2 of 4 ASA 5505's using 'ezvpn' rekey constantly?

BrianChernish
Level 1

I recently changed out the ASA5510 at the head end of my WAN so I am not sure if this problem is related.

I have 30 or so 2800 series routers connected to the 5510 with ipsec tunnels and 4 asa 5505 units connecting with "ezvpn". When I look at logs coming out of the head end it seems 2 of the 4 5505's continuously re-key. It also looks like something does not like the "ipsec rekeying duration".

I have attached a chunk of the debug log.

Any assistance is greatly appreciated.

Brian

P.S. -- All 4 5505 ASAs are running the same version of IOS and I have compared configs between the ones that are having issues and those which are not!

Head End and 5505 are running version 8.2

18 Replies

Maykol Rojas
Cisco Employee

Hi,

It would be better if you post this question over the VPN part. What is the value of the association lifetime on the ASA and what is the one on the server side? The security association will take the lower value in order to set it up on the SA. So, if there is a mismatch I would say this is normal.

Let me know.

Mike

Mike

Thanks Mike,

I have moved the thread per your suggestion.

The "crypto ipsec security-association lifetime seconds 28800" is the same on the headend (5510) and on the remote (5505).

The message seems to indicate that something 'thinks' the rekeying duration should be 2147483647 (68 years?).

I have tried rebooting one of the 5505s and I am still seeing the same thing.

Any ideas?

Brian

BrianChernish
Level 1

OK so I have some additional information. This is beginning to look like a conflict of some sort between the two ASAs which keep rekeying.

If I reboot one of the two offending 5505s (which continually rekey), the other one (which continues to operate while the other is rebooting) does not renew its keys any longer.

Once the rebooted ASA comes back online (perhaps a minute or two after the reload command), the two of them begin rekeying (alternating) again (about every 2 seconds).

Also I just noticed that just before the rebooted ASA comes online, I see a message in the log which reads "Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group1"

Once again, thanks for any assistance!

Brian

On the Diffie-Hellman do you have the same groups on both ISAKMP policies?

Mike

Mike

That resolved the Phase 1 failures. I had 2 policies configured. I think this went back to when we originally configured the ASA.

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

I changed Policy 1 to read "Group 2" and got a message that Policy 20 was now superseded by policy 1 which is identical.

Brian
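The two effects in this post, the "superseded" message when two ISAKMP policies become identical and the earlier "Group Description" mismatch when neither side offers the same DH group, both come down to how phase 1 policies are matched. The following Python script is an added example, not code from the thread or from Cisco: it parses two constructed policy sets (the head end with the two policies listed above, and a hypothetical remote peer that only offers group 2), reports duplicate policies, and finds the first matching pair with the lower lifetime winning, as Mike described. The config text, the peer, and the negotiate() logic are assumptions for illustration.

```python
import re
# Constructed sample configs (not the thread's actual ones): the head end with the
# two policies Brian listed, and a remote peer that only offers DH group 2.
HEADEND_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""
REMOTE_CONFIG = "crypto isakmp policy 10\n authentication pre-share\n encryption 3des\n hash md5\n group 2\n lifetime 28800\n"
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and len(line.split()) == 2:
            attr, value = line.split()
            policies[current][attr] = value
    return policies

def find_duplicates(policies):
    """(prio, earlier_prio) pairs: a policy identical to an earlier one is dropped by the ASA."""
    seen, dups = {}, []
    for prio in sorted(policies):
        key = tuple(sorted(policies[prio].items()))
        if key in seen:
            dups.append((prio, seen[key]))
        seen.setdefault(key, prio)
    return dups

def negotiate(initiator, responder):
    """First responder policy matching an initiator policy on MATCH_KEYS (lower lifetime wins); None = phase 1 mismatch."""
    for rp in sorted(responder):
        for ip in sorted(initiator):
            if all(responder[rp].get(k) == initiator[ip].get(k) for k in MATCH_KEYS):
                return rp, ip, min(int(responder[rp]["lifetime"]), int(initiator[ip]["lifetime"]))
    return None
```

With only policy 1 (group 1) on the head end, negotiate() returns None for the group 2 peer, which is the situation behind the "Mismatched attribute types for class Group Description" message; after changing policy 1 to group 2, find_duplicates() reports policy 20 as a repeat of policy 1.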

Mmmm but right now are the policies identical? Do you still have the problem with the groups being different? Is the rekey message still appearing?

Mike

Mike

They are still rekeying.  I went back and looked at notes from my original ASA deployment and we added Policy 1 because for some reason our 2821 routers could not negotiate Group 2.

Resolution: The ASA was using DH as group 2 whereas router was using group 1. So we changed the DH on ASA to group 1 and tunnel came up.

Thanks,

Wilson Lee
Cisco TAC Engineer - (VPN)

So I am right now adding Policy 1 back in as Group 1, before my network blows up!

Brian

Changing Policy 1 to "Group 2" (thereby making the 2 policies identical) actually caused Policy 20 to be removed from my config.  I had to add it back manually after I changed Policy 1 back to Group 1.

For the short time I only had the one policy (Policy 1) and it was set to DH Group 2, I rebooted one of my ASAs and I did not get the Phase 1 failure message.

Brian

What version are you running on the ASAs that are having the rekey issue? We at least know why that DH error is being generated.

Mike

Mike

All 4 of my ASA 5505s are running the same OS:

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"

The ASA 5510 (Head End) is running the same version:

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"

This was by design. We wanted to get far enough along to benefit from Netflow, without getting into the newest versions which we have heard could be troublesome.

Brian

The logs that you sent me were from the ASA5505 right? On the 5510 do you see any duplicate SA error message on the logs?

Mike

Mike

Logs are from the ASA5510.

I just filtered the log output from the ASDM looking for "duplicate" and nothing that mentions duplicate SA.  I do have some messages with Duplicate TCP SYN but they are in traffic from other devices on my network.

Brian

I have attached a 'chunk' of log from one of the 5505s.

Hi,

Based on the logs the SAs are being torn down every 3 seconds. Would you please enable the debug crypto ipsec sa 254 and debug crypto isakmp 254 on the client and server for 10 seconds and send us the output?

Mike

Mike

I have attached both outputs.  At the client side there was NO output.  I attached the capture anyway so you can see what I did at the prompt.

Brian
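Mike reads the logs as SAs being torn down every 3 seconds, and Brian sees the two units alternating roughly every 2 seconds. As an added example (not from the thread or from Cisco), this Python script scans constructed log lines written in the style of the ASA 602303 "SA has been created" message, groups them per peer, and flags any peer whose interval between new SAs is far below the configured 28800 s lifetime; the line format, peer addresses and the 1% threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed ASA-style syslog lines (not the thread's attached logs): two peers
# getting a new SA every couple of seconds and one peer behaving normally.
SAMPLE_LOG = """\
Jan 12 2010 10:00:00: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x1A) between 203.0.113.1 and 198.51.100.10 (user= site10) has been created.
Jan 12 2010 10:00:01: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x2A) between 203.0.113.1 and 198.51.100.20 (user= site20) has been created.
Jan 12 2010 10:00:02: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x1B) between 203.0.113.1 and 198.51.100.10 (user= site10) has been created.
Jan 12 2010 10:00:03: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x2B) between 203.0.113.1 and 198.51.100.20 (user= site20) has been created.
Jan 12 2010 10:00:04: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x1C) between 203.0.113.1 and 198.51.100.10 (user= site10) has been created.
Jan 12 2010 10:00:05: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x2C) between 203.0.113.1 and 198.51.100.20 (user= site20) has been created.
Jan 12 2010 10:00:06: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x1D) between 203.0.113.1 and 198.51.100.10 (user= site10) has been created.
Jan 12 2010 10:00:07: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x2D) between 203.0.113.1 and 198.51.100.20 (user= site20) has been created.
Jan 12 2010 10:00:08: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x3A) between 203.0.113.1 and 198.51.100.30 (user= site30) has been created.
Jan 12 2010 17:59:08: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x3B) between 203.0.113.1 and 198.51.100.30 (user= site30) has been created.
"""

SA_CREATED = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-602303: .*"
    r"between \S+ and (?P<peer>\S+) ")

def sa_creation_times(log):
    """Map each peer address to the sorted timestamps of its new outbound SAs."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = SA_CREATED.match(line)
        if m:
            times[m.group("peer")].append(datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"))
    return {peer: sorted(ts) for peer, ts in times.items()}

def rekey_storms(log, lifetime_s=28800, max_fraction=0.01):
    """Peers whose median gap between new SAs is under 1% of the configured
    lifetime (288 s for Brian's 28800 s); a healthy peer rekeys once per lifetime."""
    report = {}
    for peer, ts in sa_creation_times(log).items():
        if len(ts) < 3:
            continue
        gap = median((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
        if gap < lifetime_s * max_fraction:
            report[peer] = gap
    return report
```

On the sample data the two rekeying peers are reported with a 2 s median gap, while the third peer, which only rekeyed once near the end of its lifetime, is not.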
