Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1204
Views
0
Helpful
3
Replies

Verizon DSL VPN problems

msims
Level 1
Level 1

‎08-31-2010 10:11 AM

Did Verizon DSL (East coast / USA) change VPN practices or filtering today?

We have 4 site-to-site IPSec VPN tunnels up all the time, and today our tunnel to a Verizon DSL endpoint (ASA-5505) will not connect!  This is very frustrating.  Of course Verizon does not "support" VPN tunneling on their DSL, but it has worked fine in the past.  Nothing changed in any configs.  Other 3 VPNs are working fine, but none of the other endpoints are Verizon.

The VPN structure is ASA to ASA so there is no complexity in hardware brands, etc.  Phase 1 will not complete.  Using pre-share/3des/sha/dh1, like we always have.

Thank you!  Hopefully someone else has seen this.

-mike

Labels:
0 Helpful
3 Replies 3

athukral
Level 1
Level 1

‎09-01-2010 12:46 AM

Hey Michael,

Can you please attach the follwoing debugs from ASA--

debug crypto isakmp 127

debug crypto ipsec 127

Thanks

Ankur

0 Helpful

msims
Level 1
Level 1
In response to athukral

‎09-01-2010 05:21 AM

There is nothing to debug now since the tunnel came back up, after about 6 hours down.

At the time, a show crypto isakmp sa would return...

On one end, state MM_WAIT_MSG2

On the other, state MM_WAIT_MSG3

So to me that suggested one side would send the initial comm, it would get received by the other side which would send it back, then be waiting for step 3.  The original side never gets the step 2 msg and so it doesn't complete.  From what I could read on various forums, this suggested some sort of intermittent routing as a possible cause, and seeing as Verizon just fixed it themselves, it might have been a Verizon routing problem.  Tho they won't confirm it was, and their routing tests showed there was no problem.

Thank you for giving it some thought tho!

0 Helpful

athukral
Level 1
Level 1
In response to msims

‎09-01-2010 05:18 PM

Thanks for the reply!!


Yes you are right, our side sent the traffic, it was recieved at verizon end, they also responded but that never came back to us. It  can be due to routing or might be some other blockage on transitioning path.


I am glad that this issue is resolved now



Appreciate your time.


Ankur

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents