Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues

justinstore
Level 1

We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is displayed by the Cisco VPN Client:

"Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"

Upon looking at a client-side packet capture, I notice that no response is being given back to the client for the UDP packets sent to the ASA on UDP 500. If I log in to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping, since ping is not used by the client to test if the ASA is alive.

Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.

Any insight would be greatly appreciated.

I'm using IOS 831 and have tried 821 and 823, as one thread that I found recommended downgrading to 821.

Thanks much,

Justin

10 Replies

Dear Justin,

Please set a packet-capture on the outside interface of the ASA when the issue occurs, as follows:

capture outside interface outside match udp host outside_ip any

Have the client connect and issue the following command:

show capture outside | inc 500

We need to confirm whether the ASA receives the packets or not.

On the other hand and just in case, turn on crypto debugging:

debug crypto isakmp 190

debug crypto ipsec 190

Please keep us posted.

Thanks.

Javier,

I logged into the ASA last time the VPN went down. I issued the following commands:

debug crypto isakmp 190

debug crypto ipsec 190

capture outside-cap interface outside match udp any any

I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:

show capture outside | include 500

and also got nothing. So I issued the following command:

ping 4.2.2.2

Upon which my normal debug messages began to show up, so I issued the show capture outside command again and received the expected output below:

   1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
   2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
   3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
   4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
   5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
   6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
   7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
   8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
   9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
  10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
  11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
  12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
  13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
  14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
  15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
  16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
  17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
  18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
  19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
  20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
  21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
  22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
  23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
  34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
  35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
  70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
 174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
 377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100

It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.

Once again, any insight would be greatly appreciated.

Thanks,

Justin
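The capture above is the right evidence to collect, and the question it answers is a simple one: for each client that sends IKE to the ASA on UDP/500, does the ASA ever send a UDP/500 packet back? The following script is an added example (editor's code, not Justin's or Cisco's) that parses `show capture` output in the line format shown above and lists the client sockets whose IKE initiations got no reply at all. The sample capture embedded in it is constructed, using RFC 5737 documentation addresses in place of OFFICE_IP and REMOTE_IP; the ASA address is an assumption set at the top.

```python
"""Find unanswered IKE (UDP/500) initiations in Cisco ASA `show capture` output.

Added example, not code from the original thread. It assumes the packet-line
format the post shows:
    N: HH:MM:SS.ffffff 802.1Q vlan#2 P0 SRC.PORT > DST.PORT:  udp LEN
"""
import re
from collections import defaultdict

# Assumption: the ASA's outside (public) address. RFC 5737 documentation range.
ASA_OUTSIDE_IP = "203.0.113.10"

# Constructed sample. Client 198.51.100.7 completes an IKE exchange (packets in
# both directions). Client 198.51.100.9 retransmits its first IKE message three
# times and never gets a reply, which is the failure described in the thread.
SAMPLE_CAPTURE = """\
   1: 15:44:18.570160 802.1Q vlan#2 P0 198.51.100.7.1151 > 203.0.113.10.500:  udp 868
   2: 15:44:18.579269 802.1Q vlan#2 P0 203.0.113.10.500 > 198.51.100.7.1151:  udp 444
   3: 15:44:18.703866 802.1Q vlan#2 P0 198.51.100.7.1151 > 203.0.113.10.500:  udp 172
   4: 15:44:18.706567 802.1Q vlan#2 P0 203.0.113.10.500 > 198.51.100.7.1151:  udp 76
   5: 15:44:25.000000 802.1Q vlan#2 P0 198.51.100.9.1160 > 203.0.113.10.500:  udp 868
   6: 15:44:30.000000 802.1Q vlan#2 P0 198.51.100.9.1160 > 203.0.113.10.500:  udp 868
   7: 15:44:35.000000 802.1Q vlan#2 P0 198.51.100.9.1160 > 203.0.113.10.500:  udp 868
   8: 15:45:01.825000 802.1Q vlan#2 P0 203.0.113.10.10000 > 198.51.100.7.10000:  udp 100
"""

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)\s*$"
)


def parse_capture(text):
    """Yield one dict per packet line of `show capture` output; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = m.groupdict()
        for key in ("idx", "sport", "dport", "length"):
            pkt[key] = int(pkt[key])
        yield pkt


def unanswered_ike_initiations(text, asa_ip=ASA_OUTSIDE_IP, ike_port=500):
    """Return {(client_ip, client_port): number_of_requests} for every client socket
    that sent UDP/ike_port to the ASA and never received a UDP/ike_port packet back.

    An empty result means the ASA answered every IKE peer it saw; a non-empty
    result with packets present means the ASA received IKE but did not reply.
    If the capture is empty while the client is retransmitting, the packets are
    not reaching the outside interface at all.
    """
    requests = defaultdict(int)
    answered = set()
    for pkt in parse_capture(text):
        if pkt["dst"] == asa_ip and pkt["dport"] == ike_port:
            requests[(pkt["src"], pkt["sport"])] += 1
        elif pkt["src"] == asa_ip and pkt["sport"] == ike_port:
            answered.add((pkt["dst"], pkt["dport"]))
    return {peer: n for peer, n in requests.items() if peer not in answered}


if __name__ == "__main__":
    for (ip, port), n in sorted(unanswered_ike_initiations(SAMPLE_CAPTURE).items()):
        print(f"{ip}:{port} sent {n} IKE packet(s) to UDP/500 with no reply")
```

Feed it the real output of `show capture <name>` (a capture matching `udp any any` is enough) taken while a client is failing. The script distinguishes the two cases that matter in this thread: IKE arriving but unanswered (an ASA-side problem) versus nothing arriving at all (upstream of the ASA). Note that the UDP/10000 packets in the original capture are the IPsec-over-UDP data path and are deliberately ignored here.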

Dear Justin,

Just to clarify, this connection is going to the ASA, correct? I mean, we are not talking about a pass-through VPN connection, right?

Could you please confirm this?

Thanks.

Correct.

The ASA is directly connected to a cable modem (outside interface is a public IP) and it handles the VPN connections. Clients connect via the Cisco VPN Client from home. The ASA was purchased specifically to be the end-point to our IP/Sec tunnels for remote access.

-Justin

I should note that sometimes the VPN comes back on its own after a while, but it always begins responding after sending pings from the ASA to anywhere on the internet.

Any ideas? I'm almost considering writing a script to send pings every so often.

Just thought I would update this.

I still haven't figured out the issue. I currently use cron to schedule a script to run on one of my Ubuntu boxes. The script logs in to the ASA via ssh and executes a ping command and then exits. This script runs every half hour and the VPN has not gone down since. I don't like this script for security and having my vpn dependent on a linux server.

We are a small company and have only a handful of VPN users, but I would like to get this issue resolved if anyone has any ideas.

-Justin

Hi Justin,

I am now having exactly the same issue as yours.

May I ask if you got it solved?

Fiona

No, I haven't solved it. I just have a batch file that runs every 15 minutes that logs into the ASA and sends out a ping.

Hi Justin,

You may try "isakmp keepalive disable" on ASA 5505 for remote access users.

It seems to fix my issue.

Fiona

Justin,

In order to understand the issue, we would need to gather the logs from the ASA as well.

Most likely you will find something like this:

Session is being torn down. Reason: Lost Service

At this point we could conclude that there is a connectivity issue, and the easiest way to work around it is by disabling ISAKMP keepalives on the ASA.

The "debug crypto isakmp 190" and "debug crypto ipsec 190" will provide this information or the following log:

logging class vpn buffered debugging

no logging buffered debugging

clear logging

* This will only generate VPN logs.

Another troubleshooting step is to connect the external interface of the ASA, the modem and a computer with the VPN client to a switch, then establish the connection from this computer (so it will not traverse the Internet); at this point you will have isolated the issue to the Internet connection.

Please keep us posted.

Thanks.
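Once VPN-class logging is buffered as described above, the thing to pull out of `show logging` is how often sessions end with "Lost Service" (the keepalive/DPD path giving up on a peer) as opposed to ordinary user disconnects. The script below is an added example (editor's code, not from this thread or from Cisco) that scans a buffered-log dump for the session-teardown message and tallies teardown reasons. The log lines embedded in it are constructed; the syslog IDs 713259 (session torn down) and 113019 (session disconnected) are the ones the ASA uses for these messages to the best of the editor's knowledge, and the users, addresses and timestamps are made up.

```python
"""Tally IPsec session-teardown reasons from a Cisco ASA `show logging` dump.

Added example, not code from the original thread. Assumes `logging timestamp`
style lines ("Mon DD YYYY HH:MM:SS: %ASA-L-ID: ...") but also accepts lines
without the timestamp prefix.
"""
import re
from collections import Counter

# Constructed sample of a buffered VPN-class log. Hypothetical tunnel group
# "RA-VPN", users and RFC 5737 addresses.
SAMPLE_LOG = """\
Jan 06 2011 15:44:19: %ASA-5-713120: Group = RA-VPN, Username = alice, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=1a2b3c4d)
Jan 06 2011 15:46:10: %ASA-5-713259: Group = RA-VPN, Username = alice, IP = 198.51.100.7, Session is being torn down. Reason: Lost Service
Jan 06 2011 15:46:10: %ASA-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Duration: 0h:01m:51s, Bytes xmt: 2048, Bytes rcv: 1024, Reason: Lost Service
Jan 06 2011 15:50:02: %ASA-5-713259: Group = RA-VPN, Username = bob, IP = 198.51.100.9, Session is being torn down. Reason: User Requested
Jan 06 2011 15:52:44: %ASA-5-713259: Group = RA-VPN, Username = carol, IP = 198.51.100.11, Session is being torn down. Reason: Lost Service
"""

TEARDOWN_RE = re.compile(
    r"^(?:(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-\d-713259: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session is being torn down\. Reason: (?P<reason>.+?)\s*$"
)


def teardowns(log_text):
    """Return a list of dicts (ts, group, user, ip, reason), one per 713259 line."""
    found = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.match(line)
        if m:
            found.append(m.groupdict())
    return found


def teardown_reasons(log_text):
    """Count teardowns per reason string, e.g. {'Lost Service': 2, 'User Requested': 1}."""
    return Counter(t["reason"] for t in teardowns(log_text))


def lost_service_peers(log_text):
    """(timestamp, user, ip) for each session the ASA dropped for 'Lost Service'.

    A run of these with no matching user activity is the keepalive-failure
    signature that the reply above points at; the peers listed here are the
    ones to correlate against the UDP/500 capture on the outside interface.
    """
    return [(t["ts"], t["user"], t["ip"])
            for t in teardowns(log_text) if t["reason"] == "Lost Service"]


if __name__ == "__main__":
    for reason, n in teardown_reasons(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {reason}")
    for ts, user, ip in lost_service_peers(SAMPLE_LOG):
        print(f"Lost Service: {ts} {user} {ip}")
```

Run it over the output of `show logging` after the buffer has been cleared and a failure has occurred. A high "Lost Service" count with clients still retransmitting IKE is consistent with the keepalive path failing rather than users disconnecting, which is the condition under which disabling ISAKMP keepalives (as Fiona did) masks the symptom without fixing the underlying reachability problem.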
