Dear All;
I have problem with the Lan-to-Lan VPN tunnel.
the VPN working fines since 9 months ago without any problems.
Suddenly got the problem!
In last two days we faced problem the VPN down.
in first time the problem in phase-2.. but after that in phase-1... in latest no data packet received to their side.
We are not made any change on configuration for beginning..
My Cisco ASA 5505 and their side Cisco ASA 5540
Below in First the configuration from our side:
=========================================
access-list 202 extended permit ip host 20.1.1.2 host 10.1.1.5
access-list 202 extended permit ip host 20.1.1.2 host 10.1.1.6
access-list 202 extended permit ip host 20.1.1.2 host 10.1.1.7
access-list 202 extended permit ip host 20.1.1.3 host 10.1.1.5
access-list 202 extended permit ip host 20.1.1.3 host 10.1.1.6
access-list 202 extended permit ip host 20.1.1.3 host 10.1.1.7
crypto map rackmap 202 match address 202
crypto map rackmap 202 set peer 12.12.12.1
crypto map rackmap 202 set transform-set ESP-3DES-MD5
crypto map rackmap 202 set security-association lifetime seconds 28800
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
tunnel-group 12.12.12.1 type ipsec-l2l
tunnel-group 12.12.12.1 ipsec-attributes
pre-shared-key *********
=========================================
And now the configuration for their side:
=========================================
crypto map outside_map 81 match address outside_81_cryptomap
crypto map outside_map 81 set peer 11.11.11.1
crypto map outside_map 81 set transform-set ESP-3DES-MD5
crypto map outside_map 81 set security-association lifetime seconds 28800
crypto map outside_map 81 set security-association lifetime kilobytes 4608000
access-list outside_81_cryptomap extended permit ip object-group DM_INLINE_NETWORK_74 object-group DM_INLINE_NETWORK_75
access-list DMZ5_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_74 object-group DM_INLINE_NETWORK_75
object-group network DM_INLINE_NETWORK_74
network-object host 10.1.1.5
network-object host 10.1.1.6
network-object host 10.1.1.7
object-group network DM_INLINE_NETWORK_75
network-object host 20.1.1.2
network-object host 20.1.1.3
tunnel-group 11.11.11.1 type ipsec-l2l
tunnel-group 11.11.11.1 ipsec-attributes
pre-shared-key *****
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
=========================================
When trying to initiate the tunnel we got the below error:
Feb 12 2012 07:24:54: %ASA-7-715065: IP = 12.12.12.1, IKE MM Initiator FSM error history (struct &0xc5516d88) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 12 2012 07:24:54: %ASA-7-713906: IP = 12.12.12.1, IKE SA MM:0ce19fb3 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 12 2012 07:24:54: [IKEv1 DEBUG]: IP = 12.12.12.1, sending delete/delete with reason message
we triad to do ... re create the tunnel from beginning... and restart the firewall.. but all times we got the up error
Please advice and help me ASAP
Best Regards