Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1300
Views
0
Helpful
5
Replies

Dropouts on IPSEC between Cisco 87x and ISA 2006

p-vincent
Level 1
Level 1

‎12-28-2009 02:42 AM - edited ‎02-21-2020 04:26 PM

Hi all,

We are connecting several sites to our customers HQ through ipsec tunnels. On the remote sites we use Cisco 87x routers and at the HQ we use an ISA 2006 server.

Vpn tunnels build themselves quickly and for 90% they are working very good. But now and then the tunnel drops its connection and we have a about 10 - 30 timeouts before the tunnel rebuilds itself. In the logging we receive the following messages:

%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA and is not an initialization offer

Our crypto settings on the Cisco routers are the following:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <removed> address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map XX_XX 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA1
set pfs group2
match address 150

ISA IPSEC configuration:

Phase I:

Encryption algorithm: 3DES

Integrity algorithm: SHA1

Diffie-Hellman: Group 2

28800 seconds

Phase II:

Encryption algorithm: 3DES

Integrity algorithm: SHA1

Generate a new key every: 3600 seconds

Use Perfect Forward Secrecy (PFS):

Diffie Hellman: Group 2

We have made several similar IPSEC VPN connections before with Cisco and ISA (2004), using the same configuration and we have never experienced instable connections.

Many thanks in advance for your help.

Peter

Labels:
0 Helpful
5 Replies 5

noneckturtle
Level 1
Level 1

‎12-30-2009 01:33 AM

Hi Peter,

Can you post your complete config? I'm trying to get a similar setup working with a Cisco 877-M and ISA 2006 but can't even get the tunnel to connect.

Thanks,

David

0 Helpful

p-vincent
Level 1
Level 1
In response to noneckturtle

‎12-31-2009 07:06 AM

Hi David,

On the Cisco side you should be able to get it working with this (in my config the 10.x.16.0 is the local subnet, and the 128.x.x.0 is the remote subnet):

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map XX_XX 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA1
set pfs group2
match address 150
!
interface Dialer0
...
crypto map XX_XX
...
!
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 deny   ip 10.x.16.0 0.0.0.255 128.x.x.0 0.0.0.255
access-list 100 permit ip 10.x.16.0 0.0.0.255 any

access-list 150 permit ip 10.x.16.0 0.0.0.255 128.x.x.0 0.0.0.255
access-list 150 permit icmp 10.x.16.0 0.0.0.255 128.x.x.0 0.0.0.255
access-list 150 permit icmp 128.x.x.0 0.0.0.255 10.x.16.0 0.0.0.255

If you have your Cisco router configged like this, then the problem resides on your ISA side. Please check if it works with above config on your Cisco side, if not I can send you some screens from our ISA config.

Untill now I was not able to find a solution for the Dropouts on our VPN tunnels.

We use the following IOS on our routers: c870-advsecurityk9-mz.124-15.T9 is there any know bug on this version that can cause my dropouts?

Best regards and happy newyear!

Peter

0 Helpful

noneckturtle
Level 1
Level 1
In response to p-vincent

‎01-03-2010 12:51 AM

Hi Peter,

Thanks for the config.

I'm still having problems and now I suspect that they are on the ISA end.

A bit of background - I also publish OWA via RPC over HTTPS and connect via Outlook 2007. I found several articles that say I should have the external ip address of the Cisco added into the properties for the Cisco network in ISA. As soon as I add this and apply the setting I am unable to access Exchange2007 OWA (via Internet Explorer or Outlook), unable to connect via PPTP vpn.

The interesting part is that once I add in that ip to the Cisco network object within ISA the session monitor tells me that the ipsec tunnel is connected to the branch. But I cannot ping from ISA to the Cisco network.

Can you send through some more details about how you have the ISA end configured?

Thanks,

David

0 Helpful

p-vincent
Level 1
Level 1
In response to noneckturtle

‎01-04-2010 08:08 AM

Hi David,

We do not add the External IP of our Cisco router in the properties of ISA.

Properties on our ISA per VPN:

General:

Name, Description and enabled.

Addresses:

Start address - End Address

10.x.x.0 10.x.x.255

Connection:

Remote tunnel endpoint

"External ip from your Cisco"

Local VPN gateway address

"External ip from your ISA"

Ipsec Settings: see my first post on this topic.

Authentication:

Use pre-shared key for authenticaton

"pre shared key"

That makes it work on our side so I hope this helps.

You can check the status of your vpn tunnel on the Cisco site by "show crypto isakmp sa" and "show crypto ipsec sa".

Best regards,

Peter

0 Helpful

p-vincent
Level 1
Level 1

‎02-01-2010 08:05 AM

Can anybody help me out on this one?

Thanks, Peter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents