ASA 5505 VPN Connection failure

blichtig19738
Level 1

I have a VPN created between 2 ASA 5505 firewalls. We had a stable VPN, but when we switched internet providers the VPN drops and the internet stays up. We had a Cisco vendor configure this for us, but they are not helping. We keep getting this error on the main location in the syslog:

Main site error:

04-02-2014    19:20:02    Local4.Error    192.168.100.1    %ASA-3-713214: Group = 40.140.34.234, IP = 40.140.34.234, Could not delete route for L2L peer that came in on a dynamic map. address: 192.168.110.0, mask: 255.0.0.0

Remote site error:

04-02-2014    16:43:38    Local4.Error    192.168.110.1    %ASA-3-713123: Group = 173.166.188.140, IP = 173.166.188.140, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

I am not sure why this keeps happening. Any help would be great.

16 Replies

mohaneternal
Level 1

Hi,

Can you check the following points before proceeding further.

1) Are you able to ping the other side's VPN peer IP address?

2) If the Internet Service Providers are changed, then the public IP also would change. So did you change any configuration for the VPN?

 

Yes, able to ping the other side. Yes, added new IP addresses for the VPN from the internet provider.

It sounds like there is a mismatch in the configuration. See the first error, "mask: 255.0.0.0". It is not common to use a class A mask for a VPN. I have seen it done before, but as I said, not common. Make sure the phase 1 and phase 2 configurations match and that the crypto ACLs are an exact mirror image of each other.

Also, from the looks of it, the remote site has a dynamic public IP?

1. Check that the crypto ACLs are a mirror image of each other

2. Check that the crypto isakmp policy is the same at both ends. If you have more than 1 policy configured, then just make sure that at least one of the policies is the same at both ends. It works on a first-match basis from top to bottom.

3. Make sure that the transform-set is the same at both ends

4. Make sure that the preshared key is configured the same at both ends

5. If you have split tunneling configured, make sure that the correct destination IP is configured at both ends.

If you want help with checking this, please post a full running configuration of both ends of the tunnel (sanitised).

--

Please remember to rate and select a correct answer

blichtig19738
Level 1

Do the names have to match on the policies? Would that cause it to drop?

No, policy names are locally significant. What would cause a drop is a mismatch in the IKE phase 1 configuration (the isakmp policy), and/or a mismatch in the IPsec phase 2 configuration (transform set, crypto ACL and crypto map).

If you post the configuration from the devices at both ends of the tunnel, we can help you better in troubleshooting this.

I cannot get to the other side of the VPN, but here are the screenshots of the VPN policies and the config from the main location. Can you shed any light on this?

Config file, sorry.

Without seeing the remote side configuration it is difficult to see if there are any other mismatches, but the crypto ACL is incorrect in the config that you posted, in relation to the error you posted:

access-list Comcast_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 host 192.168.110.0

You have defined the remote network as a host. Unless the remote network is subnetted in such a way that 192.168.110.0 is actually a host address, this needs to be changed to the following:

access-list Comcast_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0

Change that and then test. Let me know how it goes.

I put the command in: access-list Comcast_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0

It did not help the connection get started. Attached is the other side of the VPN config file. Any help would be greatly appreciated.

You have no crypto map configuration that matches your remote peer IP of 40.140.34.234. Correct this, and then we will take it from there.

crypto map mytell_map 1 set peer 209.251.35.154

crypto map mytell_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map mytell_map 2 match address Comcast_cryptomap_1

crypto map mytell_map 2 set peer 74.211.225.226

crypto map mytell_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map mytell_map 65535 ipsec-isakmp dynamic mytell_dyn_map

crypto map mytell_map interface mytell

crypto map mytell_map interface Comcast

Should I type this in as a command in PuTTY? On the remote side or the main location?

This should be entered on the main site. Create another crypto map entry under the mytell crypto map, then set the transform-set, match the crypto ACL, set the peer IP address to 40.140.34.234, and you should be good to go.

We do not have a Mytel connection anymore. The main site has Comcast and the remote site has Windstream. Why would we do anything with the Mytel connection if it is not available?

Who said anything about doing something with the Mytel connection?

The Mytel crypto map, not the Mytel connection. These are two different things.

Since you already have configuration on the Mytel crypto map and it is assigned to the Comcast interface, chances are that these configurations are in use, but I don't know this. You will need to take a look and decide for yourself if you want to apply another crypto map with a more appropriate name to the Comcast interface.

crypto map mytell_map interface Comcast

The following is the configuration I suggest you make:

crypto map mytell_map 3 match address Comcast_cryptomap_1

crypto map mytell_map 3 set peer 40.140.34.234

crypto map mytell_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
