887V - ASA55xx VPN Tunnel fails irregular

Hi support NG,

I've got two VPN tunnels configured; on both I've got the problem that the VPN connectivity breaks every so often.

This happens at irregular times; there is no timing pattern.

I've got 3 IP SLAs configured monitoring it as follows:

887V -- IPSec-Tun-- ASA5510     Site A                              IP SLA 1

887V -- IPSec-Tun-- ASA5505     Site B                              IP SLA 3

887V ------------------------------------> Public DNS Server       IP SLA 2

Trackers 1 and 3 time out regularly, whereas tracker 2, the public DNS server, stays up all the time.

So I assume it will be something wrong with the ISAKMP timers/keepalives.

887V

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key SECRET address XX.XX.XX.XX
crypto isakmp key SECRET address XX.XX.XX.19
crypto isakmp keepalive 15 periodic

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


crypto map crypto_map_outside 10 ipsec-isakmp  !/SITE A
set peer XX.XX.XX.XX
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA ESP-3DES-MD5
match address 100

crypto map crypto_map_outside 20 ipsec-isakmp  !/SITE B
set peer XX.XX.XX.19
set security-association lifetime seconds 86400
set security-association idle-time 86400
set transform-set ESP-3DES-SHA ESP-3DES-MD5
match address 120


track 1 ip sla 1
delay down 1 up 1
!
track 2 ip sla 2
delay down 1 up 1
!
track 3 ip sla 3
delay down 1 up 1


ip sla logging traps

ip sla 1
icmp-echo 10.XX.X.X source-ip 192.168.1.XX
tag VPNxxxxx SITE A
frequency 5
history hours-of-statistics-kept 25
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo XX.XX.X.10 source-interface Dialer1
tag Public-DNS-Server-reachability
frequency 5
history hours-of-statistics-kept 25
ip sla schedule 2 life forever start-time now

ip sla 3
icmp-echo 192.168.X.XX source-ip 192.168.1.XX
tag VPNxxxxxx SITE B
frequency 5
history hours-of-statistics-kept 25
ip sla schedule 3 life forever start-time now

ip sla reaction-configuration 1 react timeout threshold-type immediate action-type trapOnly
ip sla reaction-configuration 2 react timeout threshold-type immediate action-type trapOnly
ip sla reaction-configuration 3 react timeout threshold-type immediate action-type trapOnly

ip sla enable reaction-alerts


=======================================================================================

887

#sh logg | i ->
Sep 15 21:13:58.527: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 21:14:03.527: %TRACKING-5-STATE: 3 ip sla 3 state Down->Up
Sep 15 21:24:48.870: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 21:24:53.870: %TRACKING-5-STATE: 3 ip sla 3 state Down->Up

#sh logg | i ->D
Sep 15 13:27:07.526: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:28:12.560: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:31:27.663: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:37:02.867: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:49:53.309: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 15:18:36.327: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Sep 15 16:06:17.977: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 16:18:03.389: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Sep 15 18:05:42.074: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 18:22:37.653: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Sep 15 18:24:52.753: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down

=======================================================================================

debug crypto isakmp / ipsec

Sep 15 18:24:50.633: ISAKMP (2022): received packet from xx.xx.xx.19 dport 500 sport 500 Global (R) QM_IDLE
Sep 15 18:24:50.633: ISAKMP: set new node 1694007463 to QM_IDLE
Sep 15 18:24:50.633: ISAKMP:(2022): processing HASH payload. message ID = 1694007463
Sep 15 18:24:50.637: ISAKMP:(2022): processing NOTIFY DPD/R_U_THERE protocol 1
Sep 15 18:24:50.637: ISAKMP:(2022):deleting node 1694007463 error FALSE reason "Informational (in) state 1"
Sep 15 18:24:50.637: ISAKMP:(2022):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 15 18:24:50.637: ISAKMP:(2022):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Sep 15 18:24:50.637: ISAKMP:(2022):DPD/R_U_THERE received from peer xx.xx.xx.100, sequence 0x2DEDB07E
Sep 15 18:24:50.637: ISAKMP: set new node 1209340899 to QM_IDLE
Sep 15 18:24:50.637: ISAKMP:(2022):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Sep 15 18:24:50.637: ISAKMP:(2022): seq. no 0x2DEDB07E
Sep 15 18:24:50.637: ISAKMP:(2022): sending packet to xx.xx.xx.19 my_port 500 peer_port 500 (R) QM_IDLE
Sep 15 18:24:50.637: ISAKMP:(2022):Sending an IKE IPv4 Packet.
Sep 15 18:24:50.637: ISAKMP:(2022):purging node 1209340899
Sep 15 18:24:50.637: ISAKMP:(2022):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 15 18:24:50.637: ISAKMP:(2022):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Sep 15 18:25:40.639: ISAKMP:(2022):purging node 1694007463

To me, it looks like ISAKMP timers running out, and then rekeying.

The thing is that I've got complaints from people working at the 887V site accessing a Citrix session on a server based in Site A that they are losing their connection every so often.

Thank you
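Added example, not part of the original post: a small Python script that parses the %TRACKING-5-STATE lines and the ISAKMP DPD line quoted above, computes per-tracker outage counts and durations, and flags tracker losses that closely follow a DPD R_U_THERE received from the peer. The sample log text is copied from the post (the two "sh logg" excerpts and the debug output); the 10-second correlation window and the handling of year-less IOS timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the %TRACKING-5-STATE lines from the post's two "sh logg" excerpts.
TRACKING_LOG = """\
Sep 15 13:27:07.526: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:28:12.560: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:31:27.663: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:37:02.867: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 13:49:53.309: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 15:18:36.327: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Sep 15 16:06:17.977: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 16:18:03.389: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Sep 15 18:05:42.074: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 18:22:37.653: %TRACKING-5-STATE: 1 ip sla 1 state Up->Down
Sep 15 18:24:52.753: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 21:13:58.527: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 21:14:03.527: %TRACKING-5-STATE: 3 ip sla 3 state Down->Up
Sep 15 21:24:48.870: %TRACKING-5-STATE: 3 ip sla 3 state Up->Down
Sep 15 21:24:53.870: %TRACKING-5-STATE: 3 ip sla 3 state Down->Up
"""

# Constructed sample: three lines from the post's "debug crypto isakmp" output.
ISAKMP_LOG = """\
Sep 15 18:24:50.633: ISAKMP (2022): received packet from xx.xx.xx.19 dport 500 sport 500 Global (R) QM_IDLE
Sep 15 18:24:50.637: ISAKMP:(2022):DPD/R_U_THERE received from peer xx.xx.xx.100, sequence 0x2DEDB07E
Sep 15 18:24:50.637: ISAKMP:(2022):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
"""

TS = r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+)"
TRACK_RE = re.compile(TS + r": %TRACKING-5-STATE: (\d+) ip sla \d+ state (Up|Down)->(Up|Down)")
DPD_RE = re.compile(TS + r": ISAKMP:\(\d+\):DPD/R_U_THERE received from peer (\S+),")


def parse_ts(text):
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for
    # deltas within a single day (assumption: all lines are from the same day).
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def parse_tracking(log):
    """Return (timestamp, track_id, old_state, new_state) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        m = TRACK_RE.match(line.strip())
        if m:
            events.append((parse_ts(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return sorted(events)


def outages(events):
    """Per track: list of (down_time, seconds until Down->Up, or None if no Up followed)."""
    result, pending = {}, {}
    for ts, track, _, new in events:
        if new == "Down":
            if track in pending:  # a second Down without an Up in between (filtered log)
                result.setdefault(track, []).append((pending[track], None))
            pending[track] = ts
        elif new == "Up" and track in pending:
            down = pending.pop(track)
            result.setdefault(track, []).append((down, (ts - down).total_seconds()))
    for track, down in pending.items():  # still down at end of log
        result.setdefault(track, []).append((down, None))
    return result


def flap_counts(events):
    """Number of Up->Down transitions per track."""
    counts = {}
    for _, track, _, new in events:
        if new == "Down":
            counts[track] = counts.get(track, 0) + 1
    return counts


def dpd_correlation(events, isakmp_log, window_s=10.0):
    """Tracker Up->Down transitions that occur within window_s after a DPD R_U_THERE
    was received from a peer; returns (peer, track_id, seconds_after_dpd) tuples."""
    hits = []
    for line in isakmp_log.splitlines():
        m = DPD_RE.match(line.strip())
        if not m:
            continue
        dpd_ts, peer = parse_ts(m.group(1)), m.group(2)
        for ts, track, _, new in events:
            delta = (ts - dpd_ts).total_seconds()
            if new == "Down" and 0 <= delta <= window_s:
                hits.append((peer, track, round(delta, 3)))
    return hits


if __name__ == "__main__":
    ev = parse_tracking(TRACKING_LOG)
    print("Up->Down count per track:", flap_counts(ev))
    for track, spans in outages(ev).items():
        resolved = [d for _, d in spans if d is not None]
        print(f"track {track}: {len(spans)} outages, measured durations: {resolved}")
    print("DPD followed by tracker loss:", dpd_correlation(ev, ISAKMP_LOG))
```

With `frequency 5` and `delay down 1` in the posted config, a single lost probe flips the tracker, which is consistent with the 5-second Down->Up recoveries the script measures from the first excerpt; the DPD correlation reports the one case in the debug output where tracker 3 went down about two seconds after the peer's R_U_THERE arrived.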
