2 of 4 ASA 5505's using 'ezvpn' rekey constantly?

Unanswered Question
Nov 2nd, 2011

I recently changed out the ASA5510 at the head end of my WAN so I am not sure if this problem is related.

I have 30 or so 2800 series routers connected to the 5510 with ipsec tunnels and 4 asa 5505 units connecting with "ezvpn".  When I look at logs coming out of the head end it seems 2 of the 4 5505's continuously re-key. It also looks like something does not like the "ipsec rekeying duration".

I have attached a chunk of the debug log.

Any assistance is greatly appreciated.

Brian

P.S. -- All 4 5505 ASAs are running the same version of IOS and I have compared configs between the ones that are having issues and those which are not!

Head End and 5505 are running version 8.2

mayrojas Wed, 11/02/2011 - 15:42

Hi,

It would be better if you post this question over the VPN part. What is the value of the association lifetime on the ASA and what is the one on the server side? The security association will take the lower value in order to set it up on the SA. So, if there is a mismatch I would say this is normal.

Let me know.

Mike

b-chernish Thu, 11/03/2011 - 09:31

Thanks Mike,

I have moved the thread per your suggestion.

The "crypto ipsec security-association lifetime seconds 28800" is the same on the headend (5510) and on the remote (5505).

The message seems to indicate that something 'thinks' the rekeying duration should be 2147483647 (68 years?).

I have tried rebooting one of the 5505s and I am still seeing the same thing.

Any ideas?

Brian

b-chernish Thu, 11/03/2011 - 10:41

OK so I have some additional information. This is beginning to look like a conflict of some sort between the two ASAs which keep rekeying.

If I reboot one of the two offending 5505s (which continually rekey), the other one (which continues to operate while the other is rebooting) does not renew its keys any longer.

Once the rebooted ASA comes back online (perhaps a minute or two after the reload command), the two of them begin rekeying (alternating) again (about every 2 seconds).

Also I just noticed that just before the rebooted ASA comes online, I see a message in the log which reads "Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group1"

Once again, thanks for any assistance!

Brian

mayrojas Thu, 11/03/2011 - 11:04

On the Diffie hellman do you have the same groups on both Isakmp policies?

Mike

b-chernish Thu, 11/03/2011 - 11:24

That resolved the Phase 1 failures.  I had 2 policies configured.  I think this went back to when we originally configured the ASA.

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

I changed Policy 1 to read "Group 2" and got a message that Policy 20 was now superseded by policy 1 which is identical.

Brian

mayrojas Thu, 11/03/2011 - 11:33

Mmmm but right now are the policies identical? Do you still have the problem with the groups being different? Is the rekey message still appearing?

Mike

b-chernish Thu, 11/03/2011 - 11:36

They are still rekeying.  I went back and looked at notes from my original ASA deployment and we added Policy 1 because for some reason our 2821 routers could not negotiate Group 2.

Resolution: The ASA was using DH as group 2 whereas router was using group 1. So we changed the DH on ASA to group 1 and tunnel came up.

Thanks,

Wilson Lee
Cisco TAC Engineer - (VPN)

So I am right now adding Policy 1 back in as Group 1, before my network blows up!

Brian

b-chernish Thu, 11/03/2011 - 11:43

Changing Policy 1 to "Group 2" (thereby making the 2 policies identical) actually caused Policy 20 to be removed from my config.  I had to add it back manually after I changed Policy 1 back to Group 1.

For the short time I only had the one policy (Policy 1) and it was set to DH Group 2, I rebooted one of my ASAs and I did not get the Phase 1 failure message.

Brian

mayrojas Thu, 11/03/2011 - 11:47

What version are you running on the ASAs that are having the rekey issue? We at least know why that DH error is being generated.

Mike

b-chernish Thu, 11/03/2011 - 11:52

All 4 of my ASA 5505s are running the same OS:

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"

The ASA 5510 (Head End) is running the same version:

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"

This was by design.  We wanted to get far enough along to benefit from Netflow, without getting into the newest versions which we have heard could be troublesome.

Brian

mayrojas Thu, 11/03/2011 - 12:07

The logs that you sent me were from the ASA5505 right? On the 5510 do you see any duplicate SA error message on the logs?

Mike

b-chernish Thu, 11/03/2011 - 12:11

Logs are from the ASA5510.

I just filtered the log output from the ASDM looking for "duplicate" and found nothing that mentions a duplicate SA.  I do have some messages with Duplicate TCP SYN but they are in traffic from other devices on my network.

Brian

I have attached a 'chunk' of log from one of the 5505s.

mayrojas Thu, 11/03/2011 - 12:37

Hi,

Based on the logs the SAs are being torn down every 3 seconds. Would you please enable the debug crypto ipsec sa 254 and debug crypto isakmp 254 on the client and server for 10 seconds and send us the output?

Mike

b-chernish Thu, 11/03/2011 - 13:25

Interesting...

From those debugs, I found the following:

"Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 50.53.68.162:1024; New peer: 76.115.167.67:4500"

In this case we are talking about 2 ASAs installed in Executive Employees' homes and both are plugged into their existing home internet networks. Both are using DHCP on the inside interface.

I would say I have had the bad luck of each of those devices obtaining the same DHCP address - 192.168.1.11 (albeit from different networks) as their inside IP.  IPsec across the ASAs does not seem to be able to accommodate that!

Comments?

Brian

mayrojas Thu, 11/03/2011 - 19:04

Hi,

By any chance do these 2 ASAs have the same subnet on the inside? What about the others, do they have different subnets or all of them share the same one?

Mike

b-chernish Fri, 11/04/2011 - 08:35

Mike,

I "mis-spoke" in my previous post.  Both of the ASA5505s have the same ip address on their OUTSIDE interface. These 2 ASAs are located in different locations and accordingly each has a unique inside network (192.168.61.xxx for one and 192.168.65.xxx on the other).

Each was configured to use DHCP to get their outside address using the command "ip address dhcp setroute".

Obviously this configuration is desirable, so that I can pre-configure an ASA5505 and send it home with a user so that they can simply plug it into any port on their existing home internet connection and then plug an IP Phone and computer into it, which now act exactly the same as their PC and Phone in the office.

I was able to get the two conflicting devices to stop rekeying every 3 seconds by supplying a static IP to one of the devices (I changed it from the DHCP address of 192.168.1.11 to 192.168.1.9).

Any insight on a better work around would be great as we have plans to ship many more ASA5505 to users' homes in the coming months.

Thanks for your attention to my problem.

Brian
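The two symptoms worked through in this thread (the "Duplicate remote proxy ... Replacing old tunnel" churn when two remote ASAs present the same address, and the "Phase 1 failure: Mismatched attribute types for class Group Description" message from the DH group mismatch) are both things a head-end operator would want flagged automatically rather than found by reading debug output by hand. The following Python script is an added example, not code from the thread or from Cisco: it scans a syslog-style export for the two message bodies quoted in the thread, groups the duplicate-proxy events by the contested address, and reports any address whose tunnel is being replaced faster than a threshold (the thread's "every 3 seconds"), together with the set of public peers fighting over it. The "date time host message" line layout, the threshold of 10 seconds, and the sample log lines (which reuse the peer addresses quoted in the thread with made-up timestamps) are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not the thread's attached logs. The two message
# bodies are the ones quoted in the thread; the "date time host" prefix is an
# assumed collection format, and the timestamps are made up to reproduce the
# "every 3 seconds" replacement pattern the thread describes.
SAMPLE_LOG = """\
2011-11-03 13:20:00 headend Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 50.53.68.162:1024; New peer: 76.115.167.67:4500
2011-11-03 13:20:03 headend Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 76.115.167.67:4500; New peer: 50.53.68.162:1024
2011-11-03 13:20:06 headend Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 50.53.68.162:1024; New peer: 76.115.167.67:4500
2011-11-03 13:21:10 headend Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group1
2011-11-03 13:21:12 headend Deny TCP (no connection) Duplicate TCP SYN from 10.10.0.5 to 10.10.0.9
"""

# Assumed line layout: ISO date, time, reporting host, free-text message.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# Message bodies as quoted in the thread; the address and peer fields are captured.
DUP_PROXY_RE = re.compile(
    r"Duplicate remote proxy \(([\d./]+)\) detected\. Replacing old tunnel\. "
    r"Old peer: ([\d.]+:\d+); New peer: ([\d.]+:\d+)"
)
PHASE1_RE = re.compile(
    r"Phase 1 failure: Mismatched attribute types for class Group Description: "
    r"Rcv'd: (Group\s?\d+) Cfg'd: (Group\s?\d+)"
)


def parse_line(line):
    """Split one log line into (timestamp, host, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def analyze(log_text, flap_threshold_s=10):
    """Summarise duplicate-proxy tunnel replacement and Phase 1 DH group mismatches.

    Returns {"flapping": {proxy: {...}}, "phase1_mismatches": [(received, configured), ...]}.
    A proxy address is reported as flapping when it is replaced at least twice and the
    shortest gap between replacements is at or below flap_threshold_s seconds.
    """
    peers_by_proxy = defaultdict(set)   # contested address -> public peers claiming it
    times_by_proxy = defaultdict(list)  # contested address -> replacement timestamps
    phase1 = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # unrelated or unparseable line (e.g. the Duplicate TCP SYN noise)
        ts, _host, msg = parsed
        dup = DUP_PROXY_RE.search(msg)
        if dup:
            proxy, old_peer, new_peer = dup.groups()
            peers_by_proxy[proxy].update((old_peer, new_peer))
            times_by_proxy[proxy].append(ts)
            continue
        p1 = PHASE1_RE.search(msg)
        if p1:
            phase1.append((p1.group(1), p1.group(2)))

    flapping = {}
    for proxy, times in times_by_proxy.items():
        times.sort()
        if len(times) < 2:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if min(gaps) <= flap_threshold_s:
            flapping[proxy] = {
                "events": len(times),
                "min_interval_s": min(gaps),
                "peers": sorted(peers_by_proxy[proxy]),
            }
    return {"flapping": flapping, "phase1_mismatches": phase1}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run against the constructed sample, the report names 192.168.1.11/255.255.255.255 as replaced three times with a 3 second minimum gap between the two public peers, which is exactly the "two remotes with the same address" picture Brian reached in the thread; a proxy listed with only one peer and long gaps would be an ordinary reconnect rather than a conflict, so the peer set is the field to look at first.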

burnettg_98 Thu, 08/02/2012 - 06:51

Did you ever come up with a solution to this issue?  I was seeing the same rekeying and sure enough, they have the same outside address.  Thanks

Posted November 2, 2011 at 2:34 PM