Site-to-Site VPN tunnel goes down when the Phase 2 IPSec Outbound SA lifetime threshold is reached (ASA 8.4 bug)

If you have recently upgraded to ASA 8.4 or above, you might have come across a VPN behaviour where the outbound IPSec SA reaches its data lifetime threshold and the tunnel stays down until you bounce it manually.

This happens because of a bug found in code 8.4(2.240) and 8.6. The bug is that the Phase 2 IPSec outbound SA fails to rekey when the ‘data lifetime’ reaches its threshold limit (default 4608000 kB). The bug ID is CSCtq57752, which you can look up in the Bug Toolkit (requires a CCO login).
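As an added example that is not part of the original post, here is a small Python check that parses `show crypto ipsec sa` output and flags outbound ESP SAs whose remaining data lifetime is close to running out, so a tunnel affected by this bug can be caught (and bounced or verified to rekey) before it drops. The sample output is constructed and abbreviated, and the warning threshold `min_kb` is an assumption.

```python
import re

# Constructed, abbreviated sample of `show crypto ipsec sa` output (not a real capture).
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         sa timing: remaining key lifetime (kB/sec): (4373999/28791)
    outbound esp sas:
      spi: 0x5E6F7A8B (1584364171)
         sa timing: remaining key lifetime (kB/sec): (1200/27000)
"""

SA_DIRECTION = re.compile(r"^\s*(inbound|outbound) esp sas:")
SA_SPI = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
SA_TIMING = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_esp_sas(text):
    """Return one dict per ESP SA: direction, SPI, remaining kB and seconds."""
    sas, direction, spi = [], None, None
    for line in text.splitlines():
        if m := SA_DIRECTION.match(line):
            direction = m.group(1)          # section header: inbound / outbound
        elif m := SA_SPI.match(line):
            spi = m.group(1)                # SPI of the SA whose timing follows
        elif (m := SA_TIMING.search(line)) and direction and spi:
            sas.append({"direction": direction, "spi": spi,
                        "kb_left": int(m.group(1)), "sec_left": int(m.group(2))})
    return sas


def outbound_sas_near_data_limit(text, min_kb=5000):
    """Outbound SAs with less than min_kb of data lifetime left (min_kb is an assumed level)."""
    return [sa for sa in parse_esp_sas(text)
            if sa["direction"] == "outbound" and sa["kb_left"] < min_kb]


if __name__ == "__main__":
    for sa in outbound_sas_near_data_limit(SAMPLE_OUTPUT):
        print(f"WARNING: outbound SA {sa['spi']} has {sa['kb_left']} kB left; "
              f"confirm it rekeys (CSCtq57752) or bounce the tunnel")
```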


Upgrading to ASA 8.4 – ‘No ACL was changed as part of Real-ip migration’

If you have tried to upgrade your ASA to 8.4, you may have come across the most common error:

No ACL was changed as part of Real-ip migration

This happens because of a conflict between the nat 0 (NAT exempt) statement and static NATs.

Here’s the message I got when the ASA was upgraded to 8.4:

INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_5_13_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(5)13 "
WARNING: 
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1000, "access-group OUTSIDE_ACL..."
WARNING: 
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1001, "access-group INSIDE_ACL ..."
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
 No ACL was changed as part of Real-ip migration

This failed because, as the message above clearly states –