I have a problem with a VPN connection between an ASA5505 and a 3825 router.
Behind the ASA we have a server which is serving on a specific port. If for some reason the link is disconnected, the VPN will not become active unless we generate traffic from this server. After generating even a ping, the VPN immediately becomes active and communication starts. Another case is when we reboot the ASA: the VPN is not created without a ping from the server behind this ASA.
How could we solve this without sending traffic from that server?
How can I access this ASA remotely? Can I access the internal interface? If I open access on port 443 on the outside interface of the ASA, could I access it? Or do I also have to exclude this traffic from the VPN?
I used the VPN wizard to configure the ASA and the CLI on the router.
Here are some commands from troubleshooting and configuration; if this is not enough, please let me know what else you need.
Thank you in advance for your help.
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.10.10.1
Type : L2L Role : initiator
Rekey : no State : AM_ACTIVE
Configuration from the ASA:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.10.10.1
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 30
Configuration from the main router:
crypto isakmp policy 1
crypto isakmp policy 5
crypto isakmp policy 10
crypto isakmp key 6 _JQfe[BeRGNBCGfbGxxxxxxxxx address 10.10.10.10
crypto ipsec transform-set xxxxx esp-des esp-md5-hmac
crypto map ETH0 2696 ipsec-isakmp
set peer 10.10.10.10
set transform-set xxxxx
match address 2001
access-list 2001 permit ip any 192.168.26.96 0.0.0.7
I just read somewhere that changing the VPN type from "bi-directional" to either "initiator" or "responder" could help me, but I tested it and got no result.
You need to enable DPD (Dead Peer Detection) on both ends, router and firewall.
Any IOS version:
router(config)#crypto isakmp keepalive 15 periodic
Under PIX code 6.x:
pix(config)#isakmp keepalive 15
Under ASA code 7.x and above, enable (isakmp keepalive 15):
isakmp keepalive threshold 15 retry 10
Here are some references:
A must-have link for L2L troubleshooting reference
IOS DPD: how it works
Another option you could use to keep the tunnel up when it is idle for a long period of time, without the use of DPD: if this tunnel, for example, is to a trusted branch, you could set up an NTP server on one end and configure a Cisco device on the other end to poll NTP from that NTP server. The NTP packets are very small (128kb), and this will keep your tunnel up at all times. But if this is not your case, then DPD is what you need.
Thank you for your reply.
What I have used until now is something similar to your last proposal with the NTP server: I used a cron job every hour with 5 pings.
I also use SLA monitoring:
sla monitor 1
type echo protocol ipIcmpEcho 192.168.6.2 interface inside
sla monitor schedule 1 life forever start-time now
I don't know which one of them is working, but it is fine so far. Today I will also try your DPD proposal on both tunnel ends.
I have another issue, which seems different from the other ASA5510/5520s.
I can't access and manage the ASA5505 from the outside interface even though I have configured all the needed lines for this.
HTTPS and SSH are not working from outside even though this traffic is not interesting traffic for the VPN.
Any suggestion, please?
I have the same issue with the other ASA 5505 firewall. I have the same configuration as the first one, which is working now.
The problem is the same even though I have downgraded the image to 8.2.1.
The tunnel can only be initiated from one site, the ASA side. If the VPN is down and the first request comes from the router side, it will not start the tunnel.
In the debug I can see the messages below:
Dec 27 03:21:14 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0x833fdbf6)!
Dec 27 03:21:14 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from correlator table failed, no match!
Dec 27 03:21:35 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0x5fde46d5)!
Dec 27 03:21:35 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from correlator table failed, no match!
Dec 27 03:21:45 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0xa3080eec)!
Dec 27 03:21:45 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from correlator table failed, no match!
Could you suggest what to do in this case?
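One way to watch for this pattern in ASA IKEv1 debug/syslog output, as an added example that is not from this thread: it parses lines in the format quoted above (a constructed copy of them is embedded as sample input) and flags a peer whose Phase 2 (quick mode) negotiations keep failing within a short window, which is the point at which to compare the Phase 2 settings on both tunnel ends. The threshold and window values are assumptions, not anything the ASA itself uses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same shape as the ASA IKEv1 debug lines quoted in the post.
SAMPLE_LOG = """\
Dec 27 03:21:14 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0x833fdbf6)!
Dec 27 03:21:14 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from correlator table failed, no match!
Dec 27 03:21:35 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0x5fde46d5)!
Dec 27 03:21:45 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0xa3080eec)!
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: Group = (?P<group>\S+), "
    r"IP = (?P<ip>\S+), (?P<msg>.*)$"
)
QM_RE = re.compile(r"QM FSM error \(P2 struct &(?P<p2>0x[0-9a-f]+), mess id (?P<mid>0x[0-9a-f]+)\)")


def parse_ikev1_lines(text):
    """Return one dict per line that matches the ASA IKEv1 debug format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # The log carries no year; strptime defaults it, which is fine for ordering within a capture.
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        qm = QM_RE.search(ev["msg"])
        ev["qm_error"] = bool(qm)          # True for a Phase 2 (quick mode) failure
        ev["mess_id"] = qm.group("mid") if qm else None
        events.append(ev)
    return events


def phase2_failures(events, threshold=3, window_seconds=60):
    """Flag peers with at least `threshold` QM FSM errors inside any `window_seconds` span."""
    by_peer = defaultdict(list)
    for ev in events:
        if ev["qm_error"]:
            by_peer[ev["ip"]].append(ev)
    flagged = {}
    for peer, evs in by_peer.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs) - threshold + 1):
            span = (evs[i + threshold - 1]["time"] - evs[i]["time"]).total_seconds()
            if span <= window_seconds:
                # Distinct message ids mean each attempt was a fresh quick-mode exchange, not a retransmit.
                flagged[peer] = {"count": len(evs), "distinct_mess_ids": len({e["mess_id"] for e in evs})}
                break
    return flagged
```

Feed it the output of "debug crypto isakmp 127" captured to a file (or the equivalent syslog lines) and alert on any peer it returns.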
Could you post "debug cry isa" and "debug cry ips" from the router and "debug cry isa 127" and "debug cry ips 127" from the ASA when initiating the tunnel from the router?
Attached you will find two txt files with the debug from the ASA and the router.
Please be informed that other VPNs from other sites are terminated on the router.
The outside IP of the router where the VPN is built is 10.10.10.1 and the outside IP of the ASA is 10.10.10.14.