ASA 5505 VPN Connection failure

blichtig19738 (Level 1)

I have a VPN created between 2 ASA 5505 firewalls. We had a stable VPN but when we switched internet providers the VPN drops and the internet stays up. We had a Cisco vendor configure this for us but they are not helping. We keep getting this error on the main location in the syslog:

Main Site error

04-02-2014    19:20:02    Local4.Error    192.168.100.1    %ASA-3-713214: Group = 40.140.34.234, IP = 40.140.34.234, Could not delete route for L2L peer that came in on a dynamic map. address: 192.168.110.0, mask: 255.0.0.0

Remote site error:

04-02-2014    16:43:38    Local4.Error    192.168.110.1    %ASA-3-713123: Group = 173.166.188.140, IP = 173.166.188.140, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

I am not sure why this keeps happening. Any help would be great.

16 Replies

blichtig19738 (Level 1)

Can you look at these new config files? We had the VPN stable for about 24 hours and then it drops for 15 minutes and comes back up by itself. Can you give me exact instructions if I need to put a command in somewhere? Would Cisco support be able to resolve this sporadic up/down VPN connection?

Your configuration looks fine with regards to the VPN tunnel.

I believe the reason you experienced a drop is due to the rekey of ISAKMP, and the tunnel rebuilds itself once rekey is done and it sees interesting traffic and the timer starts again. Keep in mind that the timer starts from when the tunnel is built. Has this happened often since getting the tunnel up, or just the one time? 15 minutes is a little long; I have normally only experienced around 5 minutes of outage, but I have heard of times when it takes that long.

But all in all your configuration looks good.

I suggest having a look through your configuration and start removing any unneeded config, as there seems to be some leftover configuration from the Mytel connection. For instance the mytel interface and the default route which points out the mytel interface. I know it is not in use due to the higher configured metric, but worth doing a little spring cleaning.

Also I suggest removing the telnet configuration from both sites as this is an insecure protocol and sends data in clear text. Of course these are just suggestions and you may do as you see fit.

--

Please remember to rate and select a correct answer
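As an added illustration (not code from the thread, the poster or Cisco), the following Python parses syslog lines in the forwarder layout quoted in the question, pulls out the two VPN message IDs the thread shows (713123 and 713214) together with the peer each refers to, and flags peers whose tunnel is torn down by DPD more than once inside a time window, which is the sporadic up/down pattern the poster describes and the rekey explanation above would produce on a schedule. The two extra log lines beyond the ones quoted, the 24-hour window and the helper names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the two lines quoted in the thread plus two invented follow-ups.
SAMPLE_LOG = """\
04-02-2014    16:43:38    Local4.Error    192.168.110.1    %ASA-3-713123: Group = 173.166.188.140, IP = 173.166.188.140, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
04-02-2014    19:20:02    Local4.Error    192.168.100.1    %ASA-3-713214: Group = 40.140.34.234, IP = 40.140.34.234, Could not delete route for L2L peer that came in on a dynamic map. address: 192.168.110.0, mask: 255.0.0.0
04-02-2014    19:20:03    Local4.Error    192.168.100.1    %ASA-3-713123: Group = 40.140.34.234, IP = 40.140.34.234, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
04-03-2014    10:05:41    Local4.Error    192.168.100.1    %ASA-3-713123: Group = 40.140.34.234, IP = 40.140.34.234, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""

# Layout: date, time, facility.severity, ASA host, then the %ASA-<sev>-<id>: message.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<body>.*)$")
PEER_RE = re.compile(r"IP = (?P<ip>[\d.]+)")
TUNNEL_DOWN = "713123"  # IKE lost contact with remote peer (DPD): tunnel torn down
ROUTE_STALE = "713214"  # could not delete route for an L2L peer on a dynamic map

def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if m is None: return None
    peer = PEER_RE.search(m["body"])
    return {"ts": datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%Y %H:%M:%S"),
            "host": m["host"], "severity": int(m["sev"]), "msgid": m["msgid"],
            "peer": peer["ip"] if peer else None, "body": m["body"]}

def vpn_events(text):
    """Keep only the two L2L-tunnel messages discussed in the thread."""
    recs = (parse_line(l) for l in text.splitlines())
    return [r for r in recs if r and r["msgid"] in (TUNNEL_DOWN, ROUTE_STALE)]

def flapping_peers(events, window=timedelta(hours=24), min_drops=2):
    """Map (asa_host, peer_ip) -> largest number of DPD tear-downs inside one window."""
    drops = defaultdict(list)
    for e in events:
        if e["msgid"] == TUNNEL_DOWN:
            drops[(e["host"], e["peer"])].append(e["ts"])
    result = {}
    for key, times in drops.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_drops:
            result[key] = best
    return result
```

Feeding a longer export through `flapping_peers` with a window equal to the configured ISAKMP lifetime is a quick way to see whether the drops line up with rekey as the reply above suggests.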
