Site-to-Site VPN, ASA 5505 and 876 router

michaelvantil
Level 1

Hi all,

We're using a s2s VPN between two offices, using an 876 DSL router and an ASA firewall.

The VPN drops about 15 times a day, while Internet is still going strong.

We updated the IOS on the 876 to:

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)

It had a much older version.

I'm wondering if using two ASAs would be better than using a router and an ASA to establish a s2s VPN.

I'm looking for some input from the experts...

Best regards

7 Replies

Hi,

You can choose any products as you like (router, PIX, ASA, VPN concentrator). All will do fine as per the design and based on your network setup.

The question here is, why does the VPN drop about 15 times a day? Since you have not posted the config details, I would suggest you increase the value of the 'isakmp keepalive' parameter.

ggilbert
Cisco Employee

Hello Michael,

Whatever it is, as mentioned in the previous post by Jaffer, the tunnel should not get dropped.

I would like to see the output of the following from the ASA:

sh vpn-sessiondb l2l

And "sh cry ipsec sa" from the router and the ASA after the tunnel gets established.

We can go from there, after that.

Thanks

Gilbert

Hi,

@jaffer.

I changed:

---

crypto isakmp policy 10

lifetime 28800

---

to

---

crypto isakmp policy 10

lifetime 86400

---

Funny thing is when I do a sh run, the lifetime is not shown anymore.

So I don't know if it is using the new value.

@gilbert

Doing a sh vpn-sessiondb l2l results in the following:

Session Type: LAN-to-LAN

Connection : xx.127.123.153

Index : 2 IP Addr : xx.127.123.153

Protocol : IPSecLAN2LAN Encryption : 3DES

Hashing : SHA1

Bytes Tx : 94933 Bytes Rx : 54618

Login Time : 05:23:16 UTC Wed Jun 27 2007

Duration : 0h:21m:51s

Filter Name :

I included the other results in the attachments

Best regards and thank you both for taking the time to respond.

"sh cry isa policy" on a router will tell you the default policy and the configured policies along with their lifetimes. :)

If it is default, you would not see that on the configuration.

According to the output you sent, the VPN has been up for almost 21 minutes now and there is a lifetime left of about 30 minutes on the keys.

"debug cry isa 190" and "deb cry ipsec 190" from the ASA; "deb cry isa" and "deb cry ipsec" from the router. These two debugs, when turned on, will tell you when the tunnel is renegotiating, and when the drop happens they will tell you what happens at the time.

Those are lots of debugs, so if you have a syslog server, please send the debugs to the syslog server. Then look at the debugs to see when it fails and whether there are any messages that reveal the failure.

Thanks

Gilbert

Also, can you copy and paste the output of

sh run all group-policy

Thanks

Gilbert

Gilbert,

"sh cry isa policy"

Shows the new timeout perfectly, good tip, thx.

So next for me to do is:

On ASA:

"debug cry isa 190"

"deb cry ipsec 190"

On RTR:

"deb cry isa"

"deb cry ipsec"

And have them both log the messages to a syslog server, right?

I'll set one up in the meantime.

Best regards

So in the group policy, you have an idle timeout of 30 ("vpn-idle-timeout 30"). See if you can change it to something else and whether the problem goes away.

Thanks

Gilbert
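Gilbert's last suggestion points at the group-policy idle timeout as the likely cause of the drops. The following script is an added example, not code from this thread or from Cisco: it parses the "sh vpn-sessiondb l2l" output quoted above together with a constructed fragment of "sh run all group-policy" and flags any tunnel whose observed duration lands just under the configured vpn-idle-timeout, which is the pattern you would expect if idle disconnects are behind the 15 drops a day. The second session, the group-policy name and the two-minute window are assumptions made up for the example; the 30-minute value is the one quoted in the thread.

```python
"""Correlate ASA 'sh vpn-sessiondb l2l' durations with the group-policy idle timeout.

Added example for this thread; not Cisco's code. A tunnel that keeps showing up
with a duration just below vpn-idle-timeout is a strong hint that the drops are
idle disconnects rather than IKE or IPsec failures.
"""
import re

# Constructed sample modelled on the session output pasted in the thread.
# The first block is the one from the thread; the second peer is made up.
SESSIONDB_OUTPUT = """\
Session Type: LAN-to-LAN

Connection : xx.127.123.153
Index : 2 IP Addr : xx.127.123.153
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : SHA1
Bytes Tx : 94933 Bytes Rx : 54618
Login Time : 05:23:16 UTC Wed Jun 27 2007
Duration : 0h:21m:51s
Filter Name :

Connection : xx.127.123.154
Index : 3 IP Addr : xx.127.123.154
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : SHA1
Bytes Tx : 1200 Bytes Rx : 800
Login Time : 04:53:10 UTC Wed Jun 27 2007
Duration : 0h:29m:58s
Filter Name :
"""

# Constructed fragment of 'sh run all group-policy'. The 30-minute idle timeout
# is the value Gilbert quotes; the policy name is a placeholder.
GROUP_POLICY_OUTPUT = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
"""

DURATION_RE = re.compile(r"Duration\s*:\s*(\d+)h:(\d+)m:(\d+)s")
CONNECTION_RE = re.compile(r"Connection\s*:\s*(\S+)")
IDLE_RE = re.compile(r"^\s*vpn-idle-timeout\s+(\S+)", re.M)


def parse_sessions(text):
    """Return one dict per L2L session with the peer address and duration in seconds."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = CONNECTION_RE.match(line)
        if m:
            current = {"peer": m.group(1)}
            sessions.append(current)
            continue
        m = DURATION_RE.search(line)
        if m and current is not None:
            hours, minutes, seconds = (int(x) for x in m.groups())
            current["duration_s"] = hours * 3600 + minutes * 60 + seconds
    return sessions


def parse_idle_timeout(text):
    """Return vpn-idle-timeout in seconds, or None when it is set to 'none'.

    If the line is absent we assume the ASA default of 30 minutes.
    """
    m = IDLE_RE.search(text)
    if not m:
        return 30 * 60
    value = m.group(1)
    if value.lower() == "none":
        return None
    return int(value) * 60


def idle_timeout_suspects(sessions, idle_s, window_s=120):
    """Peers whose duration is within window_s below the idle timeout (assumed 2 min)."""
    if idle_s is None:
        return []
    return [s["peer"] for s in sessions
            if "duration_s" in s and idle_s - window_s <= s["duration_s"] <= idle_s]


if __name__ == "__main__":
    idle = parse_idle_timeout(GROUP_POLICY_OUTPUT)
    found = parse_sessions(SESSIONDB_OUTPUT)
    for s in found:
        print(f"{s['peer']}: up {s.get('duration_s', '?')}s")
    print("idle-timeout suspects:", idle_timeout_suspects(found, idle))
```

Run it against real output captured over a day of drops: if the same peer keeps appearing near the timeout, the fix is in the group policy (a larger value or "vpn-idle-timeout none" for a site-to-site peer) rather than in the IKE lifetimes discussed earlier in the thread.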
