
VPN Between Cisco ASA 5510 and PIX 515

Javi Benito
Level 1

Hi,

I have a VPN between a Cisco ASA and a Cisco PIX.

I have seen in my syslog server this error, which appears more or less once a day:

Received encrypted packet with no matching SA, dropping

I've seen this issue in another post, but in none of them the solution.

These are my configuration files of the firewalls:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map2 2 match address WAN_cryptomap_1
crypto map WAN_map2 2 set pfs
crypto map WAN_map2 2 set peer 62.80.XX.XX
crypto map WAN_map2 2 set transform-set ESP-DES-MD5
crypto map WAN_map2 2 set security-association lifetime seconds 2700
crypto map WAN_map2 2 set nat-t-disable
crypto map WAN_map2 interface WAN
crypto isakmp enable LAN
crypto isakmp enable WAN
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
no crypto isakmp nat-traversal
tunnel-group 62.80.XX.XX type ipsec-l2l
tunnel-group 62.80.XX.XX ipsec-attributes
pre-shared-key *

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PIX Version 8.0(4)
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 match address VPN_cryptomap_2
crypto map VPN_map2 3 set pfs
crypto map VPN_map2 3 set peer 194.30.XX.XX
crypto map VPN_map2 3 set transform-set ESP-DES-MD5
crypto map VPN_map2 3 set security-association lifetime seconds 2700
crypto map VPN_map2 3 set security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 set nat-t-disable
crypto map VPN_map2 interface VPN
crypto isakmp enable VPN
crypto isakmp enable inside
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp am-disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
tunnel-group 194.30.XX.XX type ipsec-l2l
tunnel-group 194.30.XX.XX ipsec-attributes
pre-shared-key *

If you need more detailed information, ask me.

Thanks in advance for your help.

Javi

3 Accepted Solutions


Looking at the logs, it seems to be coinciding with a rekey which we can confirm only using debugs. If it is not causing any connectivity issues, there is nothing to worry about.

Cheers,

Prapanch


Hi Javi,

Sure. Rather than a message, just open up a thread so that others can take a look at it in case they face similar issues.

Cheers,

Prapanch


29 Replies

praprama
Cisco Employee

Hi,

Please enable "debug crypto isa 127" and "debug crypto ipsec 127" on both the ASA and the PIX and post it here.

Thanks and Regards,

Prapanch

Hello,

I've attached the ASA and Cisco logs.

The IP of the VPN interface on the Cisco PIX is 62.80.XX.XX and the interface IP of the Cisco ASA is 194.30.XX.XX. There are some IPs that I've changed to XX.XX.XX.XX because they belong to other VPNs.

Inside network of Cisco PIX is 10.240.208.0/255.255.252.0

Inside network of Cisco ASA is 10.10.30.0/255.255.255.0

If you need more information ask me.

Thanks for your help.

Javi

Hello,

Have the logs been useful?

Thanks

Hi Javi,

Apologies for the late response. In the debugs I do not see any errors, but only DPDs exchanged periodically. What exactly is the problem? Does the tunnel go down or stop passing traffic? How often do you see the message "Received encrypted packet with no matching SA, dropping"?

Regards,

Prapanch

Hi Prapanch,

Firstly, thanks for your help.

The VPN hasn't gone down yet.

I've had the same problems with a VPN between a Cisco ASA and a Stonegate firewall. This error appeared for weeks and suddenly the VPN went down, and I had to reload the Cisco ASA to bring the VPN up. I've not been able to resolve this issue yet.

I would like to know if the issue between the Cisco ASA and the Cisco PIX is the same as this one.

This error "Received encrypted packet with no matching SA, dropping" appears once or twice a day. I think that to resolve this issue, the best option is to send logs from the Cisco ASA and the Cisco PIX at debug level to my log server for a day. When I have these logs, I'll try to find in the log the time the error appeared and then I'll paste the related logs here.

Do you think that is a good idea?

Regards,

Hi Javi,

That sounds good!! Let me know how it goes!

Cheers,

Prapanch

Hello Prapanch,

I hope these logs are useful.

Thanks again!!

Javi

Hello Prapanch,

Have you seen the logs I attached in the last post?

Thanks

Javi

Hi Javi,

Apologies. Somehow I missed that post. Anyway, I saw the logs from the PIX. I see this message in it:

Nov  3 10:26:51 10.240.210.3 %PIX-5-713050: Group = 194.30.79.67, IP = 194.30.79.67, Connection terminated for peer 194.30.79.67.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.10.30.0, Local Proxy 10.240.208.0

This means there is some idle timeout set up on the PIX. Under the group-policy, do you have the idle timeout set up? Please post the output of "show run all tunnel-group".

Regards,

Prapanch
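As an added illustration (not part of the thread, and not Javi's or Prapanch's code), the script below correlates the "no matching SA" drops with %PIX-5-713050 SA terminations from plain syslog, so the idle-timeout/rekey coincidence Prapanch describes can be checked without turning on debugs. The sample log lines are constructed after the line quoted above; the ASA message number of the drop line (NNNNNN), the host addresses and the 30-second window are placeholders, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not from the thread). The first line is
# modelled on the %PIX-5-713050 message quoted above; NNNNNN stands in for the
# ASA message number of the drop line, which the page does not show.
SAMPLE_LOG = """\
Nov  3 10:26:51 10.240.210.3 %PIX-5-713050: Group = 194.30.XX.XX, IP = 194.30.XX.XX, Connection terminated for peer 194.30.XX.XX.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.10.30.0, Local Proxy 10.240.208.0
Nov  3 10:26:53 10.10.30.1 %ASA-4-NNNNNN: Received encrypted packet with no matching SA, dropping
Nov  3 15:41:07 10.10.30.1 %ASA-4-NNNNNN: Received encrypted packet with no matching SA, dropping
"""

# "Mon dd hh:mm:ss host rest-of-message" (BSD syslog, no year)
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
# Peer and reason out of a 713050 "Connection terminated" message
TERM_RE = re.compile(r"for peer (\S+)\.\s+Reason: (.*?)\s+Remote Proxy")
DROP_TEXT = "Received encrypted packet with no matching SA"


def parse(log):
    """Split a syslog excerpt into drop events and SA termination events."""
    drops, terms = [], []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, host, body = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")  # year-less, fine for deltas
        if DROP_TEXT in body:
            drops.append((ts, stamp, host))
        elif (t := TERM_RE.search(body)):
            terms.append((ts, t.group(1), t.group(2)))
    return drops, terms


def correlate(log, window=timedelta(seconds=30)):
    """For every drop, return (timestamp, reason of the nearest SA termination
    within the window, or None). A None means the drop did not line up with a
    logged teardown and is the case worth a debug."""
    drops, terms = parse(log)
    report = []
    for ts, stamp, _host in drops:
        near = [t for t in terms if abs(ts - t[0]) <= window]
        best = min(near, key=lambda t: abs(ts - t[0])) if near else None
        report.append((stamp, best[2] if best else None))
    return report


if __name__ == "__main__":
    for stamp, reason in correlate(SAMPLE_LOG):
        print(stamp, "->", reason or "no SA termination nearby")
```

A drop that lands within a few seconds of an "IPSec SA Idle Timeout" termination is the peer still sending ESP on an SA the other side has just torn down, which is what `vpn-idle-timeout none` removes.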

Hi Prapanch,

Here you have the result of the command (show run all tunnel-group).

Thanks for all!

Javi

Hi Javi,

Please post the output of "show run all group-policy DfltGrpPolicy". See if you have the command "vpn-idle-timeout" configured in that. If so, please change it to "vpn-idle-timeout none" and see if that stops those error messages from popping up.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1571426

Thanks and Regards,

Prapanch

Hi Prapanch,

I had that command configured (vpn-idle-timeout 30). I've changed it to "vpn-idle-timeout none" in both firewalls. I've attached the result of the command that you posted (show run all group-policy DfltGrpPolicy) after making the changes; however, there is another command configured that I have to change. If you find something incorrect, please post it.

Maybe the issue I had with the VPN between Stonegate and Cisco is the same issue, and I can resolve it with the "vpn-idle-timeout none" command.

Thank you very much, Prapanch!!!

In two days I'll post the results.

Hi Javi,

How is it working now? If resolved, please mark this post as answered.

Regards,

Prapanch

Hi Prapanch,

I'll be out of office until Monday. I'll post the results next Monday.

Best Regards,

Javi
