11-02-2011 02:34 PM
I recently changed out the ASA5510 at the head end of my WAN so I am not sure if this problem is related.
I have 30 or so 2800 series routers connected to the 5510 with ipsec tunnels and 4 ASA 5505 units connecting with "ezvpn". When I look at logs coming out of the head end it seems 2 of the 4 5505s continuously re-key. It also looks like something does not like the "ipsec rekeying duration".
I have attached a chunk of the debug log.
Any assistance is greatly appreciated.
Brian
P.S. -- All 4 5505 ASAs are running the same version of IOS and I have compared configs between the ones that are having issues and those which are not!
Head End and 5505 are running version 8.2
11-02-2011 03:42 PM
Hi,
It would be better if you post this question over the VPN part. What is the value of the association lifetime on the ASA and what is the one on the server side? The security association will take the lower value in order to set it up on the SA. So, if there is a mismatch I would say this is normal.
Let me know.
Mike
11-03-2011 09:31 AM
Thanks Mike,
I have moved the thread per your suggestion.
The "crypto ipsec security-association lifetime seconds 28800" is the same on the headend (5510) and on the remote (5505).
The message seems to indicate that something 'thinks' the rekeying duration should be 2147483647 (68 years?).
I have tried rebooting one of the 5505s and I am still seeing the same thing.
Any ideas?
Brian
11-03-2011 10:41 AM
OK so I have some additional information. This is beginning to look like a conflict of some sort between the two ASAs which keep rekeying.
If I reboot one of the two offending 5505s (which continually rekey), the other one (which continues to operate while the first is rebooting) does not renew its keys any longer.
Once the rebooted ASA comes back online (perhaps a minute or two after the reload command), the two of them begin rekeying (alternating) again (about every 2 seconds).
Also I just noticed that just before the rebooted ASA comes online, I see a message in the log which reads "Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group1"
Once again, thanks for any assistance!
Brian
11-03-2011 11:04 AM
On the Diffie hellman do you have the same groups on both Isakmp policies?
Mike
11-03-2011 11:24 AM
That resolved the Phase 1 failures. I had 2 policies configured. I think this went back to when we originally configured the ASA.
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
I changed Policy 1 to read "Group 2" and got a message that Policy 20 was now superseded by policy 1 which is identical.
Brian
11-03-2011 11:33 AM
Mmmm but right now are the policies identical? Do you still have the problem with the groups being different? Is the rekey message still appearing?
Mike
11-03-2011 11:36 AM
They are still rekeying. I went back and looked at notes from my original ASA deployment and we added Policy 1 because for some reason our 2821 routers could not negotiate Group 2.
Resolution: The ASA was using DH as group 2 whereas router was using group 1. So we changed the DH on ASA to group 1 and tunnel came up.
Thanks,
Wilson Lee
Cisco TAC Engineer - (VPN)
So I am right now adding Policy 1 back in as Group 1, before my network blows up!
Brian
11-03-2011 11:43 AM
Changing Policy 1 to "Group 2" (thereby making the 2 policies identical) actually caused Policy 20 to be removed from my config. I had to add it back manually after I changed Policy 1 back to Group 1.
For the short time I only had the one policy (Policy 1) and it was set to DH Group 2, I rebooted one of my ASAs and I did not get the Phase 1 failure message.
Brian
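An added example (not code from the thread or from Cisco) that models what Brian describes in the two posts above: it parses the two ISAKMP policies he posted, flags the duplicate that the ASA removed once policy 1 was changed to group 2, and checks which policy each peer would match. The peer proposals for the 2821 routers (DH group 1 only) and the 5505s (group 2) are assumptions taken from the thread's description.

```python
# Constructed copy of the two ISAKMP policies from the thread, as the ASA prints them.
CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""
# Attributes that must match exactly; lifetime is left out because the peers
# settle on the lower value rather than requiring equality.
NEGOTIATED = ("authentication", "encryption", "hash", "group")
# Constructed peer proposals: the 2821 routers offer only DH group 1, the 5505s group 2.
ROUTER_2821 = {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "1"}
ASA_5505 = dict(ROUTER_2821, group="2")

def parse_policies(text):
    """Return {priority: {attribute: value}} from 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("crypto isakmp policy "):
            current = policies.setdefault(int(line.split()[-1]), {})
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value
    return policies

def duplicates(policies):
    """Policies repeating a higher-priority policy's attributes; the ASA drops these."""
    seen, dups = set(), []
    for prio in sorted(policies):
        sig = tuple(policies[prio].get(k) for k in NEGOTIATED)
        if sig in seen:
            dups.append(prio)
        seen.add(sig)
    return dups

def match(responder, proposal):
    """Lowest-numbered responder policy accepting the peer's proposal, or None."""
    for prio in sorted(responder):
        if all(responder[prio].get(k) == proposal[k] for k in NEGOTIATED):
            return prio
    return None
```

With both policies present, routers land on policy 1 and the 5505s on policy 20; changing policy 1 to group 2 makes policy 20 a duplicate (dropped) and leaves the group 1 routers with no matching policy, which is the Phase 1 failure seen in the thread.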
11-03-2011 11:47 AM
What version are you running on the ASAs that are having the rekey issue? We at least know why that DH error is being generated.
Mike
11-03-2011 11:52 AM
All 4 of my ASA 5505s are running the same OS:
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
The ASA 5510 (Head End) is running the same version:
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
This was by design. We wanted to get far enough along to benefit from NetFlow, without getting into the newest versions which we have heard could be troublesome.
Brian
11-03-2011 12:07 PM
The logs that you sent me were from the ASA5505 right? On the 5510 do you see any duplicate SA error message on the logs?
Mike
11-03-2011 12:11 PM
Logs are from the ASA5510.
I just filtered the log output from the ASDM looking for "duplicate" and found nothing that mentions a duplicate SA. I do have some messages with Duplicate TCP SYN but they are in traffic from other devices on my network.
Brian
I have attached a 'chunk' of log from one of the 5505s.
11-03-2011 12:37 PM
Hi,
Based on the logs the SAs are being torn down every 3 seconds. Would you please enable the debug crypto ipsec sa 254 and debug crypto isakmp 254 on the client and server for 10 seconds and send us the output?
Mike