We have an ASA5505 site-to-site IPSec VPN; here is the version:
central site 8.04
I found that the two VPNs always disconnect every morning. I tried to clear the isa sa and ipsec sa, but they could not come back up. I tried to set the timeout of IPSec and isa to the max value, but it doesn't work. The solution is to reset the two remote ASAs.
Following is the log info on the remote site's ASA when the VPN could not come back; the two remote ASAs have similar info. Does anyone have ideas?
Aug 18 2009 21:28:31: %ASA-3-713119: Group = 18.104.22.168, IP = 22.214.171.124, PHASE 1 COMPLETED
Aug 18 2009 21:28:31: %ASA-3-713061: Group = 126.96.36.199, IP = 188.8.131.52, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.157.96.0/255.255.224.0/0/0 on interface outside
Aug 18 2009 21:28:31: %ASA-3-713902: Group = 184.108.40.206, IP = 220.127.116.11, QM FSM error (P2 struct &0x41c5960, mess id 0x9f02f748)!
Aug 18 2009 21:28:31: %ASA-3-713902: Group = 18.104.22.168, IP = 22.214.171.124, Removing peer from correlator table failed, no match!
Aug 18 2009 21:28:31: %ASA-4-113019: Group = 126.96.36.199, Username = 188.8.131.52, IP = 184.108.40.206, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
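The 713061 line above is the one that explains the disconnect: Phase 1 completed, but the peer proposed a remote proxy of 0.0.0.0/0.0.0.0 against a local proxy of 10.157.96.0/255.255.224.0, and no crypto map entry on this ASA covers that pair. The following is an added example, not code from the post or from Cisco: it parses 713061 lines from a constructed log (documentation-range addresses, not the poster's), compares the proposed proxy identities against a constructed crypto ACL for this ASA, and reports how the peer's proposal differs from the mirror-image entry the peer should be using. The ACL, the addresses and the helper names are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the 713119/713061/113019 lines in the post.
# Addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE_LOG = """\
Aug 18 2009 21:28:31: %ASA-3-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Aug 18 2009 21:28:31: %ASA-3-713061: Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.157.96.0/255.255.224.0/0/0 on interface outside
Aug 18 2009 21:28:31: %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
"""

# A proxy identity as the ASA prints it: address/mask/protocol/port.
PROXY = r"([\d.]+)/([\d.]+)/(\d+)/(\d+)"
RE_713061 = re.compile(
    r"%ASA-3-713061: Group = (\S+), IP = (\S+), .*?"
    r"remote proxy " + PROXY + r" local proxy " + PROXY
)


@dataclass(frozen=True)
class Proxy:
    net: ipaddress.IPv4Network
    proto: int
    port: int


def _proxy(addr, mask, proto, port):
    # ipaddress accepts a dotted netmask, so "0.0.0.0/0.0.0.0" becomes 0.0.0.0/0.
    return Proxy(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), int(proto), int(port))


def parse_713061(log_text):
    """Return [(peer_ip, local_proxy, remote_proxy)] for every 713061 rejection in the log."""
    found = []
    for line in log_text.splitlines():
        m = RE_713061.search(line)
        if m:
            g = m.groups()          # g[0]=group, g[1]=peer IP, g[2:6]=remote, g[6:10]=local
            found.append((g[1], _proxy(*g[6:10]), _proxy(*g[2:6])))
    return found


# Constructed crypto ACL on this ASA (local network, remote network), as it would come from
#   access-list L2L_ACL extended permit ip 10.157.96.0 255.255.224.0 10.200.0.0 255.255.0.0
LOCAL_CRYPTO_ACL = [
    (ipaddress.IPv4Network("10.157.96.0/255.255.224.0"),
     ipaddress.IPv4Network("10.200.0.0/255.255.0.0")),
]


def expected_peer_acl(acl):
    """Crypto ACLs on the two ends must be mirror images: the peer's entries swap source and destination."""
    return [(remote, local) for local, remote in acl]


def diagnose(acl, local_proxy, remote_proxy):
    """Classify how the proposed proxy identities relate to this ASA's crypto ACL entries."""
    for local_net, remote_net in acl:
        if local_proxy.net != local_net:
            continue
        if remote_proxy.net == remote_net:
            relation = "exact"            # identities match; the rejection has another cause
        elif remote_proxy.net.supernet_of(remote_net):
            relation = "wider"            # peer's crypto ACL is broader than our entry
        elif remote_proxy.net.subnet_of(remote_net):
            relation = "narrower"         # peer's crypto ACL is a subset of our entry
        else:
            relation = "disjoint"
        return {"relation": relation, "expected_remote": remote_net,
                # 0.0.0.0/0 from the peer would pull all traffic into the tunnel if accepted
                "any_remote": remote_proxy.net.prefixlen == 0}
    return {"relation": "no_local_entry", "expected_remote": None, "any_remote": False}


def report(log_text, acl):
    """Diagnose every 713061 line in the log against the given crypto ACL."""
    return [dict(peer=peer, local=str(lp.net), remote=str(rp.net), **diagnose(acl, lp, rp))
            for peer, lp, rp in parse_713061(log_text)]


if __name__ == "__main__":
    for r in report(SAMPLE_LOG, LOCAL_CRYPTO_ACL):
        print(r)
```

On the sample above the verdict is "wider" with `any_remote` set: the peer is offering 0.0.0.0/0 where this ASA expects 10.200.0.0/16, which is what happens when the peer's Phase 2 proposal comes from a different crypto map entry (or a broader crypto ACL) than the mirror image of ours. Compare the output of `expected_peer_acl()` with the peer's actual crypto ACL before touching lifetimes.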
If the users are frequently disconnected across the L2L tunnel, the problem can be the lesser lifetime configured in the ISAKMP SA. If any discrepancy occurs in the ISAKMP lifetime, you can receive the %PIX-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message. Configure the same value in both peers in order to fix it.
The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point), but, with shorter lifetimes, the security appliance sets up future IPsec SAs more quickly.
A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime, from the policy of the remote peer, is used. If no acceptable match is found, IKE refuses negotiation, and the IKE SA is not established.
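The matching rule quoted in the reply above, written out in code as an added example (not part of the reply or of any Cisco tool): the responder walks its own ISAKMP policies in priority order, accepts the first initiator proposal whose encryption, hash, authentication and DH group are equal and whose lifetime is less than or equal to its own, and uses the shorter lifetime. Applied literally, the rule makes a lifetime mismatch direction-dependent, which is why the same value has to be set on both peers. The policy values and the names `CENTRAL`, `REMOTE_BAD` and `REMOTE_FIXED` are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy <priority>' entry; lifetime in seconds (ASA default 86400)."""
    priority: int
    encryption: str       # e.g. "aes-256", "3des"
    hash: str             # "sha" or "md5"
    authentication: str   # "pre-share" or "rsa-sig"
    group: int            # Diffie-Hellman group
    lifetime: int = 86400


def _same_attributes(a, b):
    return (a.encryption, a.hash, a.authentication, a.group) == \
           (b.encryption, b.hash, b.authentication, b.group)


def negotiate_phase1(responder_policies, initiator_policies):
    """Responder-side match per the quoted rule: walk our policies in priority order,
    accept the first initiator proposal with equal attributes and lifetime <= ours,
    and use the shorter lifetime. Returns (responder policy, negotiated lifetime) or
    None when IKE refuses negotiation."""
    for mine in sorted(responder_policies, key=lambda p: p.priority):
        for theirs in sorted(initiator_policies, key=lambda p: p.priority):
            if _same_attributes(mine, theirs) and theirs.lifetime <= mine.lifetime:
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


def check_both_directions(site_a, site_b):
    """Either end may initiate (after a clear or an expiry), so the match must work both ways."""
    return {
        "a_initiates": negotiate_phase1(site_b, site_a),
        "b_initiates": negotiate_phase1(site_a, site_b),
    }


# Constructed policies: identical ciphers on both ends, mismatched ISAKMP lifetimes.
CENTRAL = [IkePolicy(10, "aes-256", "sha", "pre-share", 2, lifetime=86400)]
REMOTE_BAD = [IkePolicy(10, "aes-256", "sha", "pre-share", 2, lifetime=3600)]
REMOTE_FIXED = [IkePolicy(10, "aes-256", "sha", "pre-share", 2, lifetime=86400)]

if __name__ == "__main__":
    for name, remote in (("mismatched", REMOTE_BAD), ("fixed", REMOTE_FIXED)):
        print(name, check_both_directions(CENTRAL, remote))
```

With the mismatched pair, only the remote site (the one with the 3600 s lifetime) can initiate successfully; when the central site initiates, its 86400 s proposal exceeds the remote's lifetime and is refused. With equal lifetimes both directions negotiate.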
I'm having almost the same problem, but to a Checkpoint and not an ASA. Both devices say the tunnel is up, but no traffic seems to get to the requested destination, and yes, a constant ping from one side appears to keep the tunnel going. Any ideas would be great. Also, sh isakmp sa and sh ipsec sa seem to match what the Checkpoint knows and expects for the tunnel.