11731 Views | 0 Helpful | 9 Replies

ASA 5505 l2l VPN Dropping

robfinger (Level 1)

I have an L2L VPN tunnel set up between 2 different sites. The configs are very basic and I just used the wizard to set up the tunnel config on both ends. I have been around and around with TAC and the ISP but I can't seem to figure out what is going on. The problem is that the tunnel drops every 6h:48m:32s, right on the dot. The tunnel is rebuilt right away but everyone at the remote side is kicked out of their apps. I can post the config if necessary but I have not done that before, so I would need some time to take out all the important information. The ISP says that they don't think it is their problem. I have talked to several TAC engineers and we have changed the Phase 1 and Phase 2 timers without any difference in the dropping time. I have also disabled the keepalives; that did not help either.

I have set up a ping to both IPs and they continue to ping even though the tunnel drops, so I believe the ISP that it might not be their issue. Any suggestions would be helpful.

My last resort is to maybe redo the DfltGrpPolicy to see if maybe that is corrupt.

Thanks,

Rob

9 Replies

cflory (Level 1)

A config would probably help, but more importantly, what do your logs tell you every time it drops on the 6h:48m:32s interval? Debugging-level logs would be preferred.

I'm assuming this is an ASA 5505 on each end of the tunnel?

This is the message I get:

%ASA-4-113019: Group = IPAddressofsite, Username = IPAddressofsite, IP = IPAddressofsite, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:48m:32s, Bytes xmt: 56567420, Bytes rcv: 31402977, Reason: Lost Service

Please check the post below. Is this the change suggested by the TAC engineer? If not, you can try this.

https://supportforums.cisco.com/thread/2101175

hth

MS

Yes, we did change the keepalive settings at one point. When we disabled them the remote end never knew the tunnel dropped and I would have to go in and log out the tunnel for the users to be able to do their work. Not a good situation. I enabled them again so that I don't get 2-3 calls a day to log out the tunnel.

robfinger (Level 1)

Here is the config off the main site ASA. They are pretty much the same on both sides except for the obvious IP changes like interfaces and networks.

names
name 192.168.2.0 OP-Network
name 172.16.10.0 VPN-Network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address MainSiteIP
!
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network VPN-Network
 subnet 172.16.10.0 255.255.255.240
object network OP-Network
 subnet 192.168.2.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 object VPN-Network
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 object OP-Network
access-list outside_cryptomap_dyn_20 extended permit ip any object VPN-Network
access-list kneegroup_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object OP-Network
access-list capo extended permit ip host LocalIP host RemoteIP
access-list capo extended permit ip host RemoteIP host LocalIP
access-list outside_access_in extended permit icmp any host LocalIP
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging host inside 192.168.1.55
logging class vpn trap debugging
mtu inside 1500
mtu outside 1500
arp timeout 14400
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static VPN-Network VPN-Network route-lookup
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static VPN-Network VPN-Network no-proxy-arp inactive
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static OP-Network OP-Network no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 OutsideIP 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer RemoteIP
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 4.2.2.2
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value kneegroup_splitTunnelAcl
group-policy OP_Amh_Tunnel_GP internal
group-policy OP_Amh_Tunnel_GP attributes
 vpn-tunnel-protocol ikev1
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group kneegroup type remote-access
tunnel-group kneegroup general-attributes
 address-pool mypool
 authentication-server-group (outside) LOCAL
tunnel-group kneegroup ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 30 retry 2
tunnel-group RemoteIP type ipsec-l2l
tunnel-group RemoteIP general-attributes
 default-group-policy OP_Amh_Tunnel_GP
tunnel-group RemoteIP ipsec-attributes
 ikev1 pre-shared-key *****

Hi,

Can you also try configuring the command vpn-session-timeout none under the group-policy and see if there is any difference?

Thanks

Ajay

I have done that already. There is not any timeout/rekey or lifetime that is associated with 6 hours 48 minutes and 32 seconds. I could see it if the tunnel were randomly dropping, but I can predict it to the second!

Hi Robert,

How many phase-1 policies do you have configured on the remote end? Just wondering which one is being negotiated. I would not configure the lifetime but leave it at the default.

If I calculate the value you have given, it comes to 6x60x60 + 48x60 + 32 = 24512.

crypto isakmp sa detail will tell you which policy is being used for the L2L.

Thanks

Ajay

Pam Walsh (Level 1)

Have you found the solution to this problem?

I have 4 ASA 5505s with tunnels between all of them. ONE of the 4 ASAs is rebuilding its 3 tunnels every 12 hours.

It is giving exactly the same message that Robert Finger posted, EXCEPT that my tunnels are being reset every 12 hours.

%ASA-4-113019: Group = IPAddressofsite, Username = IPAddressofsite, IP = IPAddressofsite, Session disconnected. Session Type: LAN-to-LAN, Duration: 12h:00m:32s, Bytes xmt: 56567420, Bytes rcv: 31402977, Reason: Lost Service

This just started ~1 month ago. Up until that time the tunnels never timed out. NO configuration changes have been made, but the ASA was rebooted around that time. It is tempting to just restore the old saved config, BUT I want to know what is causing the problem.
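Added example, not part of the thread and not Cisco code: a short Python script that does what Ajay did by hand for Rob's and Pam's %ASA-4-113019 lines. It parses the message, converts the Duration field to seconds, checks the value against the IKE and IPsec lifetimes in the posted config (28800 s on the crypto map and on policy 40, 86400 s on policy 20), and flags a peer whose drops land on the same duration every time as timer-driven rather than path-driven. The syslog lines are constructed samples modelled on the quoted message and use RFC 5737 documentation addresses; support for a leading `Nd:` day count in the duration is an assumption, since the thread only shows durations under a day.

```python
"""Parse ASA %ASA-4-113019 disconnect messages and compare the tunnel Duration
with configured IKE/IPsec lifetimes.  Added example for this thread; it is not
Cisco code and not from any of the posters."""
import re
from collections import defaultdict

# Lifetimes read off the crypto config posted in the thread (seconds).
CONFIGURED_LIFETIMES = {
    "ipsec-sa (crypto map outside_map 1)": 28800,
    "ikev1 policy 20": 86400,
    "ikev1 policy 40": 28800,
}

# Constructed sample syslog lines modelled on the message quoted in the thread.
# Peer addresses are RFC 5737 documentation addresses.  Peer 203.0.113.10 shows
# the OP's symptom (every drop at exactly 6h:48m:32s); 198.51.100.7 drops at
# random durations; the last line is an unrelated message that must be ignored.
SAMPLE_LOGS = [
    "Mar 10 02:11:07 asa-main %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:48m:32s, Bytes xmt: 56567420, Bytes rcv: 31402977, Reason: Lost Service",
    "Mar 10 08:59:41 asa-main %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:48m:32s, Bytes xmt: 41220911, Bytes rcv: 22094531, Reason: Lost Service",
    "Mar 10 15:48:13 asa-main %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:48m:32s, Bytes xmt: 39870114, Bytes rcv: 20113476, Reason: Lost Service",
    "Mar 10 04:30:22 asa-main %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:52m:10s, Bytes xmt: 1203311, Bytes rcv: 880214, Reason: Lost Service",
    "Mar 10 09:15:03 asa-main %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 3h:05m:41s, Bytes xmt: 5410877, Bytes rcv: 3300190, Reason: Lost Service",
    "Mar 10 09:15:04 asa-main %ASA-6-113009: AAA retrieved default group policy (OP_Amh_Tunnel_GP) for user = 198.51.100.7",
]

# Field layout of the 113019 message as quoted in the thread; re.search is used
# so any syslog timestamp/hostname prefix in front of %ASA is tolerated.
_RE_113019 = re.compile(
    r"%ASA-4-113019: Group = (?P<group>\S+), Username = (?P<user>\S+), "
    r"IP = (?P<ip>\S+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<duration>[0-9dhms:]+), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)
# 'Nd:' day prefix is an assumption for sessions longer than a day.
_RE_DURATION = re.compile(r"^(?:(?P<d>\d+)d:)?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s$")


def duration_to_seconds(text):
    """'6h:48m:32s' -> 24512, the same arithmetic Ajay did in the thread."""
    m = _RE_DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA duration: {text!r}")
    days, hours = int(m.group("d") or 0), int(m.group("h"))
    return ((days * 24 + hours) * 60 + int(m.group("m"))) * 60 + int(m.group("s"))


def parse_113019(line):
    """Return the fields of a 113019 message as a dict, or None for other lines."""
    m = _RE_113019.search(line)
    if not m:
        return None
    return {
        "group": m.group("group"),
        "ip": m.group("ip"),
        "type": m.group("type"),
        "duration_s": duration_to_seconds(m.group("duration")),
        "bytes_xmt": int(m.group("xmt")),
        "bytes_rcv": int(m.group("rcv")),
        "reason": m.group("reason").strip(),
    }


def match_lifetime(seconds, lifetimes=CONFIGURED_LIFETIMES, tolerance=120):
    """Names of configured lifetimes the observed duration lands on.  A rekey
    or SA expiry fires a little before/after the nominal lifetime, hence the
    tolerance; an empty list means no configured timer explains the drop."""
    return sorted(name for name, life in lifetimes.items() if abs(seconds - life) <= tolerance)


def classify_drops(lines, tolerance=5):
    """Group LAN-to-LAN disconnects by peer and decide whether the drops are
    periodic (same duration every time, within tolerance seconds) or irregular."""
    by_peer = defaultdict(list)
    for line in lines:
        ev = parse_113019(line)
        if ev and ev["type"] == "LAN-to-LAN":
            by_peer[ev["ip"]].append(ev)
    report = {}
    for ip, events in by_peer.items():
        durations = [e["duration_s"] for e in events]
        periodic = len(durations) >= 2 and max(durations) - min(durations) <= tolerance
        report[ip] = {
            "drops": len(events),
            "pattern": "periodic" if periodic else "irregular",
            "durations_s": durations,
            "reasons": sorted({e["reason"] for e in events}),
            "lifetime_matches": match_lifetime(durations[0]) if periodic else [],
        }
    return report


if __name__ == "__main__":
    for ip, info in classify_drops(SAMPLE_LOGS).items():
        print(f"{ip}: {info['drops']} drops, {info['pattern']}, durations {info['durations_s']}, "
              f"reasons {info['reasons']}, matches {info['lifetime_matches'] or 'no configured lifetime'}")
```

Feed it the real syslog from the `logging host inside 192.168.1.55` collector in the posted config instead of the samples; a peer reported as periodic with an empty lifetime match is the situation in the thread, a timer somewhere that is not one of the lifetimes on this box, so the next thing to look at is the other end's policies and `show crypto isakmp sa detail` / `show crypto ipsec sa` rather than the ISP.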