asa821-k8

[df96]

I have 3 ASA 5505, on the main site one 5505 is running the asa802-k8 software and at the 2 remote office 2 x 5505 with asa821-k8 software.
There are site to site vpn between the offices and the main site and ssl vpn on the main site.
everything is running fine until a few days where it becam impossible to mount the vpn from the remote office to the main site.
are known problems of software mismatch between 821 and 802 ?

 

[PScottC]

What errors are you getting? Did you compare the configs on the remote ASAs before and after the upgrade?

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[df96]

the problem is much more a directionnal problem, it seems that the vpn tunnel can only open from the main site and not from the remote office. the current work around is a permanent ping from the main site to the remote office, but it is not a solution. i have checked the configuration and the vpn tunnel are bidirectionnal...
has anyone encountered this problem ?

 

[df96]

I have updated the 5505 of the main site with the following command:
asdm image disk0:/asdm-621.bin
no boot system disk0:/asa802-k8.bin
boot system disk0:/asa821-k8.bin

But none of the vpn are operationnal anymore, in asdm no interface are enabled for ipsec access. When I try to enable outside interface for ipsec access (neither inside nor outside are checked )
I obtain the following error message

error : [ERROR] crypto isakmp enable outside
IkeReceiverInit, unable to bind to port
and I can't check the outside box.

I have the same result with the command line
crypto isakmp enable outside

 

[unclerico]

have you tried rebooting??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[df96]

Do You mean after the first reboot with the new asa image?
I didnt because I really needed the vpn to be mounted, so I downgrade the image and restart with the asa802...

 

[df96]

I upgrade one more time to asa821, reboot twice, and always getting the folowing error at startup :

..ERROR: IkeReceiverInit, unable to bind to port
*** Output from config line 138, "crypto isakmp enable out..."

has anyone an idea?

 

[df96]

and when rebooting with old asa802 image, i get the folowing :
Configuration Compatibility Warning:
The version 8.2(1)0 configuration may contain syntax that is
not backward compatible with the 8.0(2) image that is loaded.

*** Output from config line 4, "ASA Version 8.2(1) "
.
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 82, "timeout sip-provisional-..."

timeout tcp-proxy-reassembly 0:01:00
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 83, "timeout tcp-proxy-reasse..."
..
no threat-detection statistics tcp-intercept
^
ERROR: % Invalid input detected at '^' marker.
*** Output from config line 163, "no threat-detection stat..."

 

[unclerico]

I would open a case with Cisco TAC.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)