory profile enabled

CSCtx10196<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx10196&Submit=Search>
Webvpn : Javascript rewrite causing login button to be inactive

CSCtx11578<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx11578&Submit=Search>
ASA does not start DPD when phase 1 up but phase 2 down

CSCtx16166<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx16166&Submit=Search>
ASA may not log syslogs 611101, 605005 for asdm sessions to certain int

CSCtx25170<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx25170&Submit=Search>
Configuring a network object with an invalid range causes traceback

CSCtx25910<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx25910&Submit=Search>
class-map doesn't work after replacing ACL

CSCtx28628<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx28628&Submit=Search>
Clientless - VLAN assign't under group-policy breaks tunneled dflt route

CSCtx32455<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx32455&Submit=Search>
SunRpc: Change from dynamic ACL to pin-hole mechanism

CSCtx33347<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx33347&Submit=Search>
Standby ASA traceback while trying to replicate xlates

CSCtx36026<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx36026&Submit=Search>
VPN session failure due to auth handle depletion

CSCtx38644<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx38644&Submit=Search>
Webvpn: Can't copy & paste in web portal with IE8 and IE9

CSCtx42643<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx42643&Submit=Search>
Received unexpected event EV_REMOVE in state AM_WAIT_DELETE

CSCtx42746<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx42746&Submit=Search>
cut through proxy authentication vulnerability

CSCtx57829<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx57829&Submit=Search>
Syslog 324001 Reason string is missing

CSCtx58556<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx58556&Submit=Search>
ActiveX RDP Plugin fails to connect from WIn7 PC after upgrade to 8.4(3)

CSCtx62037<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx62037&Submit=Search>
"X-CSTP-Tunnel-All-DNS" not properly set in SMP images for split-dns

CSCtx65353<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx65353&Submit=Search>
ASA: 8.4 Page fault traceback while displaying "sh run threat-detection"

CSCtx69008<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69008&Submit=Search>
ASA: Page Fault traceback in ssh thread when changing IKEv2 config

CSCtx69018<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69018&Submit=Search>
MSFT KB2585542 breaks cut-thru proxy and IUA

CSCtx69059<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69059&Submit=Search>
Traceback in Unicorn Proxy Thread under heavy WebVPN load

CSCtx69498<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69498&Submit=Search>
Traceback when Converting ACL Remarks of 100 Characters

CSCty11414<http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCty11414&Submit=Search>
ASA Crashes or Simply Reloads With Signal 11 in Unicorn Proxy Thread

On 3/26/2012 7:09 PM, Ryan West wrote:

Thanks for looking, up for a maint window and look what I find from the bug
feed:

Bug Id: CSCty32412

Headline: ASA: Anyconnect u-turn to ipsec tunnel fails after upgrade to
8.4.3.1

Description:
Symptom: ASA after an upgrade to 8.4.3.1 or later, anyconnect traffic that will u-turn (hairpin) to an ipsec lan to lan tunnel is dropped. The show asp drop shows the following reason: Expired VPN context (vpn-context-expired). No log message is generated for the drops.
Conditions: Anyconnect client u-turns into an ipsec lan to lan tunnel.
Workaround: 1) downgrade to 8.4.3 2) Use ipsec vpn client as a temporary workaround

Status: Assigned

Last Modified date: 2012-03-25 18:09:13.0

Url: https://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty32412

Listed as a sev1.

-ryan

-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Sunday, March 25, 2012 4:56 PM
To: Ryan West
Cc: CCIE Lab
Subject: Re: OT: Remote Access VPN 8.4(2)+

I'm not in front of an ASA, but I don't believe you need the out,out nat.
That's mainly for DNS rewrite.

Have you applied "permit same-security traffic intra"? If the hairpin VPN was
working prior to the upgrade, I doubt it's that. Next, I thought of proxy-arp,
but you mentioned that's been done. The only other item could be your 8.4
equivalent of no-nat.

What does your nat statement look like for the VPN subnets?

Regards,

Jay McMickle- CCNP,CCSP,CCDP

Sent from iJay

On Mar 25, 2012, at 2:10 PM, Ryan West <rwest_at_zyedge.com> wrote:

Before I go the TAC route, I'm wondering if anyone has come across this one.
I was running 8.4(1)11 and had fully migrated all NAT rules to working 8.3+
versions. After the upgrade to 8.4(3), I ran into issues with proxy-arp, which
have been solved. Remote access VPNs with destinations across site to site
tunnels is where I'm stuck. A twice nat (outside,outside) makes sense to me,
but does not work. The previous method of no nat that translates into a twice
nat is also failing.

Has anyone come across this type of config and can post a sanitized snippet
for the twice nat?

For illustration, let's say my ip local pool is 10.1.1.0/24 and the fw has a
site to site tunnel to 10.1.2.0/24. Assume that I have same-security permit
intra-interface already configured as well. I'll post configs later.

Thanks!

-ryan

Sent from handheld
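For readers landing on this thread with the same question, here is the 8.3+ form of the NAT exemption that Jay asks about, written as an added example using the pool and remote subnet Ryan gives for illustration. It is not a configuration posted by anyone in the thread nor taken from Cisco documentation; the object and ACL names are assumptions. It also lists the drop-reason check that the CSCty32412 description above relies on, since in Ryan's case the NAT turned out not to be the problem.

```cisco
! Added example, not from the thread. Object/ACL names are assumptions;
! 10.1.1.0/24 (RA pool) and 10.1.2.0/24 (L2L remote LAN) are Ryan's
! illustration values.
object network RA_POOL
 subnet 10.1.1.0 255.255.255.0
object network L2L_REMOTE
 subnet 10.1.2.0 255.255.255.0

! Required for a hairpin: traffic enters and leaves the same interface.
same-security-traffic permit intra-interface

! 8.3+ replacement for the pre-8.3 "nat 0 access-list" exemption: an
! identity twice NAT so the client's pool address is preserved toward the
! L2L peer. Manual NAT is evaluated before any object (auto) NAT / PAT,
! so a broad outbound PAT cannot swallow the VPN-to-VPN flow.
! no-proxy-arp and route-lookup (8.4(2)+) are optional hardening that
! avoids the proxy-ARP side effects Ryan mentioned.
nat (outside,outside) source static RA_POOL RA_POOL destination static L2L_REMOTE L2L_REMOTE no-proxy-arp route-lookup

! The site-to-site crypto ACL must also select pool-to-remote traffic,
! or the hairpinned packets are never encrypted into the L2L tunnel.
access-list L2L_CRYPTO extended permit ip object RA_POOL object L2L_REMOTE
! (attach with: crypto map <MAP-NAME> <SEQ> match address L2L_CRYPTO)

! Checks once a client is connected and sending to 10.1.2.0/24:
!   show nat detail                       - translate_hits on the rule above
!   show crypto ipsec sa peer <PEER-IP>   - encaps counters should increase
!   show asp drop | include vpn-context   - "vpn-context-expired" with a
!       correct NAT points at CSCty32412 rather than at the config
```

If the rule shows hits and the IPsec SA encapsulates packets, the NAT and crypto selection are fine; if `show asp drop` still reports `vpn-context-expired` silently, the thread's own conclusion applies and the fix is the workaround in the bug note, not more NAT changes.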

Blogs and organic groups at http://www.ccie.net
Received on Mon Mar 26 2012 - 09:57:19 ART

This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART