Cisco Bug: CSCvw01375 - DOC: ASA: /31 subnet mask must not be used in the "ip local pool" command

Last Modified

Oct 08, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12

Description (partial)

Symptom:
When you configure two IP addresses in a local pool and use a /31 subnet mask, the ASA shows no available addresses because they are the network and broadcast addresses. The "ip local pool" command must not be configured with a /31 subnet mask.

ip local pool TPMR_POOL2 10.227.246.76-10.227.246.77 mask 255.255.255.254

Error Message: The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.
The following message was received from the secure gateway: No assigned address

Debug Logs:

webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Processing CSTP header line: 'X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.'
Failed to update with address info: 0.0.0.0
cstp_util_address_ipv4_accept: no address?!?
cstp_util_address_ipv6_accept: No IPv6 Address
No assigned address
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL

Conditions:
When you configure two IP addresses in a local pool and use a /31 subnet mask, the ASA shows no available addresses because they are the network and broadcast addresses. The "ip local pool" command must not be configured with a /31 subnet mask.

ip local pool TPMR_POOL2 10.227.246.76-10.227.246.77 mask 255.255.255.254
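
An added example, not Cisco's code or part of the bug text: a Python check that parses "ip local pool" lines and counts the addresses left once the network and broadcast address of each subnet under the configured mask are excluded, which is the behaviour described above for /31. Applying that rule to masks other than /31 is an assumption, and the EXAMPLE_* pool names and 192.0.2.x ranges are constructed.

```python
import ipaddress
import re

# Matches: ip local pool NAME START-END mask MASK
POOL_RE = re.compile(
    r"^\s*ip local pool (\S+) ([\d.]+)-([\d.]+) mask ([\d.]+)\s*$"
)

def usable_addresses(start, end, mask):
    """Addresses in start..end that are neither the network nor the broadcast
    address of their own subnet under `mask`. Assumption: this generalizes the
    /31 behaviour the bug describes to any mask."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    usable = []
    for value in range(first, last + 1):
        addr = ipaddress.IPv4Address(value)
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if addr not in (net.network_address, net.broadcast_address):
            usable.append(addr)
    return usable

def lint_config(text):
    """Map each masked 'ip local pool' name to its count of usable addresses."""
    counts = {}
    for line in text.splitlines():
        match = POOL_RE.match(line)
        if match:
            name, start, end, mask = match.groups()
            counts[name] = len(usable_addresses(start, end, mask))
    return counts

def empty_pools(text):
    """Pools that can hand out no address at all."""
    return sorted(name for name, count in lint_config(text).items() if count == 0)

# First line is the pool from the bug; the EXAMPLE_* pools are constructed.
SAMPLE_CONFIG = """\
ip local pool TPMR_POOL2 10.227.246.76-10.227.246.77 mask 255.255.255.254
ip local pool EXAMPLE_POOL_30 192.0.2.4-192.0.2.7 mask 255.255.255.252
ip local pool EXAMPLE_POOL_24 192.0.2.10-192.0.2.59 mask 255.255.255.0
"""

if __name__ == "__main__":
    for pool, count in lint_config(SAMPLE_CONFIG).items():
        status = "NO USABLE ADDRESSES" if count == 0 else "ok"
        print(f"{pool}: {count} usable ({status})")
```

Run against a saved configuration, any pool reported by empty_pools() would produce the "No assigned address" rejection shown in the debug logs.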
