I'm having a strange issue with remote access VPN connectivity on our ASA cluster.
Normal site-to-site tunnels and AnyConnect connections works just fine. However, a special ipsec ikev1 tunnel does not. It establishes, and stays up, but the client (in this case an Avaya VPN Phone) does not either recieve a client address, or it doesn't ask for one (bit unsure who to blame).
This image shows the connection when it's established. Notice that the Assigned IP address is blank. Bytes TX being "0" is quite natural, as the networks on the inside have no client to route to.
I tried debugging this via ASDM, but to no luck. I'm not confident enough with the CLI to do a console debug, as we're using the "notification" keyword quite heavily to match every ACL we have.
Suggestions?
This took some work to figure out..
First of all - the reason that the client (or phone, to be precise) didn't get an IP address was because of a misconfiguration of the phone. It didn't have a "Config IKE" flag set, which means that it basically discarded any configuration pushed from the ASA.
When I fixed this, another major problem appeared. It turns out that our AnyConnect clients did not work at all. We recently upgraded to ASA 8.4.4 in an attempt to solve another issue, and this version brings a new rule checker against NAT rules so that they don't collide with standby IP addresses:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcf110.shtml
This is a major showstopper for us, as we have bajillion of subnets behind the firewall in a big MPLS network, where the VPN clients needs connectivity. Creating new host/network groups just to not collide with the standby IP's are at least two days of work for me, so I'm going to downgrade to ASA 8.4.3 until Cisco can find a better solution for this.