ASA 5505 to Juniper switch

Answered Question
Jun 26th, 2012

I am wondering if anyone is aware of any known issues connecting an ASA to a Juniper switch?

We have a remote site where we have an ASA 5505 installed set up running EzVPN.  We do not have not have control/access to the internet connection or the internal infrastructure.  We basically have an office within thier building.  Our ASA has one of thier external IP addresses and is connected to thier Juniper switch.  Our pc's/printers are patched to another Juniper switch which is uplinked to our ASA.  The issue we are having is that the connection is intermittently dropping where we cannot ping the pc's/printers at the remote site through the VPN tunnel but we are still able to ping the external IP address of our remote ASA.  The strange thing is that we cannot manage the ASA via SSH or ASDM using the outside interface but can ping it when this occurs.  For the most part the VPN tunnel does not drop when we check the sessions at the headend although it occassionally will.

Any ideas as to what could be causing this type of issue?

Thanks in advance.

Jeff

I have this problem too.
0 votes
Correct Answer by manisharora111 about 1 year 9 months ago

The issue with the unable to reach ( ssh or https ) the External IP but still able to ping suggests a duplicate IP address assignment by your provider in that building. The arp expiration for the ASA causes you to losse SSH access but at the same time lets you ping the device holding that same IP, now when someone from behind the ASA initiates any external connection the ASA refreshes the ARP on the upstream device and everything starts to work normally.

Now, all above is what I am thinking , i might be wrong ;-). Please have your admin look for Mac address ( arp -cache ) when you firewall is not responding to SSH but only to ping and see if it matches your ASA external interface MAC.

Thanks

Manish

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
Jennifer Halim Tue, 06/26/2012 - 18:29

I would suggest that you configure keepalive so the VPN tunnel gets torn down if either side has lost connectivity.

The VPN session could have been up on the headend, but it could be down at the remote site, hence you are not able to manage it.

Do you have the ssh and http command on the outside interface to allow management of the ASA on its outside interface?

Lastly, since it's EzVPN, once the tunnel is down, the VPN tunnel needs to be initiated from the remote site.

Why don't you just configure Lan-to-Lan tunnel so both end could initiate the tunnel? assuming that the remote site has static external IP.

jeffnagel102 Tue, 06/26/2012 - 21:53

Thanks for the response.

I configured the VPN as a Lan-to-Lan tunnel a couple of hours ago and I am seeing the same symptoms as I did with the EzVPN.

I did verify that the http and ssh commands are on the outside interface to all management of the ASA on its outside interface.

I would imagine since we have an external static IP on the outside interface of the ASA we should be able to manage the device no matter what.

We even went so far as to swap out ASA's to rule out a hardware issue with the ASA.  At this point it seems that either the Juniper and ASA have some sort of compatibility issue or there is something else going on with the site's internal network causing the strange behavior.

Thanks.

jeffnagel102 Wed, 06/27/2012 - 10:21

Here is the config.

ASA Version 8.0(4)

!

hostname HC-5505

enable password xxxxxxxxxxxxx encrypted

passwd xxxxxxxxxx encrypted

names

name 10.7.16.0 Beaumont_Net

name 10.7.16.229 Camelot

name 10.7.16.46 Citrix10

name 10.7.16.147 Citrix2

name 10.32.2.192 ejctxweb01

name 10.32.2.134 ewjcx025

name 10.32.2.193 ewjcx028

name 10.32.2.194 ewjcx029

name 10.32.2.195 ewjcx030

name 10.32.2.196 ewjcx031

name 10.32.2.214 ewjcx032

name 10.7.16.160 Lycan

name 10.125.224.30 MSSCITRX01

name 10.126.0.45 MSSCITRX02

name 10.7.16.215 PrevIntranet

name 10.32.2.218 ewjcx034

name 10.32.2.197 ewjcx035

name 10.32.2.198 ewjcx036

name 10.32.2.215 ewjcx037

name 10.32.3.80 ewjfs004

name 10.7.48.204 excalibur

name 10.7.16.175 mercury

name 10.7.16.142 mordor

name 10.32.2.229 mordor4

name 10.101.28.175 peoplesoft

name 10.32.2.57 snsiis01

name 10.0.48.96 snsnas01

name 10.7.16.50 tarheel

name 10.7.112.175 vampire

!

interface Vlan1

nameif inside

security-level 100

ip address 10.127.35.129 255.255.255.192

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.14 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone CDT -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name my_domain.com

object-group network SV_Local

description SV Local

network-object 10.127.35.128 255.255.255.192

object-group network SV_Remote

description SV_Remote

network-object host ewjcx025

network-object host ejctxweb01

network-object host ewjcx028

network-object host ewjcx029

network-object host ewjcx030

network-object host ewjcx031

network-object host ewjcx032

network-object host Citrix2

network-object host Camelot

network-object host Citrix10

network-object host snsnas01

network-object host 10.101.20.28

network-object host peoplesoft

network-object host MSSCITRX01

network-object host MSSCITRX02

network-object host 10.126.0.54

network-object host 10.30.16.23

network-object host 10.30.16.24

network-object host 10.32.2.108

network-object host 10.32.2.129

network-object host 10.32.2.135

network-object host ewjcx035

network-object host ewjcx036

network-object host ewjcx037

network-object host ewjcx034

network-object host mordor4

network-object host snsiis01

network-object host ewjfs004

network-object host vampire

network-object host mordor

network-object host 10.7.16.159

network-object host Lycan

network-object host mercury

network-object host PrevIntranet

network-object host tarheel

network-object host 10.7.17.44

network-object host 10.7.20.27

network-object host excalibur

network-object Beaumont_Net 255.255.240.0

network-object host 10.7.16.9

access-list outside_access_in extended permit ip any any

access-list outside_cryptomap extended permit ip object-group SV_Local object-group SV_Remote

access-list inside_nat0_outbound extended permit ip 10.127.35.128 255.255.255.192 object-group SV_Remote

pager lines 24

logging enable

logging timestamp

logging trap debugging

logging asdm informational

logging facility 22

logging host inside 10.7.20.27

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication http console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http Beaumont_Net 255.255.240.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set peer 204.44.160.161

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 1 set security-association lifetime seconds 28800

crypto map outside_map0 1 set security-association lifetime kilobytes 4608000

crypto map outside_map0 interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh 10.127.35.128 255.255.255.192 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd lease 28800

!

dhcpd address 10.127.35.140-10.127.35.150 inside

dhcpd dns vampire Camelot interface inside

dhcpd enable inside

!

vpnclient server xxx.xx.xxx.xxx

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup hc password xxxxxx

vpnclient username hc password xxxxxx

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 64.250.229.100 source outside

username xxxxxxxx password xxxxxxxx encrypted

username xxxxxxxx password xxxxxxxx encrypted privilege 15

username xxxxxxxx password xxxxxxxx encrypted privilege 15

tunnel-group xxx.xx.xxx.xxx type ipsec-l2l

tunnel-group xxx.xx.xxx.xxx ipsec-attributes

pre-shared-key x

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Correct Answer
manisharora111 Wed, 06/27/2012 - 12:35

The issue with the unable to reach ( ssh or https ) the External IP but still able to ping suggests a duplicate IP address assignment by your provider in that building. The arp expiration for the ASA causes you to losse SSH access but at the same time lets you ping the device holding that same IP, now when someone from behind the ASA initiates any external connection the ASA refreshes the ARP on the upstream device and everything starts to work normally.

Now, all above is what I am thinking , i might be wrong ;-). Please have your admin look for Mac address ( arp -cache ) when you firewall is not responding to SSH but only to ping and see if it matches your ASA external interface MAC.

Thanks

Manish

jeffnagel102 Fri, 06/29/2012 - 11:41

That was it!    The admin at the site gave me another external IP for the outside interface of our ASA and the connection has been stable for the last day.  With the new IP on our ASA I was able to ping the old IP so they obviously have something else on their network with that same IP.

Thanks for the help.

Jeff

Actions

Login or Register to take actions

This Discussion

Posted June 26, 2012 at 1:59 PM
Stats:
Replies:6 Avg. Rating:5
Views:809 Votes:0
Shares:0
Categories: ASA
+

Related Content

Discussions Leaderboard