ASA5540 to ISA2006 IPSec VPN periodically drops

Unanswered Question
May 13th, 2009

SIte 1 NAT'd clients behind ASA5540 connect over IPSec tunnel to Site 2 behind ISA2006 using pre-shared Key

* Able to establish the Tunnel

* Able to ping both ways

* Able to join Win domain at Site 1 from Client at Site 2

Tunnel periodically drops (15 minutes~ish)

Site 2 Client loses ping to SIte 1 altogether

Site 1 Client ping to Site 2 fails on 1st, then succeeds on next few

Then Site 2 can again ping Site 1

Seeing 713122 (keep-alives configured on but peer does not support keep-alives...) on ASA, but cannot find where to fix on ISA or disable on ASA (if that's even the right approach)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jamesl0112 Wed, 05/13/2009 - 14:44

Which site is the ASA, and which site is the ISA?

Can Site 2 bring the tunnel back up by pinging, or is it the case that it can only be brought up by Site 1?

Can you post up any more config / debugs?

I recently had a multi-vendor tunnel that kept dropping and only one end could bring it back up - turned out it was because PFS was enabled at the non-Cisco end, whereas at the Cisco end it is disabled by default.

Assuming PFS has not been explicitly configured on the ASA you could try disabling it on the ISA (I believe this is in properties -> phase II).

kevin.mcdermott... Thu, 05/14/2009 - 04:01

Sorry, looks like I confused my sites in the description...

Site 1 = ISA2006

Site 2 = ASA5540

* Able to establish the Tunnel

* Able to ping both ways

* Able to join Client at Site 2 (behind ASA) to Win domain at Site 1 (behind ISA)

Tunnel periodically drops (15 minutes~ish)

- Client behind ASA loses ping to ISA Site altogether

- ISA Client ping to ASA Site fails on 1st, then succeeds on next few

- Then ASA Site can again ping ISA Site

- I can only get the tunnel to re-establish by pinging from ISA Side back to ASA side

PFS has been explicitly enabled on both ends

Would be happy to post config/debug info... what helps?

jamesl0112 Sun, 05/17/2009 - 09:31

I would post the crypto map & isakmp configuration from the ASA, along with the ACL that defines interesting traffic. Then go into the properties of the tunnel on the ISA and make a note of the P1 and P2 settings there.

You could try debugs like debug crypto ipsec & debug crypto isakmp.

This is assuming that the internet connection at both sites is stable of course :-)

kevin.mcdermott... Mon, 05/18/2009 - 04:18

ASA Side:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set BV esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside-untrust_map 1 match address Outside-untrust_1_cryptomap

crypto map Outside-untrust_map 1 set pfs

crypto map Outside-untrust_map 1 set peer <>

crypto map Outside-untrust_map 1 set transform-set ESP-3DES-SHA

crypto map Outside-untrust_map 1 set security-association lifetime seconds 28800

crypto map Outside-untrust_map 1 set security-association lifetime kilobytes 4608000

crypto map Outside-untrust_map 1 set reverse-route

crypto map Outside-untrust_map interface Outside-untrust

crypto isakmp enable Outside-untrust

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

ISA Side:

PhaseI:

Encryption Algorithm: 3DES

Integrity Algorithm: SHA1

DH Group: Group 2 (1024 bit)

Auth & Generate New Key: 86400 Seconds

PhaseII:

Encryption Algorithm: 3DES

Integrity Algorithm: SHA1

New Key Every 4608000 Kb, 28800 Sec

Use PFS DH Group 2 (1024 Bit)

ACL:

access-list inbound extended permit ip <> 255.255.255.0 <> 255.255.255.0

access-list Outside-untrust_1_cryptomap extended permit ip <> 255.255.255.0 <> 255.255.255.0

access-list Inside-trust_nat0_outbound extended permit ip <> 255.255.255.0 <> 255.255.255.0

access-list Inside-trust_access_in remark External Web Access

access-list Inside-trust_access_in extended permit tcp <> 255.255.255.0 any object-group DM_INLINE_TCP_1

access-list Inside-trust_access_in extended permit ip <> 255.255.255.0 <> 255.255.255.0

kevin.mcdermott... Mon, 05/18/2009 - 05:58

And this is what I see after it drops:

4|May 18 2009|09:48:28|713903|||||IP = <>, Error: Unable to remove PeerTblEntry

3|May 18 2009|09:48:28|713902|||||IP = <>, Removing peer from peer table failed, no match!

6|May 18 2009|09:48:11|713219|||||IP = <>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

6|May 18 2009|09:48:06|713219|||||IP = <>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

6|May 18 2009|09:48:01|713219|||||IP = <>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

5|May 18 2009|09:47:56|713041|||||IP = <>, IKE Initiator: New Phase 1, Intf Inside-trust, IKE Peer <> local Proxy Address <>, remote Proxy Address <>, Crypto map (Outside-untrust_map)

jamesl0112 Wed, 05/20/2009 - 08:21

Sorry for the delay - at first glance it would appear that the P1 & P2 settings match, and I don't have any immediate ideas unfortunately... perhaps someone else would like to jump in?

You could try enabling periodic dead peer detection at both ends, possibly?

crypto isakmp keepalive seconds [retries] [periodic | on-demand]

Actions

This Discussion