Adaptive Security Appliance (ASA) Hot Issues


  1. DAP_ERROR:...dap_add_csd_data_to_lua: Unable to load Host Scan data: (Fixed, CSCth56065)
     Symptom: The following DAP error is seen in the "debug dap trace" and "debug dap errors" output on the ASA when connecting from a client PC using DAP:
       ---snip---
       DAP_ERROR: Username: , dap_add_csd_data_to_lua: Unable to load Host Scan data: [string "dapxlate_lua"]:559: bad argument #1 to `find' (string expected, got nil)
       DAP_ERROR: Username: , ERROR selecting DAP records
       DAP_TRACE: Username: , Action set to terminate
       DAP_TRACE: Username: , DAP_close:
       ---snip---
     The AnyConnect client presents an error like the following:
       ---snip---
       Login denied. Your environment does not meet the access criteria defined by your system administrator
       ---snip---
     Conditions: This appears to have been introduced in ASA version 8.2.2.19. ASA version 8.0.5.19 is not affected. ASA version 8.3.1.9 might be affected as well. There must be DAP policies defined on the ASA.
     Workaround: There is no workaround at this time.
  2. IPsec: Outbound context may be deleted prematurely (Fixed, CSCtd36473)
     Symptom: Outbound encryption traffic in an IPsec tunnel may fail, even if inbound decryption traffic is working.
     Conditions: This issue has been observed on an IPsec connection after multiple rekeys, but the trigger condition is not clear. The presence of this issue can be established by checking the output of "show asp drop" and verifying that the Expired VPN context counter is increasing for each outbound packet sent.
     Workaround: None.
  3. Duplicate ASP crypto table entry causes firewall to not encrypt traffic (Fixed, CSCtb53186)
     Symptom: When testing 100 site-to-site VPN connections on an ASA running 8.2.1, one or two tunnels would not encrypt traffic. The connections were established and dropped multiple times before this issue was seen.
     Conditions: "sho asp table vpn-context detail" shows duplicate crypto table entries: two current and one left over from the previous connection. This is what causes the traffic not to be encrypted.
     Workaround: Either (1) reload the ASA, or (2) upgrade to a release that contains the fix for both CSCtb53186 and CSCtd36473. CSCtd36473 is a defect with a very similar symptom but a different root cause.
  4. ASA upgrade to 8.3(2) adds unidirectional keyword to manual nat lines (Open, CSCti36048)
     Symptom: When upgrading an ASA from a pre-8.3 version to version 8.3(2), policy NAT statements are migrated to the new NAT configuration style. Upgrading to version 8.3(2) adds the 'unidirectional' keyword to the migrated manual NAT entries. Some traffic matching these manual NAT translations might fail and produce the syslog "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows". In most cases the 'unidirectional' keyword is not necessary and can be removed to resolve the problem.
     Conditions: An upgrade must be performed from a pre-8.3 ASA version to version 8.3(2). The pre-8.3 configuration must include policy NAT rules such as the following:
       ----------------------
       access-list nonatinside extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
       nat (inside) 0 access-list nonatinside
       ----------------------
     Post-migration this NAT statement will look like this:
       ----------------------
       object obj-10.10.0.0
        subnet 10.10.0.0 255.255.0.0
       object obj-192.168.1.0
        subnet 192.168.1.0 255.255.255.0
       nat (inside,any) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-192.168.1.0 obj-192.168.1.0 unidirectional
       ----------------------
     Traffic arriving inbound from the outside that matches this configuration might fail and generate the following syslog:
       %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 (type 8, code 0) denied due to NAT reverse path failure
     Workaround: Remove the 'unidirectional' keyword from the manual NAT statement.
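     As an added illustration of issue 4 (this is not Cisco's code or anything from the original page), the following Python snippet does two things a defender would do after an 8.3(2) upgrade: it scans a saved NAT configuration for migrated manual NAT lines that carry the 'unidirectional' keyword and shows the corrected line, and it pulls the denied flows out of %ASA-5-305013 syslog lines so they can be matched against those rules. The config fragment and syslog lines are constructed sample input; the message layout is taken from the syslog shown above, and the functions and regular expressions are the author's own assumptions.

```python
import re

# Constructed sample: two manual NAT lines as they would appear in
# "show running-config nat" after the migration described in issue 4.
SAMPLE_NAT_CONFIG = """\
nat (inside,any) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-192.168.1.0 obj-192.168.1.0 unidirectional
nat (inside,outside) source dynamic any interface
"""

# Constructed sample syslog: the 305013 line from the page plus an unrelated message.
SAMPLE_SYSLOG = """\
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 (type 8, code 0) denied due to NAT reverse path failure
%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.1.5/40000 (192.168.1.5/40000) to inside:10.10.5.20/443 (10.10.5.20/443)
"""

# Manual (twice) NAT line ending in the keyword the upgrade adds.
NAT_RE = re.compile(r"^nat \(\S+\) source static .*\bunidirectional\s*$")

# Fields of the 305013 message: protocol, source/destination interface and address.
SYSLOG_RE = re.compile(
    r"%ASA-5-305013: .*?Connection for (?P<proto>\w+) src "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+) dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)"
)


def find_unidirectional_nat(config):
    """Return the manual NAT lines that still carry the migration-added keyword."""
    return [line.rstrip() for line in config.splitlines() if NAT_RE.match(line)]


def strip_unidirectional(nat_line):
    """The workaround from the page: the same NAT line with 'unidirectional' removed."""
    return re.sub(r"\s+unidirectional\s*$", "", nat_line)


def asymmetric_nat_flows(syslog):
    """Extract the flows denied by NAT reverse-path failure; other messages are ignored."""
    return [m.groupdict() for m in (SYSLOG_RE.search(l) for l in syslog.splitlines()) if m]


if __name__ == "__main__":
    for line in find_unidirectional_nat(SAMPLE_NAT_CONFIG):
        print("migrated rule :", line)
        print("corrected rule:", strip_unidirectional(line))
    for flow in asymmetric_nat_flows(SAMPLE_SYSLOG):
        print("denied flow   :", flow)
```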
  5. ASA5505 with 512MB and 8.3 will not reboot properly (Open, CSCth06518)
     Symptom: An Adaptive Security Appliance (ASA) 5505 with the 512MB memory upgrade will not reboot properly and may become unresponsive during normal operation.
     Conditions: The ASA5505 has the 512MB memory upgrade installed.
     Workaround: A temporary recovery may be achieved by leaving the unit powered off for more than a minute. To fully stabilize the box, downgrade the memory back to 256MB.
