New Member

EZ VPN on ASA

We have an ASA 5505 that is configured for EZ VPN remote. If we assign it a static IP for its outside interface in our test lab, it stays up. When we take it out to the remote site, which has a FiOS connection with a DHCP address for the outside interface, it drops every hour. When we put a PIX out there, it stays up. A sh crypto isakmp sa on the remote side shows an AM_WAIT_MSG2 (when the ASA is in place and the tunnel fails). I have to reboot the ASA, and then the tunnel will come back up. For an hour. Has anyone else seen this type of behavior? It has been very frustrating, and I have a TAC case, but they said the configuration looks fine.

1 ACCEPTED SOLUTION
New Member

Re: EZ VPN on ASA

Today is your lucky day. I had this exact problem with my ASA 5505 on my FiOS connection. Apparently Verizon will ping your device before it will allow you to request or renew your IP address. When your ASA first comes online they can ping it because you have ICMP enabled on the outside and the VPN tunnel is not up. Once the tunnel is established and you are not using split tunneling, they can no longer ping your ASA. If you drop the tunnel, the DHCP lease will not expire. What I had to do was enable split tunneling on the VPN group that I was using for the ASA and enable ICMP on the outside interface. After that the ASA would stay up for good.

7 REPLIES
Cisco Employee

Re: EZ VPN on ASA

Hello,

You have to look at the debugs on both sides to see what is happening at that time. From the problem you are experiencing, it seems like there is some issue with the Phase 2 key, most likely.

What about the head end side? What status do you see on "sh cry isa sa"?

Run the debugs "deb cry isa 200" and "deb cry ipsec 200" and post the debugs. Let me take a look at the information on where it fails.

Thanks

Gilbert

New Member

Re: EZ VPN on ASA

ggilbert, sorry I didn't reply sooner. I sort of got booted off the problem, the senior network admin took over, and I couldn't get any debug information. Cisco suggested upgrading the FOS, which we did, but we still had problems. (They said there was a bug that had to do with DHCP.)

dzam, I am happy to hear you had the same problem and you found the solution. We do not have split tunneling enabled, so what you are saying makes a lot of sense. I will pass the information along and definitely rate the post when I see how it goes. How did you find out that Verizon will ping your device before allowing you to request/renew the IP?

New Member

Re: EZ VPN on ASA

When I called tech support I used the debug on ASDM and saw that they were pinging me from time to time. I rebooted the router and set a timer on my phone to remind me to go back and look at the DHCP lease timer after 1 hour. I noticed the router went from bind to renew and never went back to bind. I enabled ICMP on the outside interface and rebooted again, set a timer, came back, and it still got stuck at renew. Disabled the VPN and did it again, and it would renew after that. Just a process of elimination. I started to ping myself from an outside source and noticed that my router would not echo unless I had split tunneling enabled. I promise you this is your problem. Good luck.

New Member

Re: EZ VPN on ASA

dzam, you were right. Thanks a lot! The senior network admin was skeptical, but we tested it this weekend and the connection stayed up. I told him he shouldn't be so pessimistic.

I rated your post. I would have given you a 10 if I could. We have been struggling with this for over a month.

New Member

Re: EZ VPN on ASA

Great. This will be my first rated post. Glad I could help out.

New Member

Re: EZ VPN on ASA

I've been having fun with this problem today. I can understand the solution, but it doesn't fit our requirements to enable split-tunneling.

Looking at the debugs I could see that the DHCP rebinding messages were first sent as unicast to the ISP's DHCP server (not local) and then sent as broadcast. Both times this traffic was sent down the tunnel and seen at the headend.

This is due to the dynamic ACL created to ensure that DHCP requests are not sent down the tunnel:

access-list _vpnc_acl line 3 extended deny udp host eq bootpc 255.255.255.0 eq bootps

This works fine when the DHCP server is local, but not if it is remote as in our case.

My initial thoughts were that we could exclude the ISP DHCP server IP address in the split tunneling setup, but it looks like EZVPN does not support excluding networks. We then tried to use "Tunnel networks in list below" with a deny in the ACL to the ISP DHCP server IP address and then a permit any, but the split tunnel only installed the any route.

Anyone know a workaround to this? Looks like we'll have to go for a static IP, or stick a router in between the ISP and the ASA.

Cheers
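The two mechanisms described in this thread (the accepted answer's ICMP/split-tunnel observation and the last post's point about the dynamic _vpnc_acl only exempting DHCP to the local subnet) can be checked with a small forwarding-decision model. The following is an added example written for this page, not code from the thread or from Cisco; it approximates the ASA's dynamic ACL as the posts describe it (deny bootpc-to-bootps toward the local subnet, then tunnel everything or only the split-tunnel list) and uses constructed addresses from the documentation ranges. The address values, the helper names and the exact rule order are assumptions; the point is to see which packets end up in the tunnel under each policy.

```python
import ipaddress
from dataclasses import dataclass

BOOTPS, BOOTPC = 67, 68   # DHCP server / client UDP ports


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple of an outbound packet leaving the ASA's outside interface."""
    src: str
    dst: str
    proto: str          # "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


def is_dhcp_client_to_server(pkt: Packet) -> bool:
    return pkt.proto == "udp" and pkt.sport == BOOTPC and pkt.dport == BOOTPS


def classify(pkt: Packet, local_subnet: str, split_networks: list[str]) -> str:
    """Return "tunnel" or "clear" for an outbound packet.

    Assumed model of the dynamic ACL shown in the thread:
      1. deny udp <outside-ip> eq bootpc <local-subnet> eq bootps  -> stays in the clear
      2. no split list  -> everything else is tunneled ("tunnel all")
         split list     -> only destinations inside the listed networks are tunneled
    """
    dst = ipaddress.ip_address(pkt.dst)
    # Rule 1: DHCP toward a server on the local (outside) subnet is exempted.
    # A remote ISP server or the 255.255.255.255 broadcast does NOT match this line,
    # which is exactly what the last poster saw in the debugs.
    if is_dhcp_client_to_server(pkt) and dst in ipaddress.ip_network(local_subnet):
        return "clear"
    # Rule 2: tunnel-all versus split tunneling.
    if not split_networks:
        return "tunnel"
    if any(dst in ipaddress.ip_network(n) for n in split_networks):
        return "tunnel"
    return "clear"


def scenarios() -> dict[str, str]:
    """Run the cases discussed in the thread with constructed addresses (assumptions)."""
    local = "192.0.2.0/24"           # constructed: ISP-facing subnet on the outside interface
    asa_outside = "192.0.2.10"       # constructed: ASA outside address obtained via DHCP
    isp_dhcp = "198.51.100.5"        # constructed: ISP DHCP server, off the local subnet
    isp_probe = "198.51.100.9"       # constructed: ISP host that pings before allowing renew
    local_dhcp = "192.0.2.1"         # constructed: a DHCP server on the local subnet
    corp_nets = ["10.0.0.0/8"]       # constructed: split-tunnel list from the head end

    unicast_renew = Packet(asa_outside, isp_dhcp, "udp", BOOTPC, BOOTPS)
    broadcast_rebind = Packet(asa_outside, "255.255.255.255", "udp", BOOTPC, BOOTPS)
    echo_reply = Packet(asa_outside, isp_probe, "icmp")
    local_renew = Packet(asa_outside, local_dhcp, "udp", BOOTPC, BOOTPS)

    return {
        # Tunnel-all: the renew goes to the head end, the lease sticks in RENEW.
        "renew_to_isp_tunnel_all": classify(unicast_renew, local, []),
        # Split tunneling: the ISP server is outside the list, so the renew stays clear.
        "renew_to_isp_split": classify(unicast_renew, local, corp_nets),
        # The broadcast rebind does not match the local-subnet line either.
        "rebind_broadcast_tunnel_all": classify(broadcast_rebind, local, []),
        # Tunnel-all: the echo reply to the ISP's ping is swallowed by the tunnel,
        # so the ISP never sees the reply it wants before allowing the renew.
        "echo_reply_tunnel_all": classify(echo_reply, local, []),
        "echo_reply_split": classify(echo_reply, local, corp_nets),
        # A local DHCP server is exempted by the dynamic ACL even with tunnel-all.
        "renew_to_local_tunnel_all": classify(local_renew, local, []),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:32s} -> {decision}")
```

Reading the output against the thread: with tunnel-all, both the unicast renew to the ISP server and the ICMP echo reply to the ISP's probe land in the tunnel, which is the hour-long "renew never returns to bind" symptom; enabling split tunneling moves both into the clear, while a DHCP server on the local subnet was never affected. The model also makes the last poster's objection concrete: because the dynamic ACL only exempts the local subnet, there is no tunnel-all configuration in this model that keeps a renew to a remote ISP DHCP server out of the tunnel.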
