ASA 5520 VPN Site-Site Problem

Unanswered Question
Sep 17th, 2010
Hi All,

Hope this finds you well.

I'm new to ASA and firewalls.

I tried to configure a site-to-site VPN on an ASA 5520. The tunnel is established and working fine, but some remote sites disconnect from time to time for 15 to 60 minutes and then connect again. I tried hard to find a solution for this problem but I can't.

I tried to get the debug crypto isakmp sa and debug crypto ipsec sa output on the ASA and on the remote router (Cisco 877), but no debugs appear on either side.

So I need your help to have a look at the configuration, and I will be grateful if you help.


ASA Configuration

boot system disk0:/asa722-k8.bin


hostname MY-VPN-OUT
domain-name DOMAIN.COM
enable password rjipvpn3
names
!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address XX.XX.XX.138 255.255.255.252
no shut
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif LAN
security-level 100
ip address 10.10.10.3 255.255.255.0
no shut
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
no shut
!
passwd rjipvpn3
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server XX.XX.XX.10
domain-name YY.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Inernal_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.10.177.0 255.255.255.0
access-list Inernal_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 host 10.10.177.4
access-list Inernal_nat0_outbound extended permit ip any host 10.10.177.4
access-list Inernal_nat0_outbound extended permit ip any host 10.10.66.20
access-list Inernal_nat0_outbound extended permit ip any host 10.10.66.1
access-list Inernal_nat0_outbound extended permit ip any host 10.10.66.2
access-list Inernal_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.10.155.64 255.255.255.192
access-list Inernal_nat0_outbound extended permit ip 10.10.147.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Inernal_nat0_outbound extended permit ip any 10.10.177.0 255.255.255.0
access-list Inernal_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 host 10.10.177.4
access-list Inernal_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 host 10.10.177.5
access-list Inernal_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 10.10.177.0 255.255.255.0
access-list Reyad standard permit 10.0.0.0 255.0.0.0
access-list WAN_20_cryptomap_1 extended permit ip 10.10.147.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list WAN extended permit icmp any any
access-list WAN_20_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.10.147.0 255.255.255.0
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 host 10.10.77.4
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
!
ip local pool Reyad 10.10.177.4 mask 255.255.255.255
ip local pool Roming_POOL 10.10.177.100-10.10.177.200 mask 255.255.255.0
!
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 WAN
icmp permit any WAN
icmp permit any LAN
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (LAN) 0 access-list Inernal_nat0_outbound
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
route WAN 10.10.154.192 255.255.255.192 XX.XX.XX.137 1
route LAN 10.0.0.0 255.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Reyad internal
group-policy Reyad attributes
dns-server value 10.10.10.10
vpn-tunnel-protocol IPSec
username [email protected] password wwwww
!
http server enable
http 10.10.66.2 255.255.255.255 LAN
http 10.10.177.4 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption WAN
crypto ipsec fragmentation after-encryption LAN
crypto ipsec fragmentation after-encryption management
crypto dynamic-map WAN_dyn_map 20 set pfs
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 40 set pfs
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 60 set pfs
crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 80 set pfs
crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 100 set pfs
crypto dynamic-map WAN_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set pfs
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 20 set transform-set myset
crypto dynamic-map cisco 20 set reverse-route
crypto dynamic-map cisco 40 set pfs
crypto dynamic-map cisco 40 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 60 set pfs
crypto dynamic-map cisco 60 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 80 set pfs
crypto dynamic-map cisco 80 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 100 set pfs
crypto dynamic-map cisco 100 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 120 set pfs
crypto dynamic-map cisco 120 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 140 set pfs
crypto dynamic-map cisco 140 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 160 set pfs
crypto dynamic-map cisco 160 set transform-set ESP-3DES-SHA
crypto map WAN_map 40 set pfs
crypto map WAN_map 40 set transform-set ESP-AES-128-SHA
crypto map WAN_map 60 set pfs
crypto map WAN_map 60 set transform-set ESP-AES-128-SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
crypto map mymap 20 ipsec-isakmp dynamic cisco
crypto map mymap interface WAN
crypto isakmp identity address
crypto isakmp enable WAN
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal  10
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxx
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxx
isakmp ikev1-user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Roming_POOL
tunnel-group Reyad type ipsec-ra
tunnel-group Reyad general-attributes
address-pool Reyad
tunnel-group Reyad ipsec-attributes
pre-shared-key wwwww
telnet 10.10.177.4 255.255.255.255 WAN
telnet 10.10.66.1 255.255.255.0 LAN
telnet timeout 5
ssh 10.10.177.4 255.255.255.255 WAN
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!            
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:8f32b9badd7c940bebda40fc1c4cf7ab
: end

___________________________________________________

Router Configuration

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
group 5
exit
!
crypto isakmp key xxxxxxxxxxxx address XX.XX.XX.138
!
crypto ipsec transform-set ESP_SHA_HMAC esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer XX.XX.XX.138
set transform-set ESP_SHA_HMAC
match address 101
exit
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address dhcp
ip mtu 1452
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
interface Vlan2
ip address 10.10.154.197 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1300
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip nat inside source route-map SDM_RMAP_1 interface Vlan1 overload
!
access-list 100 deny   ip 10.10.154.192 0.0.0.63 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.10.154.192 0.0.0.63 any
access-list 101 permit ip 10.10.154.192 0.0.0.63 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.154.192 0.0.0.63 57.5.64.0 0.0.0.255

route-map SDM_RMAP_1 permit 1
match ip address 100

Federico Coto F... Fri, 09/17/2010 - 15:32

The debugs might not show anything because the tunnel is not going down at all (no renegotiations).

Which subnets/IPs are disconnecting?

Let's assume the following:

The tunnel never goes down, but the remote sites disconnect for several minutes... could it be the application itself?

i.e.

If you leave an extended ping running through the tunnel, do you see those packets timing out as well when this happens?

Federico.

Reyad Safi Sat, 09/18/2010 - 01:03

Dear Federico,

Thank you for your reply.

I was thinking along the same lines, so I configured a scheduled ping on the remote router to ensure the VPN tunnel is always initiated, but unfortunately the same problem occurs. The disconnection always happens at the same time every day. I checked show version on the remote router; it was not turned off, so I'm thinking about a dynamic DSL IP address release issue.

Please help.

Reyad

Jitendriya Athavale (Cisco Employee) Sat, 09/18/2010 - 06:46

Hi Reyad,

Let's try to isolate the problem. Please help me understand the issue by answering the following:

  • Is the tunnel down? You can verify this by checking show crypto isakmp sa and show crypto ipsec sa peer on both sites.
    • Check if the counters are incrementing in the encaps or decaps; this will give us some idea as to where the problem is.
  • Since you know precisely when this occurs, in order to take the rest of the internal network out of the picture, try pinging from the ASA interface to the router's inside interface.
    • You can do ping inside, or you can do a source ping to the ASA inside interface from the router LAN interface.
    • Before you do this, make sure you have management-access inside on the ASA.
  • Also, let us apply captures on the ASA outside interface when the issue happens again and check for ESP packets for this tunnel.
    • Let us see if the ISP on the other site is doing something.
  • Also, when the issue happens again, try clearing the tunnel and re-establishing it, and this time enable debugs; this will tell us what is happening.
Reyad Safi Sun, 09/19/2010 - 02:15

Dear Jathaval,

When the problem occurs, I connect directly to the firewall. The VPN tunnel is up and there is send/receive, but I couldn't ping.

When the VPN is released from the ASA, the site connects again and everything goes back to normal.

I would like to know if there's a way to tell the ASA to disconnect the tunnel when the remote site doesn't respond to ping.

Your cooperation is appreciated.

Reyad

Jitendriya Athavale (Cisco Employee) Sun, 09/19/2010 - 05:39

So if I understand you right, you see encaps and decaps incrementing on both sides when the pings stop through the tunnel. This means that the tunnel is up.

Then, if I understand you right, you mean that you bring down the tunnel and make it re-establish, and that's when everything starts working.

Please clarify.

Now, if what I have said above is right, please try the following:

Apply captures between the peer IPs and see if you see packets going in both directions. Also, since the other end is a router, see if there is any way you can capture traffic on the other end: either create an access-list and see the hit counts incrementing, or SPAN the switch port which is connected to the router.

Reyad Safi Sun, 09/19/2010 - 10:57

Dear Jathaval,

I would like to tell you something I noticed related to my problem.

In ASDM on the ASA the VPN tunnel is up, and the encryption/decryption counters increase in spite of there being no ping to the remote site.

This status continues until the rekeying interval (3600) finishes; after that the ASA recognises that the VPN tunnel went down.

Then, after a few seconds, the remote site comes up again.

So I would like to know if there's a way to make the ASA drop the VPN when there's no traffic to the remote site.

Regards

Jitendriya Athavale (Cisco Employee) Sun, 09/19/2010 - 21:46

Hi,

Well, we need to find out why this is happening, as this is not expected behaviour; the ASA should not just stop encrypting packets on its own and wait for the phase 2 rekey to start encrypting with new SPIs.

In your case I don't think keepalives would solve the problem, because phase 1 is always up. And it is really weird that the packets are shown as being encapsulated in the IPsec SA but we don't know for sure whether they are leaving the ASA; this is the reason I am asking you to apply captures repeatedly on the outside of the ASA.

Please apply captures and paste the output.

sweekriti.mohun Mon, 09/20/2010 - 07:16

What are your keepalives in kB? It could be that the SAs are ending their life very soon and trying to re-key, not negotiating properly.

Maximise the kB on both ends and see if this makes a difference....
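
The two checks this thread keeps coming back to, Jitendriya's encaps/decaps comparison and sweekriti's question about the SA lifetime, can be made against saved `show crypto ipsec sa` output instead of by eye. The Python below is an added example and is not code from this thread or from Cisco: it parses two snapshots of that command, reports how each SA's counters moved between them, and reads the remaining kB/seconds lifetime so a rekey can be lined up against the outage window. The snapshots are constructed to mimic ASA 7.x output; the peer addresses 203.0.113.138 and 198.51.100.7, the SPIs and the counter values are invented, and the verdict strings and thresholds are this example's own, not ASA terminology.

```python
"""Diff two `show crypto ipsec sa` snapshots from an ASA and classify what the
per-SA counters show.  Added example for this thread (not code from the original
post or from Cisco).  The snapshots are constructed: field names follow ASA 7.x
output, but the addresses, SPIs and counters are made up."""
import re
from dataclasses import dataclass

# Constructed snapshot of the L2L SA to the Cisco 877 site (10.0.0.0/8 <-> 10.10.154.192/26).
SNAPSHOT_T0 = """\
interface: WAN
    Crypto map tag: mymap, seq num: 20, local addr: 203.0.113.138

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.154.192/255.255.255.192/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         sa timing: remaining key lifetime (kB/sec): (4274999/3100)
    outbound esp sas:
      spi: 0x5E6F7081 (1584361601)
         sa timing: remaining key lifetime (kB/sec): (4274990/3100)
"""

# Same SA sixty seconds later while pings through the tunnel are failing:
# both counters moved and the lifetime ticked down (constructed, derived from T0).
SNAPSHOT_T1 = (
    SNAPSHOT_T0
    .replace("encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200",
             "encaps: 1260, #pkts encrypt: 1260, #pkts digest: 1260")
    .replace("decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180",
             "decaps: 1240, #pkts decrypt: 1240, #pkts verify: 1240")
    .replace("/3100)", "/3040)")
)


@dataclass
class SaSnapshot:
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    remaining_kb: int   # smallest remaining kB across the inbound/outbound ESP SAs
    remaining_sec: int  # smallest remaining seconds across the inbound/outbound ESP SAs


def parse_ipsec_sa(text: str) -> dict[str, SaSnapshot]:
    """One SaSnapshot per crypto-map entry that has an SA up, keyed 'local->remote'."""
    result = {}
    for blk in re.split(r"(?m)^[ \t]*Crypto map tag:", text)[1:]:
        def grab(pattern: str):
            m = re.search(pattern, blk)
            return m.group(1) if m else None

        fields = (grab(r"current_peer:\s*(\S+)"),
                  grab(r"local ident \(addr/mask/prot/port\):\s*\(([^)]+)\)"),
                  grab(r"remote ident \(addr/mask/prot/port\):\s*\(([^)]+)\)"),
                  grab(r"#pkts encaps:\s*(\d+)"),
                  grab(r"#pkts decaps:\s*(\d+)"))
        if None in fields:
            continue  # crypto-map entry with no SA negotiated yet
        peer, local, remote, encaps, decaps = fields
        life = re.findall(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)", blk)
        kb = min((int(k) for k, _ in life), default=-1)
        sec = min((int(s) for _, s in life), default=-1)
        result[f"{local}->{remote}"] = SaSnapshot(peer, local, remote, int(encaps), int(decaps), kb, sec)
    return result


def diagnose(before: SaSnapshot, after: SaSnapshot) -> str:
    """Classify how one SA's counters moved between two snapshots (labels are this example's)."""
    if before.peer != after.peer:
        return "peer-changed"          # SA rebuilt towards another address: the dynamic peer IP moved
    d_enc, d_dec = after.encaps - before.encaps, after.decaps - before.decaps
    if d_enc < 0 or d_dec < 0:
        return "rekeyed"               # counters reset: new SPIs were negotiated between snapshots
    if d_enc == 0 and d_dec == 0:
        return "no-traffic-in-tunnel"  # nothing matched the crypto ACL: look at routing/NAT exemption
    if d_dec == 0:
        return "one-way-outbound"      # we encrypt, nothing returns: far side, its ISP, or return path
    if d_enc == 0:
        return "one-way-inbound"       # we decrypt but never encrypt: our side is not sending
    return "bidirectional"             # ESP counted both ways; if pings still fail, look behind decryption


def rekey_due_within(sa: SaSnapshot, seconds: int = 300, kilobytes: int = 10_000) -> bool:
    """True when the SA will re-key soon by time or by volume (thresholds are arbitrary)."""
    return 0 <= sa.remaining_sec <= seconds or 0 <= sa.remaining_kb <= kilobytes


def report(t0: str, t1: str) -> dict[str, str]:
    """Diagnose every SA present in both snapshots."""
    before, after = parse_ipsec_sa(t0), parse_ipsec_sa(t1)
    return {key: diagnose(before[key], after[key]) for key in before if key in after}


if __name__ == "__main__":
    for key, verdict in report(SNAPSHOT_T0, SNAPSHOT_T1).items():
        sa = parse_ipsec_sa(SNAPSHOT_T1)[key]
        print(f"{key}: {verdict}; re-key in {sa.remaining_sec}s / {sa.remaining_kb} kB")
```

Run it on two snapshots taken a minute apart while the remote site is unreachable. As Jitendriya points out above, a "bidirectional" verdict only proves the ASA believes it encrypted and decrypted ESP for this SA; whether those packets actually left the box is what the outside-interface capture has to show, and a remaining lifetime that lands inside the outage window is what would support sweekriti's rekey theory.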
