ASA 8.x – IAS downloadable ACL SSL bug

I was recently configuring an ASA running 8.x software to authenticate and download ACLs for remote-access users from Microsoft IAS. During my testing I changed one of the ACEs but accidentally used incorrect syntax (tried to match a port number on an “ip” access list):

ip:inacl#100=permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389

Which should have read

ip:inacl#100=permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389

The end result was that my authentication was denied and I received this error on the ASA:

%ASA-3-109032: Unable to install ACL ‘AAA-user-username-ABC12345’, downloaded for user username; Error in ACE: ‘permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389’
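Because a rejected ACE costs a reload here, it is worth checking the av-pairs before they go into the RADIUS policy. The following linter is an added example written for this post, not Cisco or Microsoft code: it parses the `ip:inacl#N=<ace>` av-pair, flags a port operator (eq/gt/lt/neq/range) used with a protocol other than tcp/udp (the exact mistake above), and also pulls the rejected ACE out of a `%ASA-3-109032` syslog line so the same check can be run on what the ASA complained about. It assumes a simplified subset of the ASA extended-ACE grammar (`permit|deny <proto> <src> [<op> <port>...] <dst> [<op> <port>...] [log]`), and the sample inputs are constructed from the lines quoted in the post.

```python
"""Lint Cisco downloadable-ACL av-pairs (ip:inacl#N=<ace>) before they reach IAS.

Assumed grammar (a subset of ASA extended-ACE syntax, not a full parser):
    permit|deny <proto> <src> [<op> <port>...] <dst> [<op> <port>...] [log]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
"""
import re

PORT_PROTOCOLS = {"tcp", "udp"}                      # only these may carry a port match
KNOWN_PROTOCOLS = PORT_PROTOCOLS | {"ip", "icmp", "esp", "ah", "gre"}
PORT_OPERATORS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> port args

AVPAIR_RE = re.compile(r"^ip:inacl#(?P<seq>\d+)=(?P<ace>.+)$")
# Syslog line the ASA emits when it rejects an ACE (straight or curly quotes).
SYSLOG_RE = re.compile(
    r"%ASA-3-109032: Unable to install ACL ['‘](?P<acl>[^'’]+)['’], "
    r"downloaded for user (?P<user>\S+); Error in ACE: ['‘](?P<ace>[^'’]+)['’]"
)


def _address(tokens, i):
    """Consume one address spec at tokens[i]; return the index of the next token."""
    if i >= len(tokens):
        raise ValueError("missing address")
    t = tokens[i].lower()
    if t == "any":
        return i + 1
    if t == "host":
        if i + 1 >= len(tokens):
            raise ValueError("'host' without an address")
        return i + 2
    if i + 1 >= len(tokens):
        raise ValueError(f"address {tokens[i]} without a mask")
    return i + 2


def _ports(tokens, i, proto, which, problems):
    """Consume an optional port operator at tokens[i]; record problems in place."""
    if i < len(tokens) and tokens[i].lower() in PORT_OPERATORS:
        op = tokens[i].lower()
        nargs = PORT_OPERATORS[op]
        if proto not in PORT_PROTOCOLS:
            problems.append(f"{which} port match '{op}' is only valid for tcp/udp, not '{proto}'")
        if i + nargs >= len(tokens):
            raise ValueError(f"'{op}' without its port argument(s)")
        return i + 1 + nargs
    return i


def check_ace(ace):
    """Return a list of problems with one ACE string; an empty list means it parsed cleanly."""
    problems = []
    tokens = ace.split()
    if len(tokens) < 2 or tokens[0].lower() not in ("permit", "deny"):
        return ["ACE must start with permit or deny"]
    proto = tokens[1].lower()
    if proto not in KNOWN_PROTOCOLS and not proto.isdigit():
        problems.append(f"unknown protocol '{tokens[1]}'")
    try:
        i = _address(tokens, 2)                                  # source
        i = _ports(tokens, i, proto, "source", problems)
        i = _address(tokens, i)                                  # destination
        i = _ports(tokens, i, proto, "destination", problems)
    except ValueError as err:
        problems.append(str(err))
        return problems
    if i < len(tokens) and tokens[i].lower() == "log":
        i += 1
    if i < len(tokens):
        problems.append(f"unexpected trailing tokens: {' '.join(tokens[i:])}")
    return problems


def check_avpair(line):
    """Return (sequence number or None, problems) for one ip:inacl#N=<ace> av-pair."""
    m = AVPAIR_RE.match(line.strip())
    if not m:
        return None, ["not an ip:inacl#N=<ace> av-pair"]
    return int(m.group("seq")), check_ace(m.group("ace"))


def failed_ace_from_syslog(line):
    """Pull (user, rejected ACE) out of a %ASA-3-109032 message, or None if it is not one."""
    m = SYSLOG_RE.search(line)
    return (m.group("user"), m.group("ace")) if m else None


if __name__ == "__main__":
    # Constructed sample: the two av-pairs from the post, the broken one first.
    avpairs = [
        "ip:inacl#100=permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389",
        "ip:inacl#100=permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389",
    ]
    for line in avpairs:
        seq, problems = check_avpair(line)
        print(f"#{seq}: {'OK' if not problems else '; '.join(problems)}")
    # Constructed syslog line in the format quoted in the post.
    log = ("%ASA-3-109032: Unable to install ACL 'AAA-user-username-ABC12345', "
           "downloaded for user username; Error in ACE: "
           "'permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389'")
    user, ace = failed_ace_from_syslog(log)
    print(f"ASA rejected an ACE for {user}: {check_ace(ace)}")
```

Run it against the av-pairs you intend to put into the IAS policy; any line that comes back with a problem is one the ASA will refuse with 109032, and on the affected code that refusal is what leads to the stuck session counter described below.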

No biggie, fixed the syntax and tried to logon again. But then I received this interesting error:

%ASA-4-716023: Group <groupName> User <username> IP <x.x.x.x> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <groupName> User <username> IP <x.x.x.x> WebVPN Unable to create session

I thought maybe I had some previous sessions still connected:

ASA# sh uauth
Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          0

ASA# sh vpn-sessiondb webvpn
INFO: There are presently no active sessions of the type specified

It appears that if an SSL VPN connection fails due to an incorrectly configured downloadable ACE, it locks out that session. I couldn’t find a command that would return the sessions back to the available pool and had to reload the ASA to correct it.

Now I doubt you would see this issue in a production environment but if anyone knows of a way to correct this without reloading I would love to know.


11 thoughts on “ASA 8.x – IAS downloadable ACL SSL bug”

  1. That’s the same error I get on the ASA when I hit the maximum SSL Session limit trying to log in a third session through AnyConnect.

    Only two concurrent WebVPN sessions are allowed by the vanilla license… which is where that “session limit of 2 reached” came from in my situation.

    Not sure if that applies to you in this case… but at least the errors are similar.

  2. Ben,

    I understand what the error is meant to mean. But in this case there aren’t actually any sessions open, as demonstrated by the output of sh vpn-sessiondb webvpn.

    Thanks

    reloadin10

  3. I have the same bug in my production environment. We have a license for 10 WebVPN users and the logs tell me that the Session could not be established: session limit of 10 reached.

    I checked the current active session but nobody is using it.

    Does someone know how to fix this without rebooting the ASA?

  4. I have the same thing, it occurred after I started fine-tuning the policies on the ASA to avoid superfluous prompts. Is there an IOS upgrade that fixes this?

  5. Thanks for that Dima.

    I had looked around for this bug but couldn’t find it.

    Good spotting

    reloadin10

  6. Alexey,

    If you have an ASA affected by this bug, you should be entitled to a free upgrade from Cisco TAC.

    This is not the place to be asking for ASA code.
