Site to Site ISAKMP problem ??

Unanswered Question
Feb 19th, 2007

We have a new ASA5510, which is set up in a lab configuration. I am testing a S2S configuration with a linksys vpn router.

I have two tunnels configured on the Linksys, and each of them comes up and connects.

But once I start sending traffic (continuous ping) from a workstation on the private side of the Linksys, I get timeouts about every 4-5 pings.

If I turn on "debug crypto isakmp 127", I see what look like continuous ISAKMP negotiations that do not stop.

This is the first Cisco firewall on which I have attempted to set up VPN access.

Any ideas?

kaachary Tue, 02/20/2007 - 07:23

Hi,

I would suggest you check the following:

1: Make sure PFS is disabled on both ends.

2: Check the lifetimes for phase 1 and phase 2; they should match.

3: Is the encryption domain/crypto ACL matching?

Please post the relevant config, if possible.

*Please rate if this helped.

-Kanishka

will74103 Tue, 02/20/2007 - 07:39

Is there a problem with PFS?

Of the items you mentioned that is the only thing that comes up.

Kamal Malhotra Tue, 02/20/2007 - 07:45

Hi,

We have seen that with some non-Cisco devices it is mandatory to have PFS enabled, and in some cases it would just not work with PFS. So, except for those specific non-Cisco devices, we would always suggest having PFS disabled.

Moreover, unless we look at the debugs we cannot confirm whether PFS is the problem or something else. On the whole, we can say that we need to confirm that the configuration matches on both devices. In many cases I have personally seen that the Linksys device is misconfigured, which causes the problems. So please make sure that the phase 1 and phase 2 policies (encryption, hash, lifetimes, etc.) match. Crypto ACLs should be reflections of each other. The peer IP should be correct on each end, and PFS should be disabled.

HTH,

Please rate if it helps.

Regards,

Kamal
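The checklist in the two replies above (phase 1 and phase 2 parameters identical on both ends, PFS off, crypto ACL the mirror image of the Linksys tunnels, correct peer address), written out as an ASA-side configuration. This is an added illustration, not the poster's configuration or anything from the thread; the addresses, names and pre-shared key are placeholders, and the syntax is the ASA 7.x style in use when the thread was written. The Linksys side must be configured with the same values, with each of its two tunnels defined as the reverse of one ACE in the crypto ACL.

```cisco
! Added example, not the poster's config. Assumed placeholder addressing:
!   ASA outside 203.0.113.1, Linksys WAN 203.0.113.2
!   ASA inside 10.1.1.0/24, Linksys LANs 192.168.1.0/24 and 192.168.2.0/24

! --- Phase 1 (ISAKMP/IKE): every field must match the Linksys IKE settings ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Linksys side: pre-shared key, 3DES, SHA1, DH group 2, phase 1 lifetime 86400 s

! --- Phase 2 (IPsec): transform set and SA lifetime must match as well ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
! Linksys side: ESP, 3DES, SHA1, phase 2 lifetime 3600 s

! --- Crypto ACL (encryption domain): local network first, remote second ---
! The Linksys must carry the exact mirror image: 192.168.1.0/24 -> 10.1.1.0/24
! and 192.168.2.0/24 -> 10.1.1.0/24. One ACE per remote subnet yields one
! IPsec SA pair per Linksys tunnel, all under a single crypto map entry.
access-list L2L_LINKSYS extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_LINKSYS extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! --- NAT exemption so the VPN traffic is not translated before encryption ---
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! --- Crypto map: one entry, correct peer, no PFS ---
crypto map OUTSIDE_MAP 10 match address L2L_LINKSYS
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
! PFS is off unless "set pfs" is present; if it was added earlier, remove it:
no crypto map OUTSIDE_MAP 10 set pfs
crypto map OUTSIDE_MAP interface outside

! --- Pre-shared key for this peer (must be identical on the Linksys) ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key Replace-With-A-Long-Random-Secret

! Let decrypted VPN traffic bypass the outside interface ACL
! (7.0/7.1 use "sysopt connection permit-ipsec" instead)
sysopt connection permit-vpn

! --- Verification from exec mode ---
! show crypto isakmp sa                  -> one phase 1 SA to 203.0.113.2, state MM_ACTIVE
! show crypto ipsec sa peer 203.0.113.2  -> two SA pairs, one per ACE, with
!                                           #pkts encaps/decaps rising during the ping
! debug crypto isakmp 127                -> should go quiet once both SAs are up
```

When comparing with the Linksys, check the two verification outputs rather than the configuration alone: a phase 1 SA that stays in MM_ACTIVE while the phase 2 SA for one ACE is repeatedly torn down and rebuilt points at that ACE's mirror on the Linksys (subnet, mask or lifetime), not at the IKE policy.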

will74103 Tue, 02/20/2007 - 14:51

Not much luck so far. I turned off PFS and double- and triple-checked that my transform and IPsec settings on the Linksys match.

My crypto map has an entry for both subnets with the inside address as the first address.

One of the tunnels comes up and works fine. It negotiates ISAKMP and passes extended pings with no problem.

I can initiate the second tunnel (from the Linksys) and it comes up. The problem begins as soon as I try to send traffic through the second tunnel. Several pings get through and then a couple of timeouts. The process repeats until I stop the ping on the second tunnel.

It looks like each ping packet on the second tunnel causes ISAKMP to re-initialize. I plan on calling support tomorrow if no one has any ideas.

Thanks again for your assistance.
