12-10-2010 04:45 AM
I managed to create the VPN link, but there is a random request timeout that I am facing. When I ping the physical link and the VPN link simultaneously in separate windows, I noticed that the physical link replies when the VPN link request times out. What could be the problem?
12-10-2010 04:54 AM
Is the VPN tunnel up and running?
Can you please share the output of the following from the ASA:
show cry isa sa
show cry ipsec sa
I am not too sure what you mean by the VPN link is not replying. Where are you trying to ping from, and what is the source IP address? Are you trying to ping from the LAN behind the ASA to the LAN behind the ISA server, and/or vice versa?
12-10-2010 05:06 AM
I am trying to ping from the LAN behind the ASA.
te-ASA# show crypto isakmp sa
Active SA: 9
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 9
1 IKE Peer: 10.17.0.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 10.24.0.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
3 IKE Peer: 10.23.0.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
4 IKE Peer: 10.26.0.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
5 IKE Peer: 10.28.0.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
6 IKE Peer: 10.9.0.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
7 IKE Peer: 10.13.0.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
8 IKE Peer: 10.15.0.10
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
9 IKE Peer: 10.6.0.10
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
te-ASA# show cry ipsec sa
interface: outside
Crypto map tag: External_map, seq num: 5, local addr: 78.41.227.59
access-list outside_5_cryptomap permit ip Internal_network 255.255.0.0 Cairo 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (Cairo/255.255.255.0/0/0)
current_peer: 10.9.0.10
#pkts encaps: 423, #pkts encrypt: 423, #pkts digest: 423
#pkts decaps: 404, #pkts decrypt: 404, #pkts verify: 404
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 423, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.9.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 5E203582
inbound esp sas:
spi: 0x52285AFB (1378376443)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10895360, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94819/2832)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5E203582 (1579169154)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10895360, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94816/2832)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 4, local addr: 78.41.227.59
access-list outside_4_cryptomap permit ip Internal_network 255.255.0.0 Nairobi-IBAR 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (Nairobi-IBAR/255.255.255.0/0/0)
current_peer: 10.13.0.10
#pkts encaps: 3238, #pkts encrypt: 3238, #pkts digest: 3238
#pkts decaps: 3562, #pkts decrypt: 3562, #pkts verify: 3562
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3262, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.13.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 10362BC9
inbound esp sas:
spi: 0x12363DC5 (305544645)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10903552, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94351/2967)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x10362BC9 (271985609)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10903552, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (93990/2966)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 7, local addr: 78.41.227.59
access-list outside_7_cryptomap permit ip Internal_network 255.255.0.0 Malawi 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (Malawi/255.255.255.0/0/0)
current_peer: 10.15.0.10
#pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
#pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 43, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.15.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: DD35CA5D
inbound esp sas:
spi: 0x82611D3E (2187402558)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10907648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94913/3482)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDD35CA5D (3711289949)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10907648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94916/3482)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 2, local addr: 78.41.227.59
access-list External_cryptomap permit ip Internal_network 255.255.0.0 Niger 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (Niger/255.255.255.0/0/0)
current_peer: 10.17.0.10
#pkts encaps: 31499, #pkts encrypt: 31499, #pkts digest: 31499
#pkts decaps: 40758, #pkts decrypt: 40758, #pkts verify: 40758
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 31499, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.17.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D57E2907
inbound esp sas:
spi: 0xD22AF35B (3526030171)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10526720, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94274/3090)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD57E2907 (3581815047)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10526720, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94872/3090)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 8, local addr: 78.41.227.59
access-list outside_8_cryptomap permit ip Internal_network 255.255.0.0 Newyork 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (Newyork/255.255.255.0/0/0)
current_peer: 10.23.0.10
#pkts encaps: 3957, #pkts encrypt: 3957, #pkts digest: 3957
#pkts decaps: 3471, #pkts decrypt: 3471, #pkts verify: 3471
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3957, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.23.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3D1CEC2B
inbound esp sas:
spi: 0x8CBB3A6F (2361080431)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10711040, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94675/667)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3D1CEC2B (1025305643)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10711040, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94653/667)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 9, local addr: 78.41.227.59
access-list outside_9_cryptomap permit ip Internal_network 255.255.0.0 Washington-DC 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (Washington-DC/255.255.255.0/0/0)
current_peer: 10.24.0.10
#pkts encaps: 29750, #pkts encrypt: 29750, #pkts digest: 29750
#pkts decaps: 26096, #pkts decrypt: 26096, #pkts verify: 26096
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29750, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.24.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D9998A0D
inbound esp sas:
spi: 0x017CA0F6 (24944886)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10604544, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94829/3517)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD9998A0D (3650718221)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10604544, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94776/3517)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 6, local addr: 78.41.227.59
access-list outside_6_cryptomap permit ip Internal_network 255.255.0.0 Geneva 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (Geneva/255.255.255.0/0/0)
current_peer: 10.26.0.10
#pkts encaps: 4638, #pkts encrypt: 4638, #pkts digest: 4638
#pkts decaps: 4712, #pkts decrypt: 4712, #pkts verify: 4712
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4638, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.26.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E75A4B75
inbound esp sas:
spi: 0xE48A7289 (3834278537)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10829824, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (91286/684)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE75A4B75 (3881454453)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10829824, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94187/684)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 1, local addr: 78.41.227.59
access-list outside_1_cryptomap permit ip Internal_network 255.255.0.0 Debre_zeit 255.255.255.0
local ident (addr/mask/prot/port): (Internal_network/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (Debre_zeit/255.255.255.0/0/0)
current_peer: 10.28.0.10
#pkts encaps: 827, #pkts encrypt: 827, #pkts digest: 827
#pkts decaps: 1055, #pkts decrypt: 1055, #pkts verify: 1055
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 827, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 78.41.227.59, remote crypto endpt.: 10.28.0.10
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 06EB5385
inbound esp sas:
spi: 0xC9252886 (3374655622)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10870784, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94732/2175)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x06EB5385 (116085637)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10870784, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (94716/2174)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
te-ASA#
12-10-2010 06:17 AM
Hi,
Which among the above is the ISA's IP address? Need to ensure we are looking at the right tunnel.
Also, at the time you see requests timed out, what happens when you ping from the ISA lan to the ASA lan?
Cheers,
Prapanch
12-10-2010 07:26 AM
We have an ASA in our main office and ISA in our regional offices.
When I ping from the regional office network to the main office there is a request timeout, and vice versa.
But when I ping the link, for example 10.13.0.10 (one of our branches), there is no request timeout.
12-10-2010 03:29 PM
Can you please advise if all the VPN tunnels are not working, or only 1 specific tunnel is not working?
If it's only 1 specific tunnel, can you please advise which tunnel in particular fails?
Also can you please share the ASA configuration, and advise what has changed recently?
12-12-2010 09:17 PM
12-13-2010 12:18 AM
Based on the "show cry ipsec sa" output provided earlier, there is traffic passing through the VPN tunnel on the ASA site.
You might want to check on whether the ISA server is receiving the encrypted traffic and decrypting it.
Based on the configuration and the output of "show cry ipsec sa" on the ASA, traffic is being encrypted and decrypted.
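Added example, not part of any post in this thread: a small Python parser for the two command outputs quoted above that lists peers whose phase 1 state is not established and SAs that encrypt without decrypting or report errors. The function names and the sample text (with documentation-range peer addresses) are constructed for illustration.

```python
import re

# Constructed sample in the format quoted in this thread (placeholder peers).
ISAKMP = """\
1 IKE Peer: 192.0.2.10
Rekey : no State : MM_ACTIVE
2 IKE Peer: 192.0.2.20
Rekey : no State : MM_WAIT_MSG6
"""
IPSEC = """\
current_peer: 192.0.2.10
#pkts encaps: 423, #pkts encrypt: 423, #pkts digest: 423
#pkts decaps: 404, #pkts decrypt: 404, #pkts verify: 404
current_peer: 192.0.2.30
#pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 3
"""

def ike_states(text):
    """Map each IKE peer to its phase 1 state."""
    states, peer = {}, None
    for line in text.splitlines():
        if m := re.search(r"IKE Peer:\s*(\S+)", line):
            peer = m.group(1)
        elif peer and (m := re.search(r"State\s*:\s*(\S+)", line)):
            states[peer] = m.group(1)
    return states

def ipsec_counters(text):
    """Map each current_peer to its summed encaps/decaps/error counters."""
    pat = r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)"
    sas, cur = {}, None
    for line in text.splitlines():
        if m := re.search(r"current_peer:\s*(\S+)", line):
            cur = sas.setdefault(m.group(1), {})
        elif cur is not None:
            for key, val in re.findall(pat, line):
                cur[key] = cur.get(key, 0) + int(val)
    return sas

def findings(isakmp, ipsec):
    """Return (peer, note) pairs for tunnels that need a closer look."""
    out = [(p, f"phase 1 not established: {s}")
           for p, s in ike_states(isakmp).items() if not s.endswith("_ACTIVE")]
    for p, c in ipsec_counters(ipsec).items():
        if c.get("pkts encaps") and not c.get("pkts decaps"):
            out.append((p, "encrypting but nothing decrypted"))
        if c.get("send errors") or c.get("recv errors"):
            out.append((p, "send/recv errors on the SA"))
    return out
```

An empty result only means the SAs look healthy at the moment of capture; comparing two captures taken a few minutes apart shows whether the counters keep advancing in both directions.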
12-13-2010 12:49 AM
Yeah, the VPN is working, the ISA is also working. The problem is there is a random request timeout once in a while.
12-13-2010 12:56 AM
Ping is not a definitive test. Are you having any issue with your applications through the VPN tunnel? Is there any QoS configuration that might drop pings randomly?
If ping drops randomly, it is definitely not a problem with the VPN configuration between the sites.
You might want to check your internal network devices for any QoS settings or speed/duplex mismatch that might cause the issue.
12-13-2010 01:16 AM
Previously it was totally ISA and it was fine. The problem comes after we changed it to ASA. It is not only ping. I am having issues transferring applications through the VPN tunnel. I thought the problem was linked with the link but we found out the link is fine.