01-12-2012 04:01 PM
I have an L2L VPN tunnel set up between 2 different sites. The configs are very basic and I just used the wizard to set up the tunnel config on both ends. I have been around and around with TAC and the ISP but I can't seem to figure out what is going on. The problem is that the tunnel drops every 6h:48m:32s right on the dot. The tunnel is rebuilt right away but everyone at the remote side is kicked out of their apps. I can post the config if necessary but I have not done that before so I would need some time to take out all the important information. The ISP says that they don't think it is their problem. I have talked to several TAC engineers and we have changed the Phase 1 and Phase 2 timers without any difference in the dropping time. I have also disabled the keepalives, but that did not help either.
I have set up a ping to both IPs and they continue to ping even though the tunnel drops, so I believe the ISP that it might not be their issue. Any suggestions would be helpful.
My last resort is to maybe redo the DftGrpPolicy to see if maybe that is corrupt.
Thanks,
Rob
01-12-2012 07:38 PM
A config would probably help, but more importantly, what do your logs tell you every time it drops on the 6h:48m:32s interval? Debugging-level logs would be preferred.
I'm assuming this is an ASA 5505 on each end of the tunnel?
01-13-2012 07:26 AM
This is the message I get:
%ASA-4-113019: Group = IPAddressofsite, Username = IPAddressofsite, IP = IPAddressofsite, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:48m:32s, Bytes xmt: 56567420, Bytes rcv: 31402977, Reason: Lost Service
01-13-2012 08:00 AM
Please check the post below. Is this the change suggested by the TAC engineer? If not, you can try this.
https://supportforums.cisco.com/thread/2101175
hth
MS
01-15-2012 09:21 PM
Yes, we did change the keepalive settings at one point. When we disabled them the remote end never knew the tunnel dropped and I would have to go in and log out the tunnel for the users to be able to do their work. Not a good situation. I enabled them again so that I don't get 2 - 3 calls a day to log out the tunnel.
01-15-2012 09:24 PM
Here is the config off the main site ASA. They are pretty much the same on both sides except for the obvious IP changes like interfaces and networks.
names
name 192.168.2.0 OP-Network
name 172.16.10.0 VPN-Network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address MainSiteIP
!
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network VPN-Network
 subnet 172.16.10.0 255.255.255.240
object network OP-Network
 subnet 192.168.2.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 object VPN-Network
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 object OP-Network
access-list outside_cryptomap_dyn_20 extended permit ip any object VPN-Network
access-list kneegroup_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object OP-Network
access-list capo extended permit ip host LocalIP host RemoteIP
access-list capo extended permit ip host RemoteIP host LocalIP
access-list outside_access_in extended permit icmp any host LocalIP
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging host inside 192.168.1.55
logging class vpn trap debugging
mtu inside 1500
mtu outside 1500
arp timeout 14400
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static VPN-Network VPN-Network route-lookup
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static VPN-Network VPN-Network no-proxy-arp inactive
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static OP-Network OP-Network no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 OutsideIP 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer RemoteIP
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 4.2.2.2
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value kneegroup_splitTunnelAcl
group-policy OP_Amh_Tunnel_GP internal
group-policy OP_Amh_Tunnel_GP attributes
 vpn-tunnel-protocol ikev1
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group kneegroup type remote-access
tunnel-group kneegroup general-attributes
 address-pool mypool
 authentication-server-group (outside) LOCAL
tunnel-group kneegroup ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 30 retry 2
tunnel-group RemoteIP type ipsec-l2l
tunnel-group RemoteIP general-attributes
 default-group-policy OP_Amh_Tunnel_GP
tunnel-group RemoteIP ipsec-attributes
 ikev1 pre-shared-key *****
01-16-2012 05:12 AM
Hi,
Can you also try to configure the command vpn-session-timeout none under the group-policy, and see if there is any difference?
Thanks
Ajay
01-16-2012 07:01 AM
I have done that already. There is not any timeout/rekey or lifetime that is associated with 6 hours 48 min and 32 seconds. I could see it if the tunnel were randomly dropping, but I can predict it to the second!
01-16-2012 09:37 AM
Hi Robert,
How many phase-1 policies do you have configured on the remote end? Just wondering which one is being negotiated. I would not configure the lifetime but leave it on default.
If I calculate the value which you have given, it comes to 6x60x60 + 48x60 + 32 = 24512.
crypto isakmp sa detail will tell you which policy is being used for the L2L.
Thanks
Ajay
09-08-2013 06:01 PM
Have you found the solution to this problem?
I have 4 ASA 5505s with tunnels between all of them. ONE of the 4 ASAs is rebuilding its 3 tunnels every 12 hours.
It is giving exactly the same message that Robert Finger posted, EXCEPT that my tunnels are being reset every 12 hours.
%ASA-4-113019: Group = IPAddressofsite, Username = IPAddressofsite, IP = IPAddressofsite, Session disconnected. Session Type: LAN-to-LAN, Duration: 12h:00m:32s, Bytes xmt: 56567420, Bytes rcv: 31402977, Reason: Lost Service
This just started ~1 month ago. Up until that time the tunnels never timed out. NO configuration changes have been made, but the ASA was rebooted around that time. It is tempting to just restore the old saved config, BUT I want to know what is causing the problem.
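As an added example, not part of this thread and not Cisco code: a small Python script that does what the posters above did by hand. It parses %ASA-4-113019 session-disconnect lines from a syslog capture, converts the logged Duration to seconds (the 6x60x60 + 48x60 + 32 = 24512 calculation), groups the drops per L2L peer, flags peers whose sessions always end after the same number of seconds, and checks that interval against the lifetimes in the config posted earlier (28800 on the crypto map and policy 40, 86400 on policy 20). The sample log lines are constructed: the peer addresses are documentation ranges and the extra lines for a second peer were made up to show the grouping; the timer labels are hypothetical names for the config lines.

```python
import re
from collections import defaultdict

# Constructed sample capture: the two messages quoted in this thread, with
# documentation addresses in place of the real peers, plus two made-up lines
# for a second peer so that the per-peer grouping has something to separate.
SAMPLE_LOG = """\
%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:48m:32s, Bytes xmt: 56567420, Bytes rcv: 31402977, Reason: Lost Service
%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:48m:32s, Bytes xmt: 12345, Bytes rcv: 67890, Reason: Lost Service
%ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 12h:00m:32s, Bytes xmt: 56567420, Bytes rcv: 31402977, Reason: Lost Service
%ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:05m:10s, Bytes xmt: 1, Bytes rcv: 2, Reason: Idle Timeout
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/443 to inside:192.168.1.55/51000 duration 0:00:10 bytes 1234 TCP FINs
"""

# Field layout of the %ASA-4-113019 message as quoted in this thread.
DISCONNECT_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>\S+), Username = (?P<user>\S+), "
    r"IP = (?P<ip>\S+), Session disconnected\. Session Type: (?P<stype>[^,]+), "
    r"Duration: (?P<duration>\d+h:\d+m:\d+s), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")

# Lifetimes taken from the config posted in this thread (labels are hypothetical).
CONFIGURED_TIMERS = {
    "crypto map 1 security-association lifetime": 28800,
    "ikev1 policy 20 lifetime": 86400,
    "ikev1 policy 40 lifetime": 28800,
}


def duration_to_seconds(duration):
    """Convert the ASA's 'Hh:Mm:Ss' duration into seconds (6h:48m:32s -> 24512)."""
    m = DURATION_RE.fullmatch(duration)
    if not m:
        raise ValueError(f"unrecognised duration: {duration!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_disconnect(line):
    """Return the fields of one 113019 line as a dict, or None for any other line."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seconds"] = duration_to_seconds(rec["duration"])
    rec["xmt"] = int(rec["xmt"])
    rec["rcv"] = int(rec["rcv"])
    return rec


def nearest_timer(seconds, timers=CONFIGURED_TIMERS, tolerance=60):
    """Return (timer name, delta) for the configured timer closest to `seconds`
    when it lies within `tolerance` seconds, otherwise None.  A rekey that takes
    the tunnel down shows up a few seconds past the lifetime, hence the slack."""
    best = None
    for name, value in timers.items():
        delta = abs(seconds - value)
        if delta <= tolerance and (best is None or delta < best[1]):
            best = (name, delta)
    return best


def summarise(log_text, tolerance=5):
    """Group LAN-to-LAN disconnects by peer IP and flag peers whose sessions
    always last the same length (to within `tolerance` seconds)."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec and rec["stype"] == "LAN-to-LAN":
            by_peer[rec["ip"]].append(rec)
    summary = {}
    for peer, recs in by_peer.items():
        secs = [r["seconds"] for r in recs]
        periodic = len(secs) >= 2 and max(secs) - min(secs) <= tolerance
        summary[peer] = {
            "count": len(recs),
            "seconds": secs,
            "reasons": sorted({r["reason"] for r in recs}),
            "periodic": periodic,
            # Only a fixed interval is worth comparing against a lifetime.
            "matches_timer": nearest_timer(secs[0]) if periodic else None,
        }
    return summary


if __name__ == "__main__":
    for peer, info in summarise(SAMPLE_LOG).items():
        flag = "PERIODIC" if info["periodic"] else "irregular"
        print(f"{peer}: {info['count']} drops, durations {info['seconds']} s, "
              f"{flag}, reasons {info['reasons']}, timer match: {info['matches_timer']}")
```

Feeding it the two drops in the thread gives 24512 s and 43232 s, and neither is within a minute of 28800 or 86400, which is the same conclusion the thread reached: a fixed interval that matches no configured lifetime points away from rekey and towards something outside the IKE/IPsec timers. Run it against a real capture from `logging host` and the "PERIODIC" flag on a peer is the signal worth chasing; a peer with mixed durations and reasons such as "Idle Timeout" is ordinary session churn.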