Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA VPN duplicate entry

I am required to setup a L2L vpn tunnel on our ASA firewall to a 3rd Party that we need to access for administration (they won’t setup a remote access one), this needs to be accessible by engineers in the field so I have setup a remote access VPN for our engineers to connect to our firewall these then have access (hairpinning) over the L2L VPN to the 3rd Party.

 

The firewalls are ASA’s at both ends (I’ve no access to the 3rd parties ASA) ours is running 9.1(4).

 

The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional it is only ever initiated from our end.

 

The engineers remote access VPN’s connect without problem.

 

However there is a strange issue with the L2L VPN which I can’t find the cause of.

 

The first time the L2L VPN is accessed (after an ASA reboot or it’s left for a day or so) all is well, (a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up and they can access the remote equipment no problem).

 

However when the remote access user disconnects and the L2L tunnel is left unused it drops after approx 30 mins, if a user then tries to connect again soon after it won’t bring the L2L tunnel up.

 

(I thought it might be a bug but I’ve tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions).

 

A debug of what happens when a remote access VPN user tries to bring the L2L VPN up and it fails is below……

 

ASA# debug crypto ike-common 255

ASA# debug crypto ipsec 255   

ASA# debug crypto ikev2 prot 255

ASA# debug crypto ikev2 plat 255

ASA# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873

IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.

IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.

IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.

Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873

IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.

IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.

IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.

Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873

IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.

IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.

IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.

Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

 

 

The VPN settings for the L2L VPN and Remote access VPN from our ASA are shown below….

 

Site to Site tunnel VPN settings….

 

same-security-traffic permit intra-interface

 

object network Remote-ASA

 host 217.x.x.x

 

object network RA-VPN-local

 subnet 10.10.222.0 255.255.255.0

 

object network Remote-servers

 subnet 10.200.222.0 255.255.255.0

 

access-list Security-ACL extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

access-list Security-ACL extended permit ip 10.200.222.0 255.255.255.0 10.10.222.0 255.255.255.0

 

access-list Interesting-traffic extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

 

nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup

 

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1

 

crypto map map002 3 match address Interesting-traffic

crypto map map002 3 set peer Remote-ASA

crypto map map002 3 set ikev2 ipsec-proposal AES256

crypto map map002 interface outside

 

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5    

 prf sha    

 lifetime seconds 28800

 

crypto ikev2 enable outside

 

group-policy L2L-policy internal

group-policy L2L-policy attributes

 vpn-filter value Security-ACL

 vpn-tunnel-protocol ikev2

 

tunnel-group 217.x.x.x type ipsec-l2l

tunnel-group 217.x.x.x general-attributes

 default-group-policy L2L-policy

tunnel-group 217.x.x.x ipsec-attributes

 isakmp keepalive threshold infinite

 ikev2 remote-authentication pre-shared-key *****

 ikev2 local-authentication pre-shared-key *****

 

 

Remote access VPN settings….

 

ip local pool pool-4 10.10.222.1-10.10.222.100 mask 255.255.255.0

 

access-list Split_Tunnel standard permit 10.200.222.0 255.255.255.0

 

crypto ipsec ikev1 transform-set anno3DESSHA esp-3des esp-sha-hmac

 

crypto dynamic-map anno 10 set pfs group1

crypto dynamic-map anno 10 set ikev1 transform-set anno3DESSHA

crypto dynamic-map anno 10 set security-association lifetime seconds 3600

crypto dynamic-map anno 10 set security-association lifetime kilobytes 4608000

 

crypto map map002 70 ipsec-isakmp dynamic anno

crypto map map002 interface outside

 

crypto ikev1 enable outside

 

crypto ikev1 policy 1

 authentication pre-share

 encryption 3des

 hash sha   

 group 2    

 lifetime 86400

 

group-policy RA-VPN-Group internal

group-policy RA-VPN-Group attributes

 vpn-tunnel-protocol ikev1

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value Split_Tunnel

 

tunnel-group RA-VPN-Tunnel type remote-access

tunnel-group RA-VPN-Tunnel general-attributes

 address-pool pool-4

 authentication-server-group RAD LOCAL

 default-group-policy RA-VPN-Group

tunnel-group RA-VPN-Tunnel ipsec-attributes

 ikev1 pre-shared-key *****

 

 

Can anyone give me some clues?

2 REPLIES
New Member

 If it helps anyone the fix

 

If it helps anyone the fix for this was to add the command.... crypto isakmp disconnect-notify   at both ends.

New Member

I had the same issue and this

I had the same issue and this fixed it for me. thanks Mike.

5493
Views
5
Helpful
2
Replies