Cisco ASA 5540 site-to-site VPN with Microsoft ISA 2006

Unanswered Question
Dec 10th, 2010

I managed to create the VPN link, but there is a random request timeout that I am facing. When I ping the physical link and the VPN link simultaneously in separate windows, I noticed that the physical link replies when the VPN link request times out. What could be the problem?

Jennifer Halim Fri, 12/10/2010 - 04:54

Is the VPN tunnel up and running?

Can you please share the output of the following from the ASA:

show cry isa sa

show cry ipsec sa

I am not too sure what you mean by the VPN link not replying. Where are you trying to ping from, and what is the source IP address? Are you trying to ping from the LAN behind the ASA to the LAN behind the ISA server, and/or vice versa?

nataymenessa Fri, 12/10/2010 - 05:06

I am trying to ping from the LAN behind the ASA.

te-ASA# show crypto isakmp sa

   Active SA: 9
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 9

1   IKE Peer: 10.17.0.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 10.24.0.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 10.23.0.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
4   IKE Peer: 10.26.0.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: 10.28.0.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
6   IKE Peer: 10.9.0.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
7   IKE Peer: 10.13.0.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
8   IKE Peer: 10.15.0.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
9   IKE Peer: 10.6.0.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
te-ASA#   show cry ipsec sa
interface: outside
    Crypto map tag: External_map, seq num: 5, local addr: 78.41.227.59

      access-list outside_5_cryptomap permit ip Internal_network 255.255.0.0 Cairo 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (Cairo/255.255.255.0/0/0)
      current_peer: 10.9.0.10

      #pkts encaps: 423, #pkts encrypt: 423, #pkts digest: 423
      #pkts decaps: 404, #pkts decrypt: 404, #pkts verify: 404
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 423, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.9.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5E203582

    inbound esp sas:
      spi: 0x52285AFB (1378376443)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10895360, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94819/2832)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5E203582 (1579169154)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10895360, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94816/2832)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: External_map, seq num: 4, local addr: 78.41.227.59

      access-list outside_4_cryptomap permit ip Internal_network 255.255.0.0 Nairobi-IBAR 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (Nairobi-IBAR/255.255.255.0/0/0)
      current_peer: 10.13.0.10

      #pkts encaps: 3238, #pkts encrypt: 3238, #pkts digest: 3238
      #pkts decaps: 3562, #pkts decrypt: 3562, #pkts verify: 3562
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3262, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.13.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 10362BC9

    inbound esp sas:
      spi: 0x12363DC5 (305544645)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10903552, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94351/2967)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x10362BC9 (271985609)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10903552, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (93990/2966)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: External_map, seq num: 7, local addr: 78.41.227.59

      access-list outside_7_cryptomap permit ip Internal_network 255.255.0.0 Malawi 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (Malawi/255.255.255.0/0/0)
      current_peer: 10.15.0.10

      #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
      #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 43, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
             
      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.15.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DD35CA5D

    inbound esp sas:
      spi: 0x82611D3E (2187402558)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10907648, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94913/3482)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDD35CA5D (3711289949)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10907648, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94916/3482)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: External_map, seq num: 2, local addr: 78.41.227.59

      access-list External_cryptomap permit ip Internal_network 255.255.0.0 Niger 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (Niger/255.255.255.0/0/0)
      current_peer: 10.17.0.10

      #pkts encaps: 31499, #pkts encrypt: 31499, #pkts digest: 31499
      #pkts decaps: 40758, #pkts decrypt: 40758, #pkts verify: 40758
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 31499, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.17.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D57E2907

    inbound esp sas:
      spi: 0xD22AF35B (3526030171)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10526720, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94274/3090)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD57E2907 (3581815047)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10526720, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94872/3090)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: External_map, seq num: 8, local addr: 78.41.227.59

      access-list outside_8_cryptomap permit ip Internal_network 255.255.0.0 Newyork 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (Newyork/255.255.255.0/0/0)
      current_peer: 10.23.0.10

      #pkts encaps: 3957, #pkts encrypt: 3957, #pkts digest: 3957
      #pkts decaps: 3471, #pkts decrypt: 3471, #pkts verify: 3471
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3957, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.23.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3D1CEC2B

    inbound esp sas:
      spi: 0x8CBB3A6F (2361080431)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10711040, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94675/667)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x3D1CEC2B (1025305643)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10711040, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94653/667)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: External_map, seq num: 9, local addr: 78.41.227.59

      access-list outside_9_cryptomap permit ip Internal_network 255.255.0.0 Washington-DC 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (Washington-DC/255.255.255.0/0/0)
      current_peer: 10.24.0.10

      #pkts encaps: 29750, #pkts encrypt: 29750, #pkts digest: 29750
      #pkts decaps: 26096, #pkts decrypt: 26096, #pkts verify: 26096
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 29750, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.24.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D9998A0D

    inbound esp sas:
      spi: 0x017CA0F6 (24944886)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10604544, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94829/3517)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD9998A0D (3650718221)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10604544, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94776/3517)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: External_map, seq num: 6, local addr: 78.41.227.59

      access-list outside_6_cryptomap permit ip Internal_network 255.255.0.0 Geneva 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (Geneva/255.255.255.0/0/0)
      current_peer: 10.26.0.10

      #pkts encaps: 4638, #pkts encrypt: 4638, #pkts digest: 4638
      #pkts decaps: 4712, #pkts decrypt: 4712, #pkts verify: 4712
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4638, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.26.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E75A4B75

    inbound esp sas:
      spi: 0xE48A7289 (3834278537)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10829824, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (91286/684)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE75A4B75 (3881454453)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10829824, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94187/684)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: External_map, seq num: 1, local addr: 78.41.227.59
             
      access-list outside_1_cryptomap permit ip Internal_network 255.255.0.0 Debre_zeit 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (Debre_zeit/255.255.255.0/0/0)
      current_peer: 10.28.0.10

      #pkts encaps: 827, #pkts encrypt: 827, #pkts digest: 827
      #pkts decaps: 1055, #pkts decrypt: 1055, #pkts verify: 1055
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 827, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.28.0.10

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 06EB5385

    inbound esp sas:
      spi: 0xC9252886 (3374655622)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10870784, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94732/2175)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x06EB5385 (116085637)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 10870784, crypto-map: External_map
         sa timing: remaining key lifetime (kB/sec): (94716/2174)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

te-ASA#
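
Since the thread turns on reading the posted "show cry ipsec sa" output, here is an added Python helper (not from the thread, not a Cisco tool) that parses such output per crypto-map entry and flags what a reviewer would check: counters in both directions, send/recv and pre-fragmentation errors, and negotiated selectors that differ from the crypto ACL. In the output above several entries carry a 255.255.0.0 mask in the ACL but a 255.255.128.0 mask in the local ident, so the parser reports those; the sample is an excerpt of the posted output, cut to two entries.

```python
import re

# Excerpt of the "show cry ipsec sa" output posted in the thread, cut to the
# lines this check reads (two of the nine crypto-map entries, values as posted).
SAMPLE = """\
    Crypto map tag: External_map, seq num: 5, local addr: 78.41.227.59
      access-list outside_5_cryptomap permit ip Internal_network 255.255.0.0 Cairo 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (Cairo/255.255.255.0/0/0)
      current_peer: 10.9.0.10
      #pkts encaps: 423, #pkts encrypt: 423, #pkts digest: 423
      #pkts decaps: 404, #pkts decrypt: 404, #pkts verify: 404
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #send errors: 0, #recv errors: 0
    Crypto map tag: External_map, seq num: 2, local addr: 78.41.227.59
      access-list External_cryptomap permit ip Internal_network 255.255.0.0 Niger 255.255.255.0
      local ident (addr/mask/prot/port): (Internal_network/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (Niger/255.255.255.0/0/0)
      current_peer: 10.17.0.10
      #pkts encaps: 31499, #pkts encrypt: 31499, #pkts digest: 31499
      #pkts decaps: 40758, #pkts decrypt: 40758, #pkts verify: 40758
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #send errors: 0, #recv errors: 0
"""

FIELDS = {  # one regex per field we read; captured groups are the values
    "peer": r"current_peer: (\S+)",
    "acl_masks": r"access-list \S+ permit ip \S+ (\S+) \S+ (\S+)",
    "local_mask": r"local ident \(addr/mask/prot/port\): \(\S+?/([\d.]+)/",
    "remote_mask": r"remote ident \(addr/mask/prot/port\): \(\S+?/([\d.]+)/",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "prefrag_fail": r"#pre-frag failures: (\d+)",
    "errors": r"#send errors: (\d+), #recv errors: (\d+)",
}

def parse_ipsec_sa(text):
    # One dict per "Crypto map tag" entry; numeric fields become ints.
    entries = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        e = {}
        for key, pat in FIELDS.items():
            m = re.search(pat, block)
            vals = [int(v) if v.isdigit() else v for v in m.groups()] if m else [None]
            e[key] = vals[0] if len(vals) == 1 else tuple(vals)
        entries.append(e)
    return entries

def check_entry(e):
    # Findings worth raising for one tunnel entry; an empty list means it looks clean.
    checks = [
        (e["acl_masks"] != (e["local_mask"], e["remote_mask"]),
         "negotiated selectors differ from crypto ACL (proxy-ID mismatch with peer)"),
        (any(e["errors"] or ()), "send/recv errors on the SA"),
        (bool(e["prefrag_fail"]), "pre-fragmentation failures (check path MTU)"),
        (not e["encaps"] or not e["decaps"], "traffic in one direction only"),
    ]
    return [msg for hit, msg in checks if hit]

def audit(text=SAMPLE):
    return {e["peer"]: check_entry(e) for e in parse_ipsec_sa(text)}
```

Run it against the full output pasted in the thread to get one finding list per peer; the selector check is the one to read first, since a selector narrower than the ACL means only part of the ACL's address range is carried by that SA.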

praprama Fri, 12/10/2010 - 06:17

Hi,

Which among the above is the ISA's IP address? Need to ensure we are looking at the right tunnel.

Also, at the time you see requests timed out, what happens when you ping from the ISA lan to the ASA lan?

Cheers,

Prapanch

nataymenessa Fri, 12/10/2010 - 07:26

We have an ASA in our main office and ISA in our regional offices.

When I ping from the regional office network to the main office there is a request timeout, and vice versa.

But when I ping the link, for example 10.13.0.10 (one of our branches), there is no request timeout.

Jennifer Halim Fri, 12/10/2010 - 15:29

Can you please advise if all the VPN tunnels are not working, or only 1 specific tunnel is not working?

If it's only 1 specific tunnel, can you please advise which tunnel in particular that fails?

Also can you please share the ASA configuration, and advise what has changed recently?

Jennifer Halim Mon, 12/13/2010 - 00:18

Based on the "show cry ipsec sa" output provided earlier, there is traffic passing through the VPN tunnel on the ASA site.

You might want to check on whether the ISA server is receiving the encrypted traffic and decrypting it.

Based on the configuration and the output of "show cry ipsec sa" on the ASA, traffic is being encrypted and decrypted.

nataymenessa Mon, 12/13/2010 - 00:49

Yeah, the VPN is working, the ISA is also working. The problem is there is a random request timeout once in a while.

Jennifer Halim Mon, 12/13/2010 - 00:56

Ping is not a definitive test. Are you having any issue with your applications through the VPN tunnel? Is there any QoS configuration that might drop pings randomly?

If ping drops randomly, it is definitely not a problem with the VPN configuration between the sites.

You might want to check your internal network devices for any QoS settings or speed/duplex mismatch that might cause the issue.

nataymenessa Mon, 12/13/2010 - 01:16

Previously it was totally ISA and it was fine. The problem comes after we changed it to ASA. It is not only ping; I am having issues transferring applications through the VPN tunnel. I thought the problem was linked with the link, but we found out the link is fine.

Posted December 10, 2010 at 4:45 AM