VPN Tunnel (site-2-site) up, but no data flows

Unanswered Question

I have the following setup:


PIX 515E with 7.2(3) HQ Site

ASA 5505 with 7.2(2) Remote Site


I am experiencing a problem where one of my site-to-site tunnels goes down (I have 8 tunnels at HQ) and comes up again, but then no data flows.


I narrowed it down to the fact that no data is getting encapsulated or encrypted at HQ when this problem occurs:


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5103, #pkts decrypt: 5103, #pkts verify: 5103
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: *
remote crypto endpt.: *

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DC43FC01


While I'm having trouble with this one tunnel, all my other tunnels are working fine.


I tried the following, with no luck, to solve the problem:


Reloaded the remote ASA 5505.

Reapplied the crypto map (HQ):

crypto map outside_map interface outside

Cleared the SAs (HQ):

clear crypto isakmp sa
clear crypto ipsec sa


Removed the pre-shared key at HQ and re-applied it.


The only way I was able to resolve the issue was to reload the PIX (HQ).


After I reloaded the PIX (HQ), I noticed that the PIX was now the "initiator", whereas when the tunnel did not work the PIX was the "responder", according to:

show crypto isakmp sa


I have checked that the "interesting traffic" at both ends is the same.


I have experienced this problem twice now, with 6 months in between.


Any kind of help would be appreciated, since reloading the PIX (HQ) when this problem occurs is not a good solution, as all my other tunnels go down.


Let me know if configs are needed.


a.alekseev Tue, 07/08/2008 - 08:39

show crypto isakmp policy on both sides

Try to enable "crypto isakmp keepalive 10" on both sides.

Thanks to both of you for the quick replies!


I don't think the IOS version is the problem, since I have 3 other remote sites with the same version 7.2(2) which don't have the same problem.


My isakmp policies are the same, even though I have 2 policies on my HQ PIX (I think the 2nd policy is a default one):


crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


And only 1 policy on my remote ASA 5505:


crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400


I will try enabling the isakmp keepalives, but can you explain how that should solve the problem?


As I understand it, the keepalives' job is only to keep the tunnel up even when there's no traffic, right?

Hi again,


I just read a bit about isakmp keepalives; they are enabled by default:


"IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command"


I checked both sites, and they are enabled by default, which means they were also enabled when I experienced the problem, so it must be something else giving me a headache...

a.alekseev Wed, 07/16/2008 - 22:44

Your configuration is correct.

1. You can try upgrading the software to the same version.

2. On the remote:

no crypto ipsec transform-set ESP-AES-256-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_map_10
crypto map outside_map 10 set peer xxx.xxx.xxx.xxx
crypto map outside_map 10 set transform-set ESP-AES-256-SHA

a.alekseev Thu, 07/17/2008 - 04:07

And make a correction on HQ: use only one transform set for the remote.

Hi Aleksey


It seems like my problem is solved (I haven't been able to reproduce the error exactly, as it's in production at the moment).


However, I changed the HQ site to only have one transform set in the crypto map:


crypto map outside_map 10 set transform-set ESP-AES-256-SHA


instead of:


crypto map outside_map 10 set transform-set ESP-AES-SHA ESP-AES-256-SHA


But shouldn't it work anyway, trying first with the first transform set and then the second one? I'm happy that I might have solved it, but I would like to know exactly what was wrong in my config.


Thanks for your help.


lmanaughkcc Sun, 07/20/2008 - 17:43

I am having the exact same issue. My HQ has 2 ASA 5520s in standby failover mode. The remote site that gets sick is an ASA 5505. It is on 7.2(3) and HQ is on 8.0(3). No other sites have this issue, and I have lots of them running all sorts of IOS, with some PIX and some ASA. I have had the remote site running for more than a year, and it took me a while just to find out that I had to clear crypto ipsec sa ip address on HQ to get the tunnel back up.

The remote site can talk through other tunnels but not back to HQ!


A tech suggested that I change the lifetime to half a day like you have. But this will take some doing, because I have many other sites to set that on (unless someone can tell me how to create two policies on a single ASA, one to be used for the sick site). I have only one transform set and still have the issue.


Next time, on your HQ PIX, just reset the bad tunnel:

clear crypto ipsec sa public-ip-of-remote-site
clear crypto isakmp sa public-ip-of-remote-site

It won't work to try and reboot the remote firewall or reset the tunnel at that end because the HQ firewall thinks everything is fine. At least that is what my syslogs are showing in my case.

Any ideas on this would be welcome!
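As an added example that is not part of the original thread: a small Python check for the symptom the original post quotes (decaps climbing while encaps stays at zero on one peer's SA) and for the per-peer reset lmanaughkcc recommends instead of reloading the HQ box. It parses text in the layout of `show crypto ipsec sa` as pasted from a PIX/ASA 7.x console. The sample output, addresses, SPIs and counters are constructed; the `clear crypto ipsec sa peer <ip>` syntax is an assumption to verify against the platform's command reference; the function and class names are mine.

```python
"""Spot one-way site-to-site IPsec SAs in 'show crypto ipsec sa' output.

Added example (not from the thread). Flags SAs whose decaps counter is
non-zero (or still advancing) while the encaps counter stays at zero,
which is the symptom quoted in the original post, and emits a per-peer
reset so the other tunnels on the HQ firewall stay up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout the thread quotes: seq 10 is the stuck
# peer (receives, never sends), seq 20 is healthy. Addresses are from the
# RFC 5737 documentation ranges; SPIs and counters are made up.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.8.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.8

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5103, #pkts decrypt: 5103, #pkts verify: 5103
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 198.51.100.1, remote crypto endpt.: 203.0.113.8
      current outbound spi: DC43FC01

    Crypto map tag: outside_map, seq num: 20, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.9

      #pkts encaps: 8821, #pkts encrypt: 8821, #pkts digest: 8821
      #pkts decaps: 7764, #pkts decrypt: 7764, #pkts verify: 7764
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 198.51.100.1, remote crypto endpt.: 203.0.113.9
      current outbound spi: 1A2B3C4D
"""


@dataclass(frozen=True)
class SaCounters:
    peer: str
    seq: int
    encaps: int
    decaps: int
    outbound_spi: str


_FIELDS = {
    "peer": re.compile(r"current_peer:\s*(\S+)"),
    "seq": re.compile(r"seq num:\s*(\d+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "spi": re.compile(r"current outbound spi:\s*([0-9A-Fa-f]+)"),
}


def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """One record per 'Crypto map tag:' block; incomplete blocks are skipped."""
    records = []
    for body in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        found = {name: rx.search(body) for name, rx in _FIELDS.items()}
        if not all(found[k] for k in ("peer", "seq", "encaps", "decaps")):
            continue  # truncated paste: do not guess at counters
        spi = found["spi"].group(1) if found["spi"] else ""
        records.append(SaCounters(found["peer"].group(1), int(found["seq"].group(1)),
                                  int(found["encaps"].group(1)),
                                  int(found["decaps"].group(1)), spi))
    return records


def classify(sa: SaCounters) -> str:
    """'rx-only' is the thread's symptom: peer packets are decapsulated, nothing leaves."""
    if sa.encaps and sa.decaps:
        return "ok"
    if sa.decaps and not sa.encaps:
        return "rx-only"
    if sa.encaps and not sa.decaps:
        return "tx-only"
    return "idle"  # fresh SA or no interesting traffic yet; not evidence of a fault


def find_stuck_peers(snapshot: str) -> list[str]:
    """Peers with at least one rx-only SA in a single snapshot."""
    return sorted({sa.peer for sa in parse_ipsec_sa(snapshot) if classify(sa) == "rx-only"})


def stuck_between(before: str, after: str) -> list[str]:
    """Peers whose decaps advanced between two snapshots while encaps did not.

    Two snapshots confirm the condition is current (inbound still being
    decapsulated right now) rather than stale counters. SAs rekeyed in
    between (SPI changed, counters reset) are not comparable and are skipped.
    """
    earlier = {(sa.peer, sa.seq): sa for sa in parse_ipsec_sa(before)}
    stuck = set()
    for sa in parse_ipsec_sa(after):
        old = earlier.get((sa.peer, sa.seq))
        if old is None or old.outbound_spi != sa.outbound_spi:
            continue
        if sa.decaps > old.decaps and sa.encaps == old.encaps:
            stuck.add(sa.peer)
    return sorted(stuck)


def clear_commands(peer: str) -> list[str]:
    """Per-peer reset for the HQ box (assumed PIX/ASA 7.x syntax; verify it).
    Deliberately not the global 'clear crypto ipsec sa', which drops every tunnel."""
    return [f"clear crypto ipsec sa peer {peer}"]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"seq {sa.seq} peer {sa.peer}: encaps={sa.encaps} decaps={sa.decaps} -> {classify(sa)}")
    for peer in find_stuck_peers(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print("\n".join(clear_commands(peer)))
```

Take the two snapshots a minute or so apart while the remote side is known to be sending; an SA that shows `rx-only` in one snapshot and is still `rx-only` with a higher decaps count in the second is the one to reset, and only that peer's SA is cleared.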
