Hi All... I'm having a strange problem.
We recently migrated all of our LAN-to-LAN VPNs from a 7206 with an ISA card over to our ASA 5520 firewalls. There are just a handful of users that are experiencing a strange issue.
We use Cisco VoIP and our employees have an IP phone that they use over the VPN. With the old setup with the VPNs connecting to the 7206, we never had any issues, it was rock solid and always worked. Ever since we migrated to the ASA, the phones spend probably 90% of the time trying to reregister with Call Manager (10.1.100.0 or 10.1.101.0). Also, some are able to make and receive calls just fine, while a few others can hear the other people, but they can't talk to people. I wonder if something isn't messed up with the NAT exclusion? They also have problems with SAs that time out. Example: VPN host: 10.200.218.101 has an SA with 10.220.22.0 and 10.1.1.0.... When 10.220.22.0 times out, the only way to get that SA to come back up again is to reset the VPN connection. It's weird. All of the PIXs have the same config, just the 10.200.x.0 IP is changed. Many of them are behind NAT devices (home routers etc), but this was never a problem before with the 7206 setup.
Below is the config for the ASA as well as the 7206 for a sort of Before and After comparison. I will attach a PIX501 config in a separate post.
Another issue... when we migrated to the ASAs for the VPNs, I implemented EasyVPN on as many remote PIXs as possible (about 90 or so). There are a few that will just randomly not connect to the ASA. The ASA will show the peer trying to connect, but will show a log entry similar to: Peer= <Ip>; no match found, removing peer. It will show that a few times, then all of a sudden Phase 1 will complete and all will be fine. Any ideas what could be causing that??
What a headache! I'd appreciate any help you could give. Thanks.
crypto isakmp policy 1
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set tangoset esp-des esp-md5-hmac
crypto dynamic-map tangomap 10
set transform-set tangoset
crypto map tangotrans 10 ipsec-isakmp dynamic tangomap
ip address ...
ip access-group 197 in
no ip redirects
no ip proxy-arp
rate-limit input access-group 196 128000 8000 8000 conform-action transmit exceed-action drop
rate-limit output access-group 196 128000 8000 8000 conform-action transmit exceed-action drop
ip route-cache flow
no ip mroute-cache
crypto map tangotrans
crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set reverse-route
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
crypto isakmp nat-traversal 20
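A quick way to compare the two head-end configs quoted above for proposal-level differences, added here as an example and not part of the original post: it parses the transform-set, ISAKMP policy, NAT-T and reverse-route lines from the 7206 and ASA snippets and reports what changed. Only the head-end side is compared, since the remote PIX config is not on this page; the two config strings below are constructed from the lines posted above, trimmed to the crypto statements.

```python
import re

# Constructed input: the crypto lines from the two configs quoted in the post
# (7206 "before", ASA "after"). Interface and key lines are omitted.
OLD_7206 = """\
crypto isakmp policy 1
crypto ipsec transform-set tangoset esp-des esp-md5-hmac
crypto dynamic-map tangomap 10
set transform-set tangoset
crypto map tangotrans 10 ipsec-isakmp dynamic tangomap
"""
NEW_ASA = """\
crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set reverse-route
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto isakmp policy 65535
crypto isakmp nat-traversal 20
"""

def summarize(config):
    """Collect the settings that decide whether a remote peer's proposal can match."""
    s = {"transform_sets": {}, "isakmp_policies": [], "nat_traversal": None, "reverse_route": False}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            s["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            s["isakmp_policies"].append(int(m.group(1)))
            continue
        m = re.match(r"crypto isakmp nat-traversal (\d+)$", line)
        if m:
            s["nat_traversal"] = int(m.group(1))
        elif line.endswith("set reverse-route"):
            s["reverse_route"] = True
    return s

def proposal_diff(old_cfg, new_cfg):
    """Report the differences between the two heads that a remote peer could notice."""
    a, b = summarize(old_cfg), summarize(new_cfg)
    a_alg = frozenset().union(*a["transform_sets"].values())
    b_alg = frozenset().union(*b["transform_sets"].values())
    return {
        "esp_dropped": a_alg - b_alg,  # transforms the old head offered but the new one does not
        "esp_added": b_alg - a_alg,
        "nat_traversal": (a["nat_traversal"], b["nat_traversal"]),
        "reverse_route": (a["reverse_route"], b["reverse_route"]),
    }

if __name__ == "__main__":
    for key, value in proposal_diff(OLD_7206, NEW_ASA).items():
        print(f"{key}: {value}")
```

Run against the posted snippets it shows that the ESP proposal moved from esp-des to esp-3des and that NAT-T and reverse-route injection were added on the ASA; any remote peer still built around the 7206 proposal is the first thing to check when the head logs a peer with no matching proposal.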