Cisco Bug: CSCta10530 - ASA - management sockets are not functional after failover via vpn
Nov 08, 2016
- Cisco ASA 5500-X Series Firewalls
Symptom: We noticed strange behavior of the management interface after failover. Apparently some sockets are closed or not functional after failing over from one unit to the other. The symptoms are, for example, that ssh does not work any more, or http does not work. In the logs we see the connection closed due to SYN timeout:

    ASA# sh log | i 192.168.0.2
    Jun 08 2009 11:50:17: %ASA-6-302013: Built inbound TCP connection 41844293 for inside:192.168.0.2/1661 (192.168.0.2/1661) to identity:192.168.1.1/22 (192.168.1.1/22) (useri)
    ASA# sh log | i 192.168.0.2
    ASA# sh log | i 192.168.0.2
    Jun 08 2009 11:50:26: %ASA-6-302014: Teardown TCP connection 41843606 for inside:192.168.0.2/1660 to identity:192.168.1.1/22 duration 0:00:30 bytes 0 SYN Timeout (useri)

You can verify the status of the socket via show asp table socket. For example, before failover we see the following:

    TCP 03cef8c4 192.168.1.1:23 0.0.0.0:* LISTEN
    TCP 03cf045c 192.168.1.1:22 0.0.0.0:* LISTEN

Here the https socket on the management interface is not listening although the correct statement is there:

    ASA# sh run http
    http server enable 10443
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 mgmt

After failover:

    DUNASA1/pri/act# sh asp t so
    Protocol Socket Local Address Foreign Address State
    SSL 064d2624 192.168.1.1:10443 0.0.0.0:* LISTEN
    TCP 0bb0405c 192.168.1.1:23 0.0.0.0:* LISTEN

Here the https is now open but the ssh is closed.

Conditions: not clear yet.
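The verification step above (comparing "show asp table socket" before and after failover against the configured management listeners) can be automated as a post-failover health check. The script below is an added example, not part of the bug report; the socket table text is constructed from the excerpts above, and the expected port set (22, 23, 10443) is an assumption derived from the ssh/telnet listeners and "http server enable 10443" shown in the report.

```python
import re
from typing import Set

# Constructed sample output of "show asp table socket", modelled on the
# before/after excerpts in the bug report (not captured from a live device).
BEFORE_FAILOVER = """\
Protocol  Socket    Local Address        Foreign Address    State
TCP       03cef8c4  192.168.1.1:23       0.0.0.0:*          LISTEN
TCP       03cf045c  192.168.1.1:22       0.0.0.0:*          LISTEN
"""

AFTER_FAILOVER = """\
Protocol  Socket    Local Address        Foreign Address    State
SSL       064d2624  192.168.1.1:10443    0.0.0.0:*          LISTEN
TCP       0bb0405c  192.168.1.1:23       0.0.0.0:*          LISTEN
"""

# Assumed set of management listeners the running config calls for:
# ssh (22), telnet (23) and "http server enable 10443".
EXPECTED_LISTENERS = {22, 23, 10443}

# One row of the socket table: protocol, socket id (hex), local ip:port,
# foreign address, state. The header row does not match because "Socket"
# is not a hex string.
SOCKET_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<sock>[0-9a-f]+)\s+(?P<local>\S+?):(?P<port>\d+)\s+"
    r"(?P<foreign>\S+)\s+(?P<state>\w+)\s*$"
)


def parse_listeners(asp_output: str, local_ip: str) -> Set[int]:
    """Return the local ports in LISTEN state bound to the given identity address."""
    listening = set()
    for line in asp_output.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m and m.group("state") == "LISTEN" and m.group("local") == local_ip:
            listening.add(int(m.group("port")))
    return listening


def missing_listeners(asp_output: str, local_ip: str, expected: Set[int]) -> Set[int]:
    """Configured management ports that have no LISTEN socket in this snapshot."""
    return set(expected) - parse_listeners(asp_output, local_ip)


def failover_regression(before: str, after: str, local_ip: str) -> Set[int]:
    """Ports that were listening before failover but are gone afterwards."""
    return parse_listeners(before, local_ip) - parse_listeners(after, local_ip)
```

Run against both snapshots, missing_listeners reports 10443 absent before failover and 22 absent after it, which is exactly the https-then-ssh loss the report describes.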