ASA 5505 -> ASA 5520 Site-To-Site Frequent Drops

Answered Question
Feb 3rd, 2010

Hi,

I'm about to drop kick this ASA 5505. Basically what happens is upon install the 5505 connects to the 5520, establishes the tunnel and all is well. Within 10 or 15 minutes, everything drops, and the VPN tunnel refuses to come back up until I reload the 5505. It's ANNOYING. This ASA is in a building that has been closed and is only being used for security so each time this happens I'm standing in a freezing building cussing.

At the 5520, the messages are as follows:

Feb  3 15:28:24 asalicious.ips.k12.in.us Feb 03 15:28:42 EST: %ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb  3 15:28:25 asalicious.ips.k12.in.us Feb 03 15:28:43 EST: %ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
plicate Phase 1 packet detected.  Retransmitting last packet.
Feb  3 15:28:31 asalicious.ips.k12.in.us Feb 03 15:28:49 EST: %ASA-vpn-6-713905: IP = 70.63.52.210, P1 Retransmit msg dispatched to MM FSM

--- Also:

5   IKE Peer: 70.63.52.210
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
6   IKE Peer: 70.63.52.210
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3

If anyone has any ideas that'd be grand. The darn thing works for literally 20 minutes and all is peachy -- then DEATH!

Both running identical 8.2 code.

Thanks,

Tim

Correct Answer by Ivan Martinon about 6 years 10 months ago

Hi Tim,

Sorry for the pain. VPN drops are caused by numerous things, hence the request for the config, as we need to isolate it. For instance, a mismatch in configuration could be one of the reasons, as the SAs might be negotiated with tunnels that are not quite defined for this particular tunnel. As well, the drop might occur due to DPDs being lost on the path or because of some IP renewal.

As for the config, I need to see the relevant Crypto ACLs on both sides, relevant NAT exempt rules and relevant Crypto definitions (in this part see if you can post all of the ones included)

Thanks

Ivan

Ivan Martinon Wed, 02/03/2010 - 12:50

Is there a way for you to get the "show run all" from both appliances? Can you also give some details about the connection type from the 5505?

timothybward Wed, 02/03/2010 - 15:11

Thank you for the reply.

The 5520 config is huge; is there anything in particular you want? I'll have to go out to the site tomorrow and grab the config off the remote ASA. I thought I might be able to get away with not having to post the config because it DOES WORK, just once it goes down it never comes back.

The connection is 5505 -> Cable -> internet -> ISP -> 5520.

Thanks again!

Tim


timothybward Thu, 02/04/2010 - 04:43

Okay! So I stopped by the site this morning. Here is the config and some output while the tunnel was up, 5505 over cable.

interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 70.63.52.210
      access-list encrypt permit ip 167.217.160.0 255.255.254.0 any
      local ident (addr/mask/prot/port): (167.217.160.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 165.138.233.226
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 70.63.52.210, remote crypto endpt.: 165.138.233.226
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 667FC9E9
      current inbound spi : DE9E4ED4
    inbound esp sas:
      spi: 0xDE9E4ED4 (3734916820)
         transform: esp-aes-192 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3914999/28790)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0x667FC9E9 (1719650793)
         transform: esp-aes-192 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3914999/28790)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa5505-sch64# show run
: Saved
:
ASA Version 8.2(1)11
!
hostname asa5505-sch64
domain-name ips.k12.in.us
enable password k6ba4ffBJucyFL7e encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 167.217.161.254 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.63.52.210 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ips.k12.in.us
access-list encrypt extended permit ip 167.217.160.0 255.255.254.0 any
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered informational
logging trap informational
logging asdm informational
logging host outside 167.217.2.60
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm6.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 70.63.52.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-192 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address encrypt
crypto map mymap 10 set peer 165.138.233.226
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 167.217.3.220
!
dhcpd address 167.217.160.1-167.217.160.2 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password /RrfNVdJ/j8owCEC encrypted privilege 15
tunnel-group 165.138.233.226 type ipsec-l2l
tunnel-group 165.138.233.226 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 10
!
!
prompt hostname context
Cryptochecksum:ff55da1930cd1f55c4f684901027791d
: end

asa5505-sch64# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 70.63.52.209 to network 0.0.0.0

C    70.63.52.208 255.255.255.248 is directly connected, outside
C    167.217.160.0 255.255.254.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 70.63.52.209, outside
asa5505-sch64#

_______________________________


The following are the relevant (I think) config portions from the ASA 5520 headend.

route outside 167.217.160.0 255.255.254.0 167.217.161.254 1

access-list outside_cryptomap_2 extended permit ip any 167.217.160.0 255.255.254.0

crypto ipsec transform-set ips_default esp-aes-192 esp-md5-hmac
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 70.63.52.210
crypto map outside_map 3 set transform-set ips_default
crypto map outside_map 3 set nat-t-disable
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 6
vpn-tunnel-protocol IPSec
ip-comp enable
nem enable
nac-settings value DfltGrpPolicy-nac-framework-create
group-policy 64 internal
group-policy 64 attributes
vpn-tunnel-protocol IPSec svc
tunnel-group 70.63.52.210 type ipsec-l2l
tunnel-group 70.63.52.210 general-attributes
default-group-policy 64
tunnel-group 70.63.52.210 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
_____
I'm pretty sure that's everything. Again, as you can see at the top it comes up right after reboot but then drops randomly afterwards and requires a reboot before it returns.
Thanks for all your help!
Tim
timothybward Thu, 02/04/2010 - 11:53

FIXED!

ipsec timing issue. Didn't have keepalives set on the headend.

Thanks for the help!
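The two configs in this thread differ on exactly the point that turned out to be the fix: the 5505 has `isakmp keepalive threshold 30 retry 10` under its tunnel-group ipsec-attributes and the 5520 has nothing there. The script below is an added example, not code from the thread or from Cisco, that audits a spoke and a hub config for that omission and for the transform-set mismatch Ivan asked about first; the config excerpts are constructed from the posted ones, and the hub excerpt deliberately keeps the flattened indentation of the paste above.

```python
import re

# Constructed excerpts modelled on the thread's 5505 (spoke) and 5520 (hub)
# configs; the hub copy, like the one posted above, lacks an isakmp keepalive line.
SPOKE_CFG = """\
crypto ipsec transform-set myset esp-aes-192 esp-md5-hmac
tunnel-group 165.138.233.226 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 10
"""
HUB_CFG = """\
crypto ipsec transform-set ips_default esp-aes-192 esp-md5-hmac
tunnel-group 70.63.52.210 ipsec-attributes
pre-shared-key *
"""

# Sub-commands valid under "tunnel-group ... ipsec-attributes"; matching on them keeps
# the block parser working when a paste lost the indentation, as in the thread.
SUBCMDS = ("pre-shared-key", "isakmp keepalive", "peer-id-validate", "trust-point", "chain")

def keepalive_settings(cfg):
    """Map each peer with an ipsec-attributes block to its isakmp keepalive line (None if absent)."""
    result, peer = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            peer = m.group(1)
            result.setdefault(peer, None)
        elif peer and (raw[:1].isspace() or line.startswith(SUBCMDS)):
            if line.startswith("isakmp keepalive"):
                result[peer] = line
        else:
            peer = None  # any other top-level command ends the block
    return result

def transform_sets(cfg):
    """Map each transform-set name to its cipher/auth string."""
    return dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M))

def audit(spoke_cfg, hub_cfg):
    """Findings worth settling before calling a drop a 'timing issue'."""
    findings = []
    for side, cfg in (("spoke", spoke_cfg), ("hub", hub_cfg)):
        for peer, ka in keepalive_settings(cfg).items():
            if ka is None:
                findings.append(f"{side}: tunnel-group {peer} has no explicit isakmp keepalive")
    if not set(transform_sets(spoke_cfg).values()) & set(transform_sets(hub_cfg).values()):
        findings.append("spoke and hub share no IPsec transform set")
    return findings
```

Run `audit(SPOKE_CFG, HUB_CFG)` and the only finding is the hub's missing keepalive line, which is the change Tim made.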
