Re: OT: Remote Access VPN 8.4(2)+

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Mon, 26 Mar 2012 21:20:44 +1100

yeah, we had some issues with, I reckon, some of the 7.x interims;
8.2 was/is quite stable, wasn't it?

On 3/26/2012 8:57 PM, Ryan West wrote:
>
> Alexei,
>
> I know you've taken heat before for running interim releases, but
> Cisco recommends it in their PSIRT... can't win =/ Running old 8.0
> main release was a disaster for VPN stability.
>
> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa
>
> -ryan
>
> *From:* Alexei Monastyrnyi [mailto:alexeim73_at_gmail.com]
> *Sent:* Monday, March 26, 2012 5:49 AM
> *To:* Ryan West
> *Cc:* Jay McMickle; CCIE Lab
> *Subject:* Re: OT: Remote Access VPN 8.4(2)+
>
> seems like it is not on the list of resolved caveats... so you may
> have to wait
>
> no wonder it is sev1, a VERY popular design :-)
>
> Revision: Version 8.4.3(8) -- 03/01/2012
>
> Files: asa843-8-k8.bin, asa843-8-smp-k8.bin
>
> Defects resolved since 8.4.3:
>
> CSCsv94848 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsv94848&Submit=Search>
> Warning message for, "igmp static-group" - affective should be effective
>
> CSCsz04730 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsz04730&Submit=Search>
> PIX/ASA: When route changes connections over IPSEC tunnel not torn down
>
> CSCtj45148 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtj45148&Submit=Search>
> ASA 8.3 upgrade traceback in thread pix_flash_config_thread
>
> CSCtj79795 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtj79795&Submit=Search>
> WebVPN:flv file within the Flowplayer object is not played over webvpn
>
> CSCtk97719 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtk97719&Submit=Search>
> WebVPN & ASDM doesn't work on Chrome with AES & 3DES ciphers
>
> CSCto34765 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCto34765&Submit=Search>
> ASA may traceback in Thread Name: DATAPATH-1-1235 (ipsecvpn-crypto)
>
> CSCto88412 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCto88412&Submit=Search>
> Radius Proxy to SDI - AnyConnect prompts for next PASSCODE but shouldn't
>
> CSCtq15197 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtq15197&Submit=Search>
> WebVPN:flv file within the Flowplayer object is not mangled correctly
>
> CSCtq88111 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtq88111&Submit=Search>
> object group not cleared when used for pat pool
>
> CSCtr31788 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr31788&Submit=Search>
> Standby ASA generates syslog 210005 while transmitting data on FTP
>
> CSCtr38739 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr38739&Submit=Search>
> Link outage in Etherchannel causes interface down and failover
>
> CSCtr44930 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr44930&Submit=Search>
> Nested obj does not work if contained in src and dst of ACL
>
> CSCts10661 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts10661&Submit=Search>
> SSM-4GE doesn't handle unicast packets after "hw-module module 1 reset"
>
> CSCts18480 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts18480&Submit=Search>
> ASA IKEv1 Traceback in vpnfol_thread_msg ike_fo_create_new_sa on Standby
>
> CSCts42362 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts42362&Submit=Search>
> Message from ASA is not displayed about password complexity requirements
>
> CSCts98806 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts98806&Submit=Search>
> Standby ASA 5585 Reporting Service Card Failure on Signature Update
>
> CSCtt03492 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt03492&Submit=Search>
> ASA should not send data in the 3rd message of TCP 3WHS w/ LDAP over SSL
>
> CSCtt13455 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt13455&Submit=Search>
> netflow: template only send once with default timeout-rate
>
> CSCtt45090 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt45090&Submit=Search>
> ASA5505: Primary active unit crash due to mismatched host-limit license
>
> CSCtt47502 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt47502&Submit=Search>
> show vpn-sessiondb does not show LZS compression stats for Anyconnect
>
> CSCtt74695 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt74695&Submit=Search>
> wrong vpn-filter gets applied when peers have overlapping address space
>
> CSCtt96526 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt96526&Submit=Search>
> SharePoint2010:Cannot create new document
>
> CSCtt98991 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt98991&Submit=Search>
> ASA: Decrypted VPN packets dropped due to bad-tcp-cksum when using NAT-T
>
> CSCtu00961 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu00961&Submit=Search>
> Some specific flash file doesn't work through WebVPN on ASA
>
> CSCtu03117 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu03117&Submit=Search>
> npshim: Shared License Registration Fails w/ Empty TP applied to Int
>
> CSCtu04723 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu04723&Submit=Search>
> vpnclient mac-exempt cmd inconsistent when adding more than 16 entries
>
> CSCtu04754 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu04754&Submit=Search>
> ASA may traceback citing Thread Name: qos_metric_daemon as culprit
>
> CSCtu10620 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu10620&Submit=Search>
> WebVPN:flv file within the Flowplayer object is not played over webvpn
>
> CSCtu14396 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu14396&Submit=Search>
> ASA has stale ASP classification entries for Anyconnect tunnels
>
> CSCtu21128 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu21128&Submit=Search>
> cannot pass "=" sign within the value of a parameter for the SSH plugin
>
> CSCtu26615 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu26615&Submit=Search>
> Clientless VPN paging application failure
>
> CSCtu27846 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu27846&Submit=Search>
> Backup Shared license server remains ACTIVE even when the Master is up
>
> CSCtu30581 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu30581&Submit=Search>
> ASA 5580 traceback when CSM attempts deployment
>
> CSCtu39200 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu39200&Submit=Search>
> ASA traceback in emweb/https while bringing up many webvpn sessions
>
> CSCtu42772 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu42772&Submit=Search>
> ASA webvpn doesn't rewrite some redirect messages properly
>
> CSCtu57453 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu57453&Submit=Search>
> ASA: Traceback after removing 'ip address dhcp setroute' with DDNS
>
> CSCtv19046 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtv19046&Submit=Search>
> DACL is not applied to AC when connection via the webportal
>
> CSCtv19854 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtv19854&Submit=Search>
> Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user
>
> CSCtw45576 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw45576&Submit=Search>
> TCP sequence space check ignored in some cases
>
> CSCtw45723 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw45723&Submit=Search>
> WebVPN: CIFS: Incorrect MIME type for PDF files - iPad/iPhone
>
> CSCtw50362 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw50362&Submit=Search>
> ASA - Failover message may be lost during transition to active state
>
> CSCtw52591 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw52591&Submit=Search>
> Environmental SNMP Traps Are Not Available on ASA5585 SSP-40
>
> CSCtw52716 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw52716&Submit=Search>
> ASA5585 show inventory not updated
>
> CSCtw55462 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw55462&Submit=Search>
> Traceback: assert failure on thread radius_snd
>
> CSCtw56707 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw56707&Submit=Search>
> %ASA-3-201011: Connection limit exceeded when not hitting value
>
> CSCtw56859 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw56859&Submit=Search>
> Natted traffic not getting encrypted after reconfiguring the crypto ACL
>
> CSCtw58640 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58640&Submit=Search>
> When ASA sends a username with a "\", WSA logs errors.
>
> CSCtw58682 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58682&Submit=Search>
> SSLVPN Portal uses incorrect DNS Group after failover
>
> CSCtw58945 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58945&Submit=Search>
> L2TP over IPSec connections fail with ldap authorization and mschapv2
>
> CSCtw59562 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw59562&Submit=Search>
> ACL Hashes calculated during config migration are wrong
>
> CSCtw60220 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw60220&Submit=Search>
> Port Address Translation (PAT) causes higher CPU after upgrade
>
> CSCtw63996 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw63996&Submit=Search>
> Page fault traceback with thread name "pix_flash_config_thread".
>
> CSCtw71420 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw71420&Submit=Search>
> ASA 5585-X does not provide aggregate system CPU load value via SNMP
>
> CSCtw75613 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw75613&Submit=Search>
> ASA: Traceback in Unicorn Admin Handler when making DAP changes via ASDM
>
> CSCtw78059 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw78059&Submit=Search>
> print warning if interface in logging host cmd conflicts with routes
>
> CSCtw78415 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw78415&Submit=Search>
> ASA may reload with traceback in Dispatch Unit related to WAAS inspect
>
> CSCtw84007 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw84007&Submit=Search>
> ASA does not recognize IPv6 VPN filter access-list for AnyConnect client
>
> CSCtw84087 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw84087&Submit=Search>
> IKEv2: ASA does not re-establish more than one SA after disconnect
>
> CSCtw89522 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw89522&Submit=Search>
> Cut-through proxy - users unable to log in
>
> CSCtw90179 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw90179&Submit=Search>
> ASA:In a rare corner case ASA may crash while modifying FQDN object/acl
>
> CSCtw93059 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw93059&Submit=Search>
> Page fault traceback in crypto_lib_keypair_show_mypubkey_all
>
> CSCtw95487 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw95487&Submit=Search>
> ASA mem leak w/EZVPN when Subject DN has Multiple C,O,OU,CN fields.
>
> CSCtx01251 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx01251&Submit=Search>
> ASA: May traceback in DATAPATH during capture
>
> CSCtx03464 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx03464&Submit=Search>
> Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit
>
> CSCtx08182 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08182&Submit=Search>
> Nas-Port attribute different for authentication and accounting
>
> CSCtx08346 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08346&Submit=Search>
> tunnel-group-preference not respected for AnyConnect 3.0 aggregate_auth
>
> CSCtx08354 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08354&Submit=Search>
> Traceback when memory low and memory profile enabled
>
> CSCtx10196 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx10196&Submit=Search>
> Webvpn : Javascript rewrite causing login button to be inactive
>
> CSCtx11578 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx11578&Submit=Search>
> ASA does not start DPD when phase 1 up but phase 2 down
>
> CSCtx16166 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx16166&Submit=Search>
> ASA may not log syslogs 611101, 605005 for asdm sessions to certain int
>
> CSCtx25170 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx25170&Submit=Search>
> Configuring a network object with an invalid range causes traceback
>
> CSCtx25910 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx25910&Submit=Search>
> class-map doesn't work after replacing ACL
>
> CSCtx28628 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx28628&Submit=Search>
> Clientless - VLAN assign't under group-policy breaks tunneled dflt route
>
> CSCtx32455 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx32455&Submit=Search>
> SunRpc: Change from dynamic ACL to pin-hole mechanism
>
> CSCtx33347 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx33347&Submit=Search>
> Standby ASA traceback while trying to replicate xlates
>
> CSCtx36026 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx36026&Submit=Search>
> VPN session failure due to auth handle depletion
>
> CSCtx38644 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx38644&Submit=Search>
> Webvpn: Can't copy & paste in web portal with IE8 and IE9
>
> CSCtx42643 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx42643&Submit=Search>
> Received unexpected event EV_REMOVE in state AM_WAIT_DELETE
>
> CSCtx42746 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx42746&Submit=Search>
> cut through proxy authentication vulnerability
>
> CSCtx57829 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx57829&Submit=Search>
> Syslog 324001 Reason string is missing
>
> CSCtx58556 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx58556&Submit=Search>
> ActiveX RDP Plugin fails to connect from WIn7 PC after upgrade to 8.4(3)
>
> CSCtx62037 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx62037&Submit=Search>
> "X-CSTP-Tunnel-All-DNS" not properly set in SMP images for split-dns
>
> CSCtx65353 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx65353&Submit=Search>
> ASA: 8.4 Page fault traceback while displaying "sh run threat-detection"
>
> CSCtx69008 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69008&Submit=Search>
> ASA: Page Fault traceback in ssh thread when changing IKEv2 config
>
> CSCtx69018 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69018&Submit=Search>
> MSFT KB2585542 breaks cut-thru proxy and IUA
>
> CSCtx69059 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69059&Submit=Search>
> Traceback in Unicorn Proxy Thread under heavy WebVPN load
>
> CSCtx69498 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69498&Submit=Search>
> Traceback when Converting ACL Remarks of 100 Characters
>
> CSCty11414 <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCty11414&Submit=Search>
> ASA Crashes or Simply Reloads With Signal 11 in Unicorn Proxy Thread
>
>
>
> On 3/26/2012 7:09 PM, Ryan West wrote:
>
> Thanks for looking, up for a maint window and look what I find from the bug feed:
>
> Bug Id: CSCty32412
> Headline: ASA: Anyconnect u-turn to ipsec tunnel fails after upgrade to 8.4.3.1
> Description:
> Symptom: ASA after a upgrade to 8.4.3.1 or later, anyconnect traffic that will uturn (hairpin) to a ipsec lan to lan tunnel is dropped. The show asp drop shows the following reason: Expired VPN context (vpn-context-expired). No log message is generated for the drops.
> Conditions: Anyconnect client uturns into a ipsec lan to lan tunnel.
> Workaround: 1) downgrade to 8.4.3 2) Use ipsec vpn client as a temporary workaround
> Status: Assigned
> Last Modified date: 2012-03-25 18:09:13.0
> Url: https://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty32412
>
> Listed as a sev1.
>
> -ryan
>
> -----Original Message-----
> From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
> Sent: Sunday, March 25, 2012 4:56 PM
> To: Ryan West
> Cc: CCIE Lab
> Subject: Re: OT: Remote Access VPN 8.4(2)+
>
> I'm not in front of an ASA, but I don't believe you need the out,out nat. That's mainly for DNS rewrite.
>
> Have you applied "permit same-security traffic intra"? If the hairpin VPN was working prior to the upgrade, I doubt it's that. Next, I thought of proxy-arp, but you mentioned that's been done. The only other item could be your 8.4 equivalent of no-nat.
>
> What does your nat statement look like for the VPN subnets?
>
> Regards,
> Jay McMickle- CCNP,CCSP,CCDP
> Sent from iJay
>
> On Mar 25, 2012, at 2:10 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>
> Before I go the TAC route, I'm wondering if anyone has come across this one. I was running 8.4(1)11 and had fully migrated all NAT rules to working 8.3+ versions. After the upgrade to 8.4(3), I ran into issues with proxy-arp, which have been solved. Remote access VPNs with destinations across site to site tunnels is where I'm stuck. A twice nat (outside,outside) makes sense to me, but does not work. The previous method of no nat that translates into a twice nat is also failing.
>
>
>
> Has anyone come across this type of config and can post a sanitized snippet for the twice nat?
>
>
>
> For illustration, let's say my ip local pool is 10.1.1.0/24 and the fw has a site to site tunnel to 10.1.2.0/24. Assume that I have same-security permit intra-interface already configured as well. I'll post configs later.
>
>
>
> Thanks!
>
>
>
> -ryan
>
>
>
> Sent from handheld
>
>
>
>
>
> Blogs and organic groups at http://www.ccie.net
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
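The twice NAT that Ryan asks for above, written out as an added example (not a snippet posted by anyone in this thread), using his 10.1.1.0/24 AnyConnect pool and 10.1.2.0/24 site-to-site subnet together with Jay's two pointers: the intra-interface permit and the 8.3+ replacement for the old no-nat exemption. The object, pool and ACL names and the interface name `outside` are assumptions; the rest of the L2L configuration (crypto map, tunnel-group) is taken as already present.

```cisco
! Added example config, not from the thread. Names RA_POOL, RA_POOL_NET,
! SITE_B_LAN, L2L_SITE_B and the interface name "outside" are assumptions.

! Hairpinned traffic enters and leaves the same interface (outside), so the
! ASA must be told explicitly that this is allowed.
same-security-traffic permit intra-interface

! Address pool handed to AnyConnect clients (10.1.1.0/24 from the thread).
ip local pool RA_POOL 10.1.1.1-10.1.1.254 mask 255.255.255.0

object network RA_POOL_NET
 subnet 10.1.1.0 255.255.255.0
object network SITE_B_LAN
 subnet 10.1.2.0 255.255.255.0

! 8.3+ form of the old "nat 0" exemption: an identity twice NAT from outside
! back to outside, so pool addresses are carried unchanged into the L2L tunnel.
! no-proxy-arp stops the ASA answering ARP for the (unchanged) pool addresses;
! route-lookup makes it forward on the real destination, not the mapped one.
nat (outside,outside) source static RA_POOL_NET RA_POOL_NET destination static SITE_B_LAN SITE_B_LAN no-proxy-arp route-lookup

! The pool must also be in the site-to-site crypto ACL (alongside the existing
! inside-LAN entries), or the hairpinned packets never match the L2L SA.
access-list L2L_SITE_B extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
```

Ordering matters in 8.3+ NAT: this rule must sit in section 1 ahead of any broader dynamic PAT for the pool, which `show nat detail` will confirm. `packet-tracer input outside icmp 10.1.1.10 8 0 10.1.2.10 detailed` then shows whether the packet hits the identity rule and the crypto map. If the NAT and crypto ACL both look right and traffic still disappears, check `show asp drop` for `vpn-context-expired` counters: as the CSCty32412 record quoted above notes, that drop on 8.4.3.1 and later produces no syslog, so it will not appear in the logging buffer.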

Received on Mon Mar 26 2012 - 21:20:44 ART

This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART