Hi Florian

FlorianBerthelot · ‎11-03-2013

Hi,

I have an issue with a Site to site VPn using IPSec.

I have several tunnels all configured the same and this is the only one with the isssue. looks like the VPN is dropped whene remote peer pings the internal IP (172.16.30.88). Tunnel drops after 7 - 8secs.

I got this message when enabling isakmp debug :

Nov 04 17:20:32 [IKEv1]Group = 2XX.YY.140.135, IP = XX.YY.140.135, Session is being torn down. Reason: User Requested

I would really appreciate some advice about how to troubleshoot this issue, as i am new to ASA.

Here are some more logs :

Thanks in advance !

5|Nov 04 2013|16:53:19|713904|||||IP = XX.YY.140.135, Received encrypted packet with no matching SA, dropping

4|Nov 04 2013|16:53:19|113019|||||Group = XX.YY.140.135, Username = XX.YY.140.135, IP = XX.YY.140.135, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:10s, Bytes xmt: 608, Bytes rcv: 128, Reason: User Requested

5|Nov 04 2013|16:53:19|713259|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Session is being torn down. Reason: User Requested

6|Nov 04 2013|16:53:19|302020|172.16.10.19|0|172.16.10.254|0|Built inbound ICMP connection for faddr 172.16.10.19/0 gaddr 172.16.10.254/0 laddr 172.16.10.254/0

6|Nov 04 2013|16:53:19|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x0864D3AB) between XX.YY.140.135 and 202.171.68.14 (user= XX.YY.140.135) has been deleted.

6|Nov 04 2013|16:53:19|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x94F43112) between 202.171.68.14 and XX.YY.140.135 (user= XX.YY.140.135) has been deleted.

5|Nov 04 2013|16:53:18|713050|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Connection terminated for peer XX.YY.140.135. Reason: Peer Terminate Remote Proxy 192.168.0.0, Local Proxy 172.16.30.88

6|Nov 04 2013|16:53:18|302020|172.16.30.88|0|192.168.0.1|26299|Built outbound ICMP connection for faddr 192.168.0.1/26299 gaddr 172.16.30.88/0 laddr 172.16.30.88/0

6|Nov 04 2013|16:53:18|302020|192.168.0.1|26299|172.16.30.88|0|Built inbound ICMP connection for faddr 192.168.0.1/26299 gaddr 172.16.30.88/0 laddr 172.16.30.88/0

5|Nov 04 2013|16:53:08|713120|||||Group = XX.YY.140.135, IP = XX.YY.140.135, PHASE 2 COMPLETED (msgid=f141e93e)

6|Nov 04 2013|16:53:08|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x0864D3AB) between 202.171.68.14 and XX.YY.140.135 (user= XX.YY.140.135) has been created.

6|Nov 04 2013|16:53:08|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x94F43112) between 202.171.68.14 and XX.YY.140.135 (user= XX.YY.140.135) has been created.

5|Nov 04 2013|16:53:08|713049|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Security negotiation complete for LAN-to-LAN Group (XX.YY.140.135) Responder, Inbound SPI = 0x0864d3ab, Outbound SPI = 0x94f43112

5|Nov 04 2013|16:53:08|713119|||||Group = XX.YY.140.135, IP = XX.YY.140.135, PHASE 1 COMPLETED

6|Nov 04 2013|16:53:08|113009|||||AAA retrieved default group policy (CLT_TEASOA_L2L_GroupPolicy) for user = XX.YY.140.135

6|Nov 04 2013|16:53:08|713172|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

fcmartinez · ‎03-12-2014

Hi Florian

tunnel is coming UP?

if so and after few time is going down...sometimes could be related to sessions timeout issues.

try to configure SLA with infinite ping and see if this works.

sla monitor x
   type echo protocol ipIcmpEcho sla_monitor_address interface outside_interface
   frequency 5
exit
sla monitor schedule 1 life forever start-time now