04-02-2014 05:55 PM
I have a VPN created between 2 ASA 5505 firewalls. We had a stable VPN but when we switched internet providers the VPN drops and the internet stays up. We had a Cisco vendor configure this for us but they are not helping. We keep getting this error on the main location in the SYSlog:
Main Site error
04-02-2014 19:20:02 Local4.Error 192.168.100.1 %ASA-3-713214: Group = 40.140.34.234, IP = 40.140.34.234, Could not delete route for L2L peer that came in on a dynamic map. address: 192.168.110.0, mask: 255.0.0.0
Remote site error:
04-02-2014 16:43:38 Local4.Error 192.168.110.1 %ASA-3-713123: Group = 173.166.188.140, IP = 173.166.188.140, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
I am not sure why this keeps happening. Any help would be great.
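An added example (not part of the original post or the poster's configuration): a small Python triage script that parses ASA IKE syslog lines of the shape quoted above, pulls out the message ID and peer, and, for the 713214 message, checks whether the reported address actually sits on the reported mask. The two sample lines are copied from the post as test input; the third line and the one-line summaries of the two message IDs are the script's own, not an ASA reference.

```python
"""Triage Cisco ASA IKE/IPsec syslog lines (added example, not from the post)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generic shape of the ASA IKE messages quoted in the thread:
#   %ASA-<severity>-<msgid>: Group = <id>, IP = <peer>, <free text>
ASA_IKE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"Group = (?P<group>[^,]+), IP = (?P<peer>\d{1,3}(?:\.\d{1,3}){3}), (?P<text>.*)$"
)
# Trailing "address: X, mask: Y" carried by the 713214 message.
ROUTE_RE = re.compile(r"address: (?P<addr>[\d.]+), mask: (?P<mask>[\d.]+)")

# Our own one-line summaries of the two IDs the thread shows (assumption:
# this table is the script's, not an ASA reference document).
KNOWN_IKE_MSGS = {
    "713123": "IKE lost contact with peer (DPD) - tunnel torn down",
    "713214": "could not delete route for L2L peer on dynamic map - check crypto ACL / mask",
}

@dataclass
class IkeEvent:
    severity: int
    msgid: str
    group: str
    peer: str
    text: str
    summary: str

def parse_asa_ike_line(line: str) -> Optional[IkeEvent]:
    """Return a structured event for an ASA IKE syslog line, or None for anything else."""
    m = ASA_IKE_RE.search(line)
    if not m:
        return None
    return IkeEvent(
        severity=int(m.group("sev")),
        msgid=m.group("msgid"),
        group=m.group("group").strip(),
        peer=m.group("peer"),
        text=m.group("text").strip(),
        summary=KNOWN_IKE_MSGS.get(m.group("msgid"), "other IKE/IPsec message"),
    )

def route_mask_consistent(text: str) -> Optional[Tuple[str, bool]]:
    """For a 713214 text, return (network, ok): ok means the address really is the
    network address under the reported mask. 192.168.110.0 under 255.0.0.0 is not
    (that mask gives 192.0.0.0/8), which points at a crypto ACL / mask mismatch."""
    m = ROUTE_RE.search(text)
    if not m:
        return None
    addr = ipaddress.IPv4Address(m.group("addr"))
    net = ipaddress.IPv4Network(f"{addr}/{m.group('mask')}", strict=False)
    return str(net), net.network_address == addr

def triage(lines: List[str]) -> List[str]:
    """One human-readable finding per IKE line; non-IKE lines are skipped."""
    findings = []
    for line in lines:
        ev = parse_asa_ike_line(line)
        if ev is None:
            continue
        note = f"{ev.msgid} peer={ev.peer}: {ev.summary}"
        rm = route_mask_consistent(ev.text) if ev.msgid == "713214" else None
        if rm and not rm[1]:
            note += f" (reported address is not on the reported mask: {rm[0]})"
        findings.append(note)
    return findings

# The two lines quoted in the thread (copied from the post as sample input) plus one
# constructed, unrelated connection-log line to show non-IKE traffic is ignored.
SAMPLE_LOG = [
    "04-02-2014 19:20:02 Local4.Error 192.168.100.1 %ASA-3-713214: Group = 40.140.34.234, "
    "IP = 40.140.34.234, Could not delete route for L2L peer that came in on a dynamic map. "
    "address: 192.168.110.0, mask: 255.0.0.0",
    "04-02-2014 16:43:38 Local4.Error 192.168.110.1 %ASA-3-713123: Group = 173.166.188.140, "
    "IP = 173.166.188.140, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)",
    "04-02-2014 16:44:01 Local4.Info 192.168.110.1 %ASA-6-302013: Built outbound TCP connection",  # constructed
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it against the two posted lines prints one finding per tunnel event; the 713214 line additionally gets the "not on the reported mask" note, which is the same observation the first reply below makes about the class A mask.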
04-02-2014 10:56 PM
Hi,
Can you check the following points before proceeding further?
1) Are you able to ping the other side's VPN peer IP address?
2) If the Internet Service Providers were changed, then the public IPs would also have changed. So did you change any configuration for the VPN?
04-03-2014 09:15 AM
Yes, able to ping the other side. Yes, added the new IP addresses for the VPN from the internet provider.
04-03-2014 12:32 AM
It sounds like there is a mismatch in the configuration. See the first error: "mask: 255.0.0.0". It is not common to use a class A mask for a VPN. I have seen it done before, but as I said, not common. Make sure the phase 1 and phase 2 configurations match and that the crypto ACLs are an exact mirror image of each other.
Also, from the looks of it, the remote site has a dynamic public IP?
1. Check that the crypto ACLs are a mirror image of each other
2. Check that the crypto isakmp policy is the same at both ends. If you have more than 1 policy configured, then just make sure that at least one of the policies is the same at both ends. It works on a first-match basis from top to bottom.
3. Make sure that the transform-set is the same at both ends
4. Make sure that the preshared key is configured the same at both ends
5. If you have split tunneling configured, make sure that the correct destination IP is configured at both ends.
If you want help with checking this, please post a full running configuration of both ends of the tunnel (sanitised).
--
Please remember to rate and select a correct answer
04-03-2014 08:52 AM
Do the names have to match on the policies? Would that cause it to drop?
04-04-2014 12:34 AM
No, Policy names are locally significant. What would make a drop is a mismatch in the IKE phase 1 configuration (the isakmp policy), and / or a mismatch in the IPsec phase 2 configuration (transform set, crypto ACL and crypto map).
If you post the configuration from the devices at both ends of the tunnel, we can help you better in troubleshooting this.
--
Please remember to rate and select a correct answer
04-04-2014 01:48 PM
04-04-2014 01:49 PM
04-05-2014 07:19 AM
Without seeing the remote side configuration it is difficult to see if there are any other mismatches but the crypto ACL is incorrect in the config that you posted in relation to the error you posted:
access-list Comcast_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 host 192.168.110.0
You have defined the remote network as a host... unless the remote network is subnetted in such a way that 192.168.110.0 is actually a host address, this needs to be changed to the following:
access-list Comcast_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
Change that and then test. Let me know how it goes.
--
Please remember to rate and select a correct answer
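An added example (mine, not the posters' or Cisco's): a Python check for the mirror-image rule from the two replies above. It parses `access-list ... extended permit ip` lines in ASA syntax (`host`, `any`, and address/mask pairs), turns each site's crypto ACL into a set of source/destination network pairs, and reports every pair that has no mirror on the other side. The local ACLs are the two lines quoted in the thread (the `host` version and the corrected one); the remote ACL and its name `Windstream_cryptomap_1` are constructed here because the remote configuration was never posted.

```python
"""Check that two ASA crypto ACLs are exact mirror images (added example, not from the thread)."""
import ipaddress
from typing import List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]          # (source network, destination network)

def _take_addr(tokens: List[str]) -> Net:
    """Consume one ASA address spec from the front of tokens: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    if tok == "host":
        return Net(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)        # ASA ACLs use a real subnet mask, not an IOS wildcard
    return Net(f"{tok}/{mask}", strict=False)

def parse_crypto_acl(config: str, name: str) -> Set[Pair]:
    """Collect the (src, dst) pairs of every 'permit ip' entry of the named ACL.
    Assumption: crypto ACLs here only carry 'permit ip' entries; deny lines and
    port-based entries are ignored."""
    pairs: Set[Pair] = set()
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[:2] != ["access-list", name]:
            continue
        body = t[3:] if t[2] == "extended" else t[2:]
        if body[:2] != ["permit", "ip"]:
            continue
        rest = body[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local: Set[Pair], remote: Set[Pair]) -> List[str]:
    """Each local (src, dst) must appear on the remote side as (dst, src), and vice versa."""
    mirrored_remote = {(d, s) for (s, d) in remote}
    problems = []
    for s, d in sorted(local - mirrored_remote, key=str):
        problems.append(f"local {s} -> {d} has no mirror on the remote side")
    for s, d in sorted(mirrored_remote - local, key=str):
        problems.append(f"remote {d} -> {s} has no mirror on the local side")
    return problems

# Local ACLs as quoted in the thread: the 'host' version and the corrected version.
LOCAL_ACL_BAD = (
    "access-list Comcast_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 host 192.168.110.0"
)
LOCAL_ACL_FIXED = (
    "access-list Comcast_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0"
)
# Constructed remote ACL (the remote config was never posted); name is an assumption.
REMOTE_ACL = (
    "access-list Windstream_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.100.0 255.255.255.0"
)

def compare(local_cfg: str, local_name: str, remote_cfg: str, remote_name: str) -> List[str]:
    return mirror_mismatches(parse_crypto_acl(local_cfg, local_name),
                             parse_crypto_acl(remote_cfg, remote_name))

if __name__ == "__main__":
    for label, cfg in (("host version", LOCAL_ACL_BAD), ("corrected", LOCAL_ACL_FIXED)):
        issues = compare(cfg, "Comcast_cryptomap_1", REMOTE_ACL, "Windstream_cryptomap_1")
        print(f"{label}: {'mirror OK' if not issues else issues}")
```

With the `host` line the check reports two problems (the /32 has no mirror, and the remote /24 pair has no mirror locally); with the corrected /24 line it reports none.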
04-07-2014 06:42 AM
04-07-2014 07:10 AM
You have no crypto map configuration that matches your remote peer IP of 40.140.34.234. Correct this, and then we will take it from there.
crypto map mytell_map 1 set peer 209.251.35.154
crypto map mytell_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mytell_map 2 match address Comcast_cryptomap_1
crypto map mytell_map 2 set peer 74.211.225.226
crypto map mytell_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mytell_map 65535 ipsec-isakmp dynamic mytell_dyn_map
crypto map mytell_map interface mytell
crypto map mytell_map interface Comcast
--
Please remember to rate and select a correct answer
04-07-2014 07:24 AM
Should I type this in as a command in PuTTY? On the remote side or the main location???
04-07-2014 07:38 AM
04-07-2014 07:42 AM
We do not have a Mytel connection anymore. The main site has Comcast and the remote site has Windstream. Why would we do anything with the Mytel connection if it is not available?
04-07-2014 08:13 AM
Who said anything about doing something with the Mytel connection?
The Mytel crypto map... and not the connection. These are two different things.
Since you already have configuration on the Mytel crypto map and it is assigned to the Comcast interface, chances are that these configurations are in use, but I don't know this. You will need to take a look and decide for yourself if you want to apply another crypto map with a more appropriate name to the Comcast interface.
crypto map mytell_map interface Comcast
The following is the configuration I suggest you make:
crypto map mytell_map 3 match address Comcast_cryptomap_1
crypto map mytell_map 3 set peer 40.140.34.234
crypto map mytell_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
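As an added example (not from the thread or from the poster's device), the check the reply above did by eye, in Python: parse the `crypto map` lines into entries, then ask whether a static entry sets the given peer, which ACL it matches, and whether, absent one, the peer can only land on the dynamic catch-all entry 65535, which is what the "came in on a dynamic map" message in the first post describes. The configuration text is the crypto map section quoted earlier in the thread plus the suggested sequence-3 entry; both are taken from the posts.

```python
"""Find which ASA crypto map entry a given L2L peer would use (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class CryptoMapEntry:
    seq: int
    peers: List[str] = field(default_factory=list)
    match_acl: Optional[str] = None
    transform_sets: List[str] = field(default_factory=list)
    dynamic: Optional[str] = None       # name of the dynamic map, for 'ipsec-isakmp dynamic' entries

@dataclass
class CryptoMap:
    name: str
    entries: Dict[int, CryptoMapEntry] = field(default_factory=dict)
    interfaces: List[str] = field(default_factory=list)

def parse_crypto_maps(config: str) -> Dict[str, CryptoMap]:
    """Parse the 'crypto map' lines an ASA prints in 'show running-config'.
    Only the sub-commands seen in the thread are handled; others are skipped."""
    maps: Dict[str, CryptoMap] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[:2] != ["crypto", "map"]:
            continue
        cmap = maps.setdefault(t[2], CryptoMap(t[2]))
        if t[3] == "interface":
            cmap.interfaces.append(t[4])
            continue
        if not t[3].isdigit():
            continue
        entry = cmap.entries.setdefault(int(t[3]), CryptoMapEntry(int(t[3])))
        rest = t[4:]
        if rest[:2] == ["set", "peer"]:
            entry.peers.extend(rest[2:])
        elif rest[:2] == ["match", "address"]:
            entry.match_acl = rest[2]
        elif rest[:2] == ["set", "transform-set"]:
            entry.transform_sets.extend(rest[2:])
        elif rest[0] == "ipsec-isakmp" and "dynamic" in rest:
            entry.dynamic = rest[rest.index("dynamic") + 1]
    return maps

def check_peer(cmap: CryptoMap, peer_ip: str) -> dict:
    """Report how peer_ip is handled: its static entry (if any), the ACL and transform
    sets that entry carries, and whether it would otherwise fall to a dynamic entry."""
    static = [e for e in cmap.entries.values() if peer_ip in e.peers]
    has_dynamic = any(e.dynamic for e in cmap.entries.values())
    return {
        "static_seq": static[0].seq if static else None,
        "match_acl": static[0].match_acl if static else None,
        "has_transform_set": bool(static and static[0].transform_sets),
        "falls_to_dynamic": not static and has_dynamic,
        "interfaces": list(cmap.interfaces),
    }

# Crypto map section as posted in the thread (main site).
POSTED_CONFIG = """\
crypto map mytell_map 1 set peer 209.251.35.154
crypto map mytell_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mytell_map 2 match address Comcast_cryptomap_1
crypto map mytell_map 2 set peer 74.211.225.226
crypto map mytell_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mytell_map 65535 ipsec-isakmp dynamic mytell_dyn_map
crypto map mytell_map interface mytell
crypto map mytell_map interface Comcast
"""
# The sequence-3 entry suggested in the reply above.
SUGGESTED_ADDITION = """\
crypto map mytell_map 3 match address Comcast_cryptomap_1
crypto map mytell_map 3 set peer 40.140.34.234
crypto map mytell_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
"""
REMOTE_PEER = "40.140.34.234"   # peer IP from the 713214 message in the first post

if __name__ == "__main__":
    before = check_peer(parse_crypto_maps(POSTED_CONFIG)["mytell_map"], REMOTE_PEER)
    after = check_peer(parse_crypto_maps(POSTED_CONFIG + SUGGESTED_ADDITION)["mytell_map"], REMOTE_PEER)
    print("as posted:", before)
    print("with seq 3:", after)
```

Run as posted, the peer has no static entry and `falls_to_dynamic` is true, matching the syslog complaint; with the sequence-3 lines added it resolves to entry 3 with `Comcast_cryptomap_1` and a transform set.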