2431 Views, 0 Helpful, 2 Replies

Cisco ASA IPsec/L2TP VPN hangs after some time

Nikhil Patil
Level 1

Hi,

I have a Cisco ASA 5505 firewall. I am using the Windows VPN client.

I have configured an IPsec/L2TP VPN, and now I have some problems:

1) The VPN connects, but I noticed that the VPN client connection goes into "HANG" mode after a couple of minutes.

2) I am getting an error when I try to connect to my SQL Server (Windows 2008).

(The VPN client is on an XP machine.)

The error log is:

4 Jul 14 2011 16:33:25 115.240.87.71 Router-Outside IPSEC: Received an ESP packet (SPI= 0x6065CE8C, sequence number= 0x5D0) from 1.2.8.7 (user= test) to Router-Outside. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 255.255.255.255, its source as 1.2.8.7, and its protocol as udp. The SA specifies its local proxy as Router-Outside/255.255.255.255/udp/42246 and its remote_proxy as 1.2.8.7/255.255.255.255/udp/42246.

Following is the startup config:

Result of the command: "show start"

: Saved
: Written by enable_15 at 16:53:11.457 IST Thu Jul 14 2011
!
ASA Version 8.2(5)
!
hostname ciscoasa
dns-guard
!
interface Ethernet0/0
 switchport access vlan 337
 switchport trunk allowed vlan 337
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 20
!
interface Vlan1
 nameif inside
 security-level 50
 ip address *.*.*.* 255.255.255.0
!
interface Vlan20
 nameif DMZ
 security-level 50
 ip address *.*.*.* 255.255.0.0
!
interface Vlan337
 nameif outside
 security-level 0
 ip address Router-Outside 255.255.255.252
!
regex contenttype "Content-Type "
regex applicationheader "application/.*"
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns server-group DefaultDNS
 name-server Sg
 domain-name ****.***
same-security-traffic permit inter-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Trusted-Users
access-list inside_access_out extended permit gre any any
access-list inside_access_out extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit tcp any host Development-ext object-group RDP inactive
access-list outside_access_in extended permit ip *.*.*.* 255.255.255.0 any
access-list outside_access_in remark outside to DMZ access
access-list outside_access_in extended permit ip any interface DMZ
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit tcp any any eq pptp
access-list outside_access_out extended permit ip interface outside any
access-list inside_access_in extended permit ip *.*.*.* 255.255.255.0 any
access-list inside_access_in remark inside to DMZ access
access-list inside_access_in extended permit ip interface inside interface DMZ
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit gre any any
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc_1 extended permit object-group TCPUDP object-group Trusted-Users any eq www
access-list inside_mpc_1 extended permit tcp object-group Trusted-Users any eq https
access-list DMZ_access_in remark DMZ to inside access
access-list DMZ_access_in extended permit ip interface DMZ interface inside
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.192
pager lines 24
logging enable
logging asdm warnings
logging from-address noreply@****.net
logging recipient-address cisco@cisco.com level errors
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn-pool 192.168.50.1-192.168.50.60 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 *.*.*.* 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.*
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
! "trans" is the transport-mode set the L2TP/IPsec clients negotiate (via dynamic-map dyno and crypto map vpn below)
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
! outside_map (and with it the SYSTEM_DEFAULT_CRYPTO_MAP sets, DES and MD5 included) is defined but never applied to an interface; only crypto map vpn is bound to outside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
l2tp tunnel hello 100
dhcpd dns Sg-dc1-int *.*.*.* interface inside
!
dhcpd dns Sg-dc1-int *.*.*.* interface outside
!
dhcprelay server *.*.*.* inside
dhcprelay server Sg-dc1-int inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 dns-server value *.*.*.* *.*.*.*
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value spheregen.net
group-policy sales_policy internal
group-policy sales_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group sales-tunnel type remote-access
tunnel-group sales-tunnel general-attributes
 address-pool vpn-pool
tunnel-group sales-tunnel ppp-attributes
 authentication ms-chap-v2
!
class-map Unblock
 match access-list inside_mpc_1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
class-map httptraffic
 match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockDomainsClass
  reset log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
policy-map inside-policy
 class Unblock
  inspect http
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
smtp-server *.*.*.*
prompt hostname
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4f7f77b564f454834351eee7a77394b7

2 Replies
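The config above carries a pile of transform sets, including DES and MD5 ones, but which of them a peer can actually negotiate depends on which crypto map is bound to an interface. The following is an added example (not code from the original post or from Cisco) that audits an ASA 8.2-style config for that: CONFIG is a constructed excerpt of the crypto lines pasted in the question with the placeholders kept; the WEAK/LEGACY classification and the reachability rule (only transform sets behind a dynamic map referenced by a crypto map that is bound to an interface are offered) are this example's own assumptions, and it follows dynamic crypto maps only, which is all this config uses.

```python
"""Audit an ASA 8.2-style configuration for IPsec/ISAKMP weaknesses.

Added example for this thread, not code from the original post or from
Cisco. CONFIG is a constructed excerpt of the posted config; WEAK/LEGACY
and the reachability rule are this example's own assumptions.
"""
from collections import defaultdict

CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec
"""

# Algorithm tokens as they appear in transform-set and isakmp policy lines
# (assumed classification for this example).
WEAK = {"esp-des", "esp-md5-hmac", "des", "md5", "group 1"}
LEGACY = {"esp-3des", "3des", "group 2"}


def parse(text):
    """Group one-space-indented sub-commands under their parent command."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("!", ":")):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(text):
    """Return findings plus which transform sets a peer can actually negotiate."""
    tsets, dyn, maps, bound, findings = {}, defaultdict(set), defaultdict(set), {}, []
    for cmd, sub in parse(text):
        w = cmd.split()
        if cmd.startswith("crypto ipsec transform-set") and "mode" not in w:
            tsets[w[3]] = set(w[4:])
        elif cmd.startswith("crypto dynamic-map") and "transform-set" in w:
            dyn[w[2]].update(w[w.index("transform-set") + 1:])
        elif cmd.startswith("crypto map") and w[3] == "interface":
            bound[w[2]] = w[4]                      # crypto map bound to an interface
        elif cmd.startswith("crypto map") and "dynamic" in w:
            maps[w[2]].add(w[w.index("dynamic") + 1])
        elif cmd.startswith("crypto isakmp policy"):
            for s in sub:
                token = s if s.startswith("group") else s.split()[-1]
                if token in WEAK:
                    findings.append(f"isakmp policy {w[3]}: weak {s}")
                elif token in LEGACY:
                    findings.append(f"isakmp policy {w[3]}: legacy {s}")
        elif cmd.startswith("group-policy") and "vpn-idle-timeout none" in sub:
            findings.append(f"group-policy {w[1]}: vpn-idle-timeout none, idle sessions never expire")
    # Only dynamic maps hanging off a bound crypto map are offered to peers.
    reachable = {ts for m in bound for d in maps[m] for ts in dyn[d]}
    unbound = sorted(m for m in maps if m not in bound)
    for m in unbound:
        findings.append(f"crypto map {m}: defined but not applied to any interface")
    for name, transforms in tsets.items():
        issues = transforms & (WEAK | LEGACY)
        if not issues:
            continue
        label = "weak" if transforms & WEAK else "legacy"
        state = ("reachable via bound crypto map" if name in reachable
                 else "unreachable, no bound crypto map uses it")
        findings.append(f"transform-set {name}: {label} {' '.join(sorted(issues))}, {state}")
    return {"findings": findings, "reachable": sorted(reachable), "unbound_maps": unbound}


if __name__ == "__main__":
    for f in audit(CONFIG)["findings"]:
        print(f)
```

Run against the excerpt, the audit reports that only "trans" (3DES/SHA-1, transport mode) is reachable, because outside_map is never applied to an interface; the DES and MD5 sets are therefore flagged as weak but unreachable, while the ISAKMP policy (3DES, group 2) and the vpn-idle-timeout none on DfltGrpPolicy are flagged directly.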

Marcin Latosiewicz
Cisco Employee

Nikhil,

Is the VPN hanging on the client or the server?

Or in other words, is the connection up and running when you experience the hang? (Coincidentally, 5 minutes is the XAUTH timeout by default.)

The second problem you're reporting indicates that the packet was not properly encapsulated on the client side. Does it only happen when you're connecting to that server?

Marcin
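The log line in the question is the ASA message %ASA-4-402116: the ESP packet decrypted fine, but the inner packet did not match the proxy identities (address/mask/protocol/port) negotiated for that SA, so the ASA dropped it. The following is an added example (not code from the original post or from Cisco) that parses that message and reports which identity check failed; SAMPLE_LOG[0] is the line quoted in the thread with the ASDM table columns stripped, SAMPLE_LOG[1] is a constructed line with numeric identities so the prefix check is exercised, and the field layout is assumed from the message text shown in the thread.

```python
"""Parse and explain the ASA 'decapsulated inner packet doesn't match the
negotiated policy in the SA' message (syslog ID 402116).

Added example for this thread, not code from the original post or Cisco.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

MSG_RE = re.compile(
    r"IPSEC: Received an (?P<proto>\w+) packet "
    r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+), sequence number= (?P<seq>0x[0-9A-Fa-f]+)\) "
    r"from (?P<peer>\S+) \(user= (?P<user>[^)]*)\) to (?P<local>\S+)\. "
    r"The decapsulated inner packet doesn't match the negotiated policy in the SA\. "
    r"The packet specifies its destination as (?P<pkt_dst>\S+), "
    r"its source as (?P<pkt_src>\S+), and its protocol as (?P<pkt_proto>\w+)\. "
    r"The SA specifies its local proxy as (?P<local_proxy>\S+) "
    r"and its remote_proxy as (?P<remote_proxy>\S+)\."
)

SAMPLE_LOG = [
    # Line from the question (Windows L2TP/IPsec client, transport-mode SA).
    "IPSEC: Received an ESP packet (SPI= 0x6065CE8C, sequence number= 0x5D0) "
    "from 1.2.8.7 (user= test) to Router-Outside. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its "
    "destination as 255.255.255.255, its source as 1.2.8.7, and its protocol as "
    "udp. The SA specifies its local proxy as Router-Outside/255.255.255.255/"
    "udp/42246 and its remote_proxy as 1.2.8.7/255.255.255.255/udp/42246.",
    # Constructed line: numeric identities, inner packet aimed at an inside host.
    "IPSEC: Received an ESP packet (SPI= 0x1A2B3C4D, sequence number= 0x10) "
    "from 198.51.100.7 (user= alice) to 203.0.113.1. The decapsulated inner "
    "packet doesn't match the negotiated policy in the SA. The packet specifies "
    "its destination as 10.0.0.5, its source as 198.51.100.7, and its protocol "
    "as tcp. The SA specifies its local proxy as 203.0.113.1/255.255.255.255/"
    "udp/1701 and its remote_proxy as 198.51.100.7/255.255.255.255/udp/1701.",
]


def parse_proxy(text):
    """Split 'addr/mask/proto/port' into its four identity fields."""
    addr, mask, proto, port = text.split("/")
    return {"addr": addr, "mask": mask, "proto": proto, "port": int(port)}


def parse_line(line):
    """Return the message fields as a dict, or None if the line is not 402116."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["local_proxy"] = parse_proxy(fields["local_proxy"])
    fields["remote_proxy"] = parse_proxy(fields["remote_proxy"])
    return fields


def addr_matches(addr, proxy):
    """True if addr falls inside the proxy identity.

    Numeric identities are compared as prefixes. The ASA substitutes configured
    names (e.g. 'Router-Outside' in the thread) for addresses it knows, and a
    name can only be compared by exact match.
    """
    try:
        return ip_address(addr) in ip_network(f"{proxy['addr']}/{proxy['mask']}", strict=False)
    except ValueError:
        return addr == proxy["addr"]


def diagnose(fields):
    """List the identity checks the inner packet failed.

    The message carries no inner ports, so only addresses and protocol can be
    checked; a pure port mismatch comes back as an empty list.
    """
    problems = []
    lp, rp = fields["local_proxy"], fields["remote_proxy"]
    if not addr_matches(fields["pkt_dst"], lp):
        kind = "broadcast" if fields["pkt_dst"] == "255.255.255.255" else "address"
        problems.append(f"destination {fields['pkt_dst']} ({kind}) outside local proxy "
                        f"{lp['addr']}/{lp['mask']}")
    if not addr_matches(fields["pkt_src"], rp):
        problems.append(f"source {fields['pkt_src']} outside remote proxy "
                        f"{rp['addr']}/{rp['mask']}")
    if fields["pkt_proto"] != lp["proto"]:
        problems.append(f"protocol {fields['pkt_proto']} != SA protocol {lp['proto']}")
    return problems


def summarize(lines):
    """Count mismatch kinds per (user, peer) so a noisy client stands out."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        for p in diagnose(f):
            counts[(f["user"], f["peer"], p.split()[0])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_line(line)
        print(f["user"], f["peer"], f["spi"], diagnose(f))
```

For the thread's line the only failed check is the destination: the client pushed a limited-broadcast UDP datagram (255.255.255.255) into a host-to-host transport-mode SA whose local proxy is the ASA's outside address, which fits the reading that the packet was wrongly handed to the SA on the client side rather than anything the ASA negotiated. A burst of these from one user and peer in summarize() is worth correlating with the "hang" timing.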

Nikhil Patil
Level 1

It's solved.
