09-17-2010 01:53 PM - edited 03-11-2019 11:41 AM
Hi All,
Hope this finds you well.
I'm new to ASA and firewalls.
I tried to configure a site-to-site VPN on an ASA 5520. The tunnel is established and working fine, but some remote sites disconnect from time to time for 15 to 60 minutes, then connect again. I tried hard to find a solution for this problem but I can't.
I tried to get the debug crypto isakmp sa and debug crypto ipsec sa output from the ASA and the remote router (Cisco 877), but no debugs appear on either side.
So I need your help to have a look at the configuration, and I will be grateful if you help.
ASA Configuration
boot system disk0:/asa722-k8.bin
hostname MY-VPN-OUT
domain-name DOMAIN.COM
enable password rjipvpn3
names
!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address XX.XX.XX.138 255.255.255.252
no shut
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif LAN
security-level 100
ip address 10.10.10.3 255.255.255.0
no shut
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
no shut
!
passwd rjipvpn3
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server XX.XX.XX.10
domain-name YY.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Inernal_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.10.177.0 255.255.255.0
access-list Inernal_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 host 10.10.177.4
access-list Inernal_nat0_outbound extended permit ip any host 10.10.177.4
access-list Inernal_nat0_outbound extended permit ip any host 10.10.66.20
access-list Inernal_nat0_outbound extended permit ip any host 10.10.66.1
access-list Inernal_nat0_outbound extended permit ip any host 10.10.66.2
access-list Inernal_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.10.155.64 255.255.255.192
access-list Inernal_nat0_outbound extended permit ip 10.10.147.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Inernal_nat0_outbound extended permit ip any 10.10.177.0 255.255.255.0
access-list Inernal_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 host 10.10.177.4
access-list Inernal_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 host 10.10.177.5
access-list Inernal_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 10.10.177.0 255.255.255.0
access-list Reyad standard permit 10.0.0.0 255.0.0.0
access-list WAN_20_cryptomap_1 extended permit ip 10.10.147.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list WAN extended permit icmp any any
access-list WAN_20_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.10.147.0 255.255.255.0
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 host 10.10.77.4
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
!
ip local pool Reyad 10.10.177.4 mask 255.255.255.255
ip local pool Roming_POOL 10.10.177.100-10.10.177.200 mask 255.255.255.0
!
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 WAN
icmp permit any WAN
icmp permit any LAN
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (LAN) 0 access-list Inernal_nat0_outbound
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
route WAN 10.10.154.192 255.255.255.192 XX.XX.XX.137 1
route LAN 10.0.0.0 255.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy Reyad internal
group-policy Reyad attributes
dns-server value 10.10.10.10
vpn-tunnel-protocol IPSec
username Reyad@my.com password wwwww
!
http server enable
http 10.10.66.2 255.255.255.255 LAN
http 10.10.177.4 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption WAN
crypto ipsec fragmentation after-encryption LAN
crypto ipsec fragmentation after-encryption management
crypto dynamic-map WAN_dyn_map 20 set pfs
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 40 set pfs
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 60 set pfs
crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 80 set pfs
crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 100 set pfs
crypto dynamic-map WAN_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set pfs
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 20 set transform-set myset
crypto dynamic-map cisco 20 set reverse-route
crypto dynamic-map cisco 40 set pfs
crypto dynamic-map cisco 40 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 60 set pfs
crypto dynamic-map cisco 60 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 80 set pfs
crypto dynamic-map cisco 80 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 100 set pfs
crypto dynamic-map cisco 100 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 120 set pfs
crypto dynamic-map cisco 120 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 140 set pfs
crypto dynamic-map cisco 140 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 160 set pfs
crypto dynamic-map cisco 160 set transform-set ESP-3DES-SHA
crypto map WAN_map 40 set pfs
crypto map WAN_map 40 set transform-set ESP-AES-128-SHA
crypto map WAN_map 60 set pfs
crypto map WAN_map 60 set transform-set ESP-AES-128-SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
crypto map mymap 20 ipsec-isakmp dynamic cisco
crypto map mymap interface WAN
crypto isakmp identity address
crypto isakmp enable WAN
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 10
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxx
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key xxxxxxxxxxxx
isakmp ikev1-user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Roming_POOL
tunnel-group Reyad type ipsec-ra
tunnel-group Reyad general-attributes
address-pool Reyad
tunnel-group Reyad ipsec-attributes
pre-shared-key wwwww
telnet 10.10.177.4 255.255.255.255 WAN
telnet 10.10.66.1 255.255.255.0 LAN
telnet timeout 5
ssh 10.10.177.4 255.255.255.255 WAN
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:8f32b9badd7c940bebda40fc1c4cf7ab
: end
___________________________________________________
The Router Configuration
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
group 5
exit
!
crypto isakmp key xxxxxxxxxxxx address XX.XX.XX.138
!
crypto ipsec transform-set ESP_SHA_HMAC esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer XX.XX.XX.138
set transform-set ESP_SHA_HMAC
match address 101
exit
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address dhcp
ip mtu 1452
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
interface Vlan2
ip address 10.10.154.197 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1300
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip nat inside source route-map SDM_RMAP_1 interface Vlan1 overload
!
access-list 100 deny ip 10.10.154.192 0.0.0.63 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.10.154.192 0.0.0.63 any
access-list 101 permit ip 10.10.154.192 0.0.0.63 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.154.192 0.0.0.63 57.5.64.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
match ip address 100
09-17-2010 03:32 PM
The debugs might not show anything because the tunnel is not going down at all (no renegotiations).
Which subnets/IPs are disconnecting?
Let's assume the following:
The tunnel never goes down, but the remote sites disconnect for several minutes... could it be the application itself?
i.e.
If you leave an extended ping running through the tunnel, do you see those packets timing out as well when this happens?
Federico.
09-18-2010 01:03 AM
Thank you for your reply.
I think the same way, so I configured a scheduled ping on the remote router to ensure the VPN tunnel is always initiated, but unfortunately the same problem occurs. The disconnection always happens at the same time every day. I checked the show version on the remote router; it was not turned off, so I'm thinking about the dynamic DSL IP address release issue.
Please help.
Reyad
09-18-2010 06:46 AM
Hi Reyad,
Let's try to isolate the problem. Please help me understand the issue by answering the following:
09-19-2010 02:15 AM
Dear Jathaval,
When the problem occurs, I connect directly to the firewall. The VPN tunnel is up and there is send/receive, but I couldn't ping.
When the VPN is released from the ASA, the site connects directly and everything goes back to normal.
I would like to know if there's a way to tell the ASA to disconnect the tunnel when the remote site doesn't ping.
Your cooperation is appreciated.
Reyad
09-19-2010 05:39 AM
So if I understand you right, you see encaps and decaps incrementing on both sides when the pings stop through the tunnel. This means that the tunnel is up.
Then, if I understand you right, you mean that you bring down the tunnel and make it re-establish, and that's when everything starts working.
Please clarify.
Now, if what I have said above is right, then please try the following:
Apply captures between the peer IPs and see if you see packets going in both directions. Also, since the other end is a router, see if there is any way you can capture traffic on the other end: either create an access-list and see hit counts incrementing, or SPAN the switch port which is connected to the router.
09-19-2010 10:57 AM
Dear Jathaval,
I would like to tell you some things I noticed related to my problem.
On the ASA ASDM, the VPN tunnel is up and the encryption/decryption counters increase in spite of there being no ping to the remote site.
This status continues until the rekeying interval (3600) finishes; after that, the ASA recognises that the VPN tunnel went down.
Then, after a few seconds, the remote site becomes up again.
So I would like to know if there's a way to make the ASA drop the VPN when there's no traffic to the remote site.
Regards
09-19-2010 09:46 PM
Hi,
Well, we need to find out why this is happening, as this is not expected behaviour; the ASA should not just stop encrypting packets on its own and wait for the phase 2 rekey to start encrypting with new SPIs.
In your case I don't think keepalives would solve the problem because phase 1 is always up. And it is really weird that the packets are shown as being encapsulated in the IPsec SA but we don't know for sure whether they are leaving the ASA; this is the reason I am asking you to apply captures repeatedly on the outside of the ASA.
Please apply captures and paste the output.
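The two posts above turn on one diagnostic: take the encaps/decaps counters from `show crypto ipsec sa` twice, a minute apart, and see whether traffic moves in both directions, only one, or not at all. The script below is an added example written for this thread; it is not code from any of the posters or from Cisco. It parses two constructed snapshots in the shape of ASA 7.2 `show crypto ipsec sa` output (only the `remote ident`, `#pkts encaps` and `#pkts decaps` lines are read; the peer addresses and packet counts are made up) and classifies each SA. A "send-only" verdict is exactly the symptom being discussed: the ASA keeps encrypting into the tunnel while nothing ever comes back, which is the case where an outside capture is needed to tell whether those ESP packets actually leave the box. The script also handles counters that go backwards (the SA was rekeyed or cleared between snapshots) and SAs that appear or vanish between the two runs.

```python
import re

# Constructed sample output (not from the thread), trimmed to the lines this script reads.
SNAPSHOT_T0 = """\
interface: WAN
    Crypto map tag: mymap, seq num: 20, local addr: 192.0.2.138

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.154.192/255.255.255.192/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify: 1198

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.147.0/255.255.255.0/0/0)
      current_peer: 198.51.100.9

      #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
      #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
"""

# Same SAs one minute later: the first one only sends, the second one is healthy.
SNAPSHOT_T1 = """\
interface: WAN
      remote ident (addr/mask/prot/port): (10.10.154.192/255.255.255.192/0/0)
      #pkts encaps: 1260, #pkts encrypt: 1260, #pkts digest: 1260
      #pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify: 1198

      remote ident (addr/mask/prot/port): (10.10.147.0/255.255.255.0/0/0)
      #pkts encaps: 560, #pkts encrypt: 560, #pkts digest: 560
      #pkts decaps: 541, #pkts decrypt: 541, #pkts verify: 541
"""

REMOTE_IDENT = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ENCAPS = re.compile(r"#pkts encaps: (\d+)")
DECAPS = re.compile(r"#pkts decaps: (\d+)")

IDLE = "idle: no packets in either direction"
SEND_ONLY = "send-only: local side encrypts but nothing comes back"
RECV_ONLY = "receive-only: remote side sends but local side encrypts nothing"
BIDIRECTIONAL = "bidirectional: traffic flowing both ways"
RESET = "counters went backwards: SA was rekeyed or cleared between snapshots"
NEW_SA = "SA not present in first snapshot"
GONE = "SA missing from second snapshot"


def parse_sa_counters(text):
    """Map each remote proxy identity (net/mask) to its (encaps, decaps) counters."""
    counters = {}
    current = None
    for line in text.splitlines():
        m = REMOTE_IDENT.search(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            counters[current] = [0, 0]
            continue
        if current is None:
            continue
        m = ENCAPS.search(line)
        if m:
            counters[current][0] = int(m.group(1))
        m = DECAPS.search(line)
        if m:
            counters[current][1] = int(m.group(1))
    return {net: tuple(vals) for net, vals in counters.items()}


def classify(before, after):
    """Compare two snapshots and give a verdict per SA based on the counter deltas."""
    verdicts = {net: GONE for net in before.keys() - after.keys()}
    for net, (enc1, dec1) in after.items():
        if net not in before:
            verdicts[net] = NEW_SA
            continue
        enc0, dec0 = before[net]
        d_enc, d_dec = enc1 - enc0, dec1 - dec0
        if d_enc < 0 or d_dec < 0:
            verdicts[net] = RESET
        elif d_enc == 0 and d_dec == 0:
            verdicts[net] = IDLE
        elif d_dec == 0:
            verdicts[net] = SEND_ONLY
        elif d_enc == 0:
            verdicts[net] = RECV_ONLY
        else:
            verdicts[net] = BIDIRECTIONAL
    return verdicts


if __name__ == "__main__":
    t0, t1 = parse_sa_counters(SNAPSHOT_T0), parse_sa_counters(SNAPSHOT_T1)
    for net, verdict in classify(t0, t1).items():
        print(f"{net}: {verdict}")
```

Run it against real output by pasting two consecutive `show crypto ipsec sa` captures into the two strings. A send-only SA on the ASA should line up with a receive-only (or idle) SA on the router; if the router shows nothing arriving while the ASA's encaps climb, the packets are being lost between the two peers, which is what the outside capture and the router-side access-list hit counts would confirm.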
09-20-2010 07:16 AM
What are your keepalives in KB? It is possible that the SAs are ending their life very soon and trying to re-key, not negotiating properly.
Maximise the KB on both ends and see if this makes a difference...
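The last two questions in the thread, "what is your lifetime in KB" and "is there a way to make the ASA drop the tunnel when the peer stops answering", both come down to settings that neither posted configuration sets explicitly, so the platform defaults apply. The audit below is an added example for this thread (not code from the posters or from Cisco). It scans the two configurations for the global IPsec SA lifetime commands and for IKE keepalive (DPD), falls back to the documented defaults where a command is absent, and reports the Phase 2 lifetime the two peers will converge on, which in IKEv1 is the shorter of the two proposals. The defaults it assumes are ASA 7.2 (28800 s / 4608000 KB, DPD enabled, `isakmp keepalive threshold 10 retry 2`) and IOS 12.4 (3600 s / 4608000 KB, DPD disabled); with both configurations left at defaults the effective lifetime is the router's 3600 s, consistent with the 3600 rekey interval Reyad observes. Per-crypto-map lifetime overrides are not parsed; the sample inputs are excerpts of the configurations posted above plus one constructed hardened router excerpt.

```python
import re

# Documented platform defaults assumed by this audit (ASA 7.2 and IOS 12.4).
ASA_DEFAULTS = {"seconds": 28800, "kilobytes": 4608000, "dpd": True}
IOS_DEFAULTS = {"seconds": 3600, "kilobytes": 4608000, "dpd": False}

# Excerpts of the two configurations posted in this thread (only the relevant lines).
ASA_EXCERPT = """\
crypto map mymap 20 ipsec-isakmp dynamic cisco
crypto map mymap interface WAN
crypto isakmp enable WAN
crypto isakmp nat-traversal 10
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key xxxxxxxxxxxx
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key xxxxxxxxxxxx
 isakmp ikev1-user-authentication none
"""

ROUTER_EXCERPT = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxx address XX.XX.XX.138
crypto ipsec transform-set ESP_SHA_HMAC esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer XX.XX.XX.138
 set transform-set ESP_SHA_HMAC
 match address 101
"""

# Constructed variant (not from the thread): DPD turned on and lifetime aligned with the ASA.
ROUTER_HARDENED = ROUTER_EXCERPT + """\
crypto isakmp keepalive 10 3 periodic
crypto ipsec security-association lifetime seconds 28800
"""

LIFETIME_PREFIX = "crypto ipsec security-association lifetime"


def _apply_lifetime(line, settings):
    """Read 'seconds N' and/or 'kilobytes N' from a global lifetime command."""
    m = re.search(r"\bseconds (\d+)", line)
    if m:
        settings["seconds"] = int(m.group(1))
    m = re.search(r"\bkilobytes (\d+)", line)
    if m:
        settings["kilobytes"] = int(m.group(1))


def audit_asa(config, tunnel_group="DefaultL2LGroup"):
    """Effective lifetime and DPD state on the ASA for the given L2L tunnel-group."""
    settings = dict(ASA_DEFAULTS)
    group = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) (\S+)", line)
        if m:
            # Only ipsec-attributes sections carry 'isakmp keepalive'.
            group = m.group(1) if m.group(2) == "ipsec-attributes" else None
            continue
        if line.startswith(LIFETIME_PREFIX):
            _apply_lifetime(line, settings)
            continue
        m = re.match(r"isakmp keepalive (disable|threshold \d+ retry \d+)", line)
        if m and group == tunnel_group:
            settings["dpd"] = m.group(1) != "disable"
    return settings


def audit_ios(config):
    """Effective lifetime and DPD state on the IOS router (global commands only)."""
    settings = dict(IOS_DEFAULTS)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(LIFETIME_PREFIX):
            _apply_lifetime(line, settings)
        elif re.match(r"crypto isakmp keepalive \d+", line):
            settings["dpd"] = True
    return settings


def negotiated_phase2(asa, ios):
    """IKEv1 quick mode converges on the shorter lifetime either peer proposes."""
    return {
        "seconds": min(asa["seconds"], ios["seconds"]),
        "kilobytes": min(asa["kilobytes"], ios["kilobytes"]),
        "dpd_both_sides": asa["dpd"] and ios["dpd"],
    }


if __name__ == "__main__":
    asa = audit_asa(ASA_EXCERPT)
    for label, router in (("as posted", ROUTER_EXCERPT), ("hardened", ROUTER_HARDENED)):
        print(label, negotiated_phase2(asa, audit_ios(router)))
```

The audit only tells you what the two ends will agree on; it does not change the diagnosis in the thread. It does make the trade-off visible: raising the router's lifetime to match the ASA moves the hourly rekey, which is currently the only event that clears the stuck SA, out to eight hours, so lifetimes should be aligned after the one-way traffic problem is understood, not as a substitute for finding it.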