
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

Hi all.

We have the following IPSec configuration:

ASA Site 1:

*************

Cisco Adaptive Security Appliance Software Version 9.1(1)

crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256

access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0

crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE

route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255

tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

ASA Site 2:

*************

Cisco Adaptive Security Appliance Software Version 9.1(4)

access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0

crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE


tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

We are not able to reach 172.27.99.x IPs from 172.22.20.x.

It seems that the phase 2 for this subnet is missing... as long as we try to reach any IP in 172.22.20.x from 172.27.99.x.

We are using a similar configuration on many sites and it works correctly except on sites with a DSL line.

We can exclude a problem with NAT, ACL or routing. The connection works fine as long as "we open all phase 2 manually". After re-opening the tunnel (idle timeout) the problem comes back.

Thanks in advance for your help.

Regards.

Jan

ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2

Session Type: LAN-to-LAN Detailed

Connection   : IP ASA Site 2

Index        : 3058                   IP Addr      : IP ASA Site 2
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
Bytes Tx     : 423634                 Bytes Rx     : 450526
Login Time   : 19:59:35 HKT Tue Apr 29 2014
Duration     : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3

IKEv2:
  Tunnel ID    : 3058.1
  UDP Src Port : 500                    UDP Dst Port : 500
  Rem Auth Mode: preSharedKeys
  Loc Auth Mode: preSharedKeys
  Encryption   : AES256                 Hashing      : SHA512
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
  PRF          : SHA512                 D/H Group    : 5
  Filter Name  :
  IPv6 Filter  :

IPsec:
  Tunnel ID    : 3058.2
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
  Bytes Tx     : 312546                 Bytes Rx     : 361444
  Pkts Tx      : 3745                   Pkts Rx      : 3785

IPsec:
  Tunnel ID    : 3058.3
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
  Bytes Tx     : 50014                  Bytes Rx     : 44621
  Pkts Tx      : 496                    Pkts Rx      : 503

IPsec:
  Tunnel ID    : 3058.4
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
  Bytes Tx     : 61074                  Bytes Rx     : 44461
  Pkts Tx      : 402                    Pkts Rx      : 437

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

... after a ping from 172.27.99.x to any IP in 172.22.20.x.

ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2

Session Type: LAN-to-LAN Detailed

Connection   : IP ASA Site 2
Index        : 3058                   IP Addr      : IP ASA Site 2

Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
Bytes Tx     : 784455                 Bytes Rx     : 1808965
Login Time   : 19:59:35 HKT Tue Apr 29 2014
Duration     : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4

IKEv2:
  Tunnel ID    : 3058.1
  UDP Src Port : 500                    UDP Dst Port : 500
  Rem Auth Mode: preSharedKeys
  Loc Auth Mode: preSharedKeys
  Encryption   : AES256                 Hashing      : SHA512
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
  PRF          : SHA512                 D/H Group    : 5
  Filter Name  :
  IPv6 Filter  :

IPsec:
  Tunnel ID    : 3058.2
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
  Bytes Tx     : 652492                 Bytes Rx     : 1705136
  Pkts Tx      : 7419                   Pkts Rx      : 7611

IPsec:
  Tunnel ID    : 3058.3
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
  Bytes Tx     : 60128                  Bytes Rx     : 52359
  Pkts Tx      : 587                    Pkts Rx      : 594

IPsec:
  Tunnel ID    : 3058.4
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
  Bytes Tx     : 70949                  Bytes Rx     : 50684
  Pkts Tx      : 475                    Pkts Rx      : 514

IPsec:
  Tunnel ID    : 3058.5
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
  Bytes Tx     : 961                    Bytes Rx     : 871
  Pkts Tx      : 17                     Pkts Rx      : 14

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
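The two session captures above differ in exactly one entry: the IPsec SA for 172.22.0.0/16 <-> 172.27.99.0/24 (tunnel 3058.5) only exists after traffic matching that ACE has been sent, because the ASA negotiates one phase 2 (child) SA per crypto ACL entry and tears each one down again when its idle timeout expires. A quick way to see which proxy-ID pairs currently have no phase 2 SA is to diff the crypto ACL against the `show vpn-sessiondb detail l2l` output. The Python script below is an added example for this thread, not code from the post or from Cisco; it embeds the SITE_2 ACL and a trimmed copy of the first capture from the post, and the function and variable names are the example's own.

```python
import ipaddress
import re

# Crypto ACL of ASA Site 1, copied from the post above.
CRYPTO_ACL = """\
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
"""

# Trimmed "show vpn-sessiondb detail l2l" output, taken from the first capture
# in the post (only the lines this script needs are kept).
SESSION_OUTPUT = """\
IPsec Tunnels: 3

IPsec:
  Tunnel ID    : 3058.2
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0

IPsec:
  Tunnel ID    : 3058.3
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0

IPsec:
  Tunnel ID    : 3058.4
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
"""

# "access-list NAME extended permit ip SRC SRCMASK DST DSTMASK"
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)$"
)
# "  Local Addr   : 172.22.0.0/255.255.0.0/0/0"  (addr/mask/protocol/port)
ADDR_RE = re.compile(r"^\s*(Local|Remote) Addr\s*:\s*([\d.]+)/([\d.]+)/\d+/\d+\s*$")
TUNNEL_RE = re.compile(r"^\s*Tunnel ID\s*:\s*(\S+)\s*$")


def parse_crypto_acl(text):
    """Return one (acl_name, local_net, remote_net) tuple per 'permit ip' ACE.

    Each ACE is a distinct proxy-ID pair and the ASA negotiates a separate
    IPsec SA for each pair, so this list is the set of SAs we expect to see.
    """
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # remarks, host/object entries etc. are not handled here
        name, src, smask, dst, dmask = m.groups()
        aces.append((name,
                     ipaddress.ip_network(f"{src}/{smask}"),
                     ipaddress.ip_network(f"{dst}/{dmask}")))
    return aces


def parse_ipsec_sas(text):
    """Return {(local_net, remote_net): tunnel_id} for every IPsec SA listed."""
    sas = {}
    tunnel_id = local = None
    for line in text.splitlines():
        t = TUNNEL_RE.match(line)
        if t:  # a new tunnel block starts; forget any half-read address pair
            tunnel_id, local = t.group(1), None
            continue
        m = ADDR_RE.match(line)
        if not m:
            continue
        side, addr, mask = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if side == "Local":
            local = net
        elif local is not None:
            sas[(local, net)] = tunnel_id
            local = None
    return sas


def missing_phase2(acl_text, session_text):
    """ACEs of the crypto ACL that have no IPsec SA (exact selector match)."""
    active = parse_ipsec_sas(session_text)
    return [(name, l, r) for name, l, r in parse_crypto_acl(acl_text)
            if (l, r) not in active]


if __name__ == "__main__":
    for name, local, remote in missing_phase2(CRYPTO_ACL, SESSION_OUTPUT):
        print(f"{name}: no phase 2 SA for {local} <-> {remote}")
```

Run against the post's own first capture it reports two pairs: 172.28.60.0/23 <-> 172.27.97.0/24, which has no SA in either capture, and 172.22.0.0/16 <-> 172.27.99.0/24, which only appears in the second capture after the ping. The comparison is an exact match on the negotiated selectors, so an SA whose traffic selectors were narrowed by the peer during IKEv2 negotiation would also be reported as missing, which is usually worth knowing anyway.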
