Cisco Support Community
New Member

VPN Between Cisco ASA 5510 and PIX 515

Hi,

I have VPN between Cisco ASA and Cisco PIX.

I have seen in my syslog server this error which appears once a day more or less:

Received encrypted packet with no matching SA, dropping

I've seen this issue in other posts, but none of them had the solution.

These are my configuration files of the firewalls:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map2 2 match address WAN_cryptomap_1
crypto map WAN_map2 2 set pfs
crypto map WAN_map2 2 set peer 62.80.XX.XX
crypto map WAN_map2 2 set transform-set ESP-DES-MD5
crypto map WAN_map2 2 set security-association lifetime seconds 2700
crypto map WAN_map2 2 set nat-t-disable
crypto map WAN_map2 interface WAN
crypto isakmp enable LAN
crypto isakmp enable WAN
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
no crypto isakmp nat-traversal
tunnel-group 62.80.XX.XX type ipsec-l2l
tunnel-group 62.80.XX.XX ipsec-attributes
pre-shared-key *

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PIX Version 8.0(4)
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 match address VPN_cryptomap_2
crypto map VPN_map2 3 set pfs
crypto map VPN_map2 3 set peer 194.30.XX.XX
crypto map VPN_map2 3 set transform-set ESP-DES-MD5
crypto map VPN_map2 3 set security-association lifetime seconds 2700
crypto map VPN_map2 3 set security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 set nat-t-disable
crypto map VPN_map2 interface VPN
crypto isakmp enable VPN
crypto isakmp enable inside
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp am-disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
tunnel-group 194.30.XX.XX type ipsec-l2l
tunnel-group 194.30.XX.XX ipsec-attributes
pre-shared-key *

If you need more detailed information, ask me.

Thanks in advance for your help.

Javi

29 REPLIES
Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi,

Please enable "debug crypto isa 127" and "debug crypto ipsec 127" on both the ASA and the PIX and post it here.

Thanks and Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hello,

I've attached the ASA and Cisco logs.

The IP of the VPN interface on the Cisco PIX is 62.80.XX.XX and the interface IP of the Cisco ASA is 194.30.XX.XX. There are some IPs that I've changed to XX.XX.XX.XX because they belong to other VPNs.

Inside network of Cisco PIX is 10.240.208.0/255.255.252.0

Inside network of Cisco ASA is 10.10.30.0/255.255.255.0

If you need more information ask me.

Thanks for your help.

Javi

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hello,

Have the logs been useful?

Thanks

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

Apologies for the late response. In the debugs I do not see any errors, only DPDs exchanged periodically. What exactly is the problem? Does the tunnel go down or stop passing traffic? How often do you see the message "Received encrypted packet with no matching SA, dropping"?

Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

Firstly, thanks for your help.

The VPN hasn't gone down yet.

I've had the same problem with a VPN between a Cisco ASA and a Stonegate firewall. This error appeared for weeks and then suddenly the VPN went down, and I had to reload the Cisco ASA to bring the VPN up. I haven't been able to resolve this issue yet.

I would like to know if the issue between the Cisco ASA and the Cisco PIX is the same as this one.

This error "Received encrypted packet with no matching SA, dropping" appears once or twice a day. I think the best option to resolve this issue is to send logs from the Cisco ASA and Cisco PIX at debug level to my log server for a day. When I have these logs I'll try to find the time the error appeared in the log and then I'll paste the related logs here.

Do you think that is a good idea?

Regards,

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

That sounds good!! Let me know how it goes!

Cheers,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hello Prapanch,

I hope these logs are useful.

Thanks again!!

Javi

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hello Prapanch,

Have you seen the logs I attached in the last post?

Thanks

Javi

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

Apologies. Somehow I missed that post. Anyway, I saw the logs from the PIX. I see this message in it:

Nov  3 10:26:51 10.240.210.3 %PIX-5-713050: Group = 194.30.79.67, IP = 194.30.79.67, Connection terminated for peer 194.30.79.67.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.10.30.0, Local Proxy 10.240.208.0

This means there is some idle timeout set up on the PIX. Under the group-policy, do you have the idle timeout set up? Please post the output of "show run all tunnel-group".

Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

Here you have the result of the command (show run all tunnel-group).

Thanks for all!

Javi

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

Please post the output of "show run all group-policy DfltGrpPolicy". See if you have the command "vpn-idle-timeout" configured in that. If so, please change it to "vpn-idle-timeout none" and see if that stops those error messages from popping up.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1571426

Thanks and Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

I had that command configured (vpn-idle-timeout 30). I've changed it to "vpn-idle-timeout none" in both firewalls. I've attached the result of the command that you posted (show run all group-policy DfltGrpPolicy) after making the changes, in case there is another command configured that I have to change. If you find something incorrect, please post it.

Maybe the issue I had with the VPN between Stonegate and Cisco is the same issue and I can resolve it with the "vpn-idle-timeout none" command.

Thank you very much Prapanch!!!

In two days I'll post the results.

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

How is it working now? If resolved, please mark this post as answered.

Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

I'll be out of office until Monday. I'll post the results next Monday.

Best Regards,

Javi

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

The error between Cisco Pix and Cisco ASA has disappeared!!!

I've seen that the SA dropping error persists between the Cisco PIX and the Stonegate firewall. If I attach the debug logs from the Cisco PIX, could you help me find the problem?

Thank you very much for all!!

Javi

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

Absolutely.

Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

Thanks for your great help to solve the issue!!!

I've captured these logs when the SA dropping error appeared.

Regards,

Javi

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

I went through the logs and it looks like a Phase 2 rekey is happening when you receive those messages. Try increasing the phase 2 lifetime to something higher (currently it is around 2300 seconds).

Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

Phase 2 is configured with 45 minutes and 4608000 KB.

If you look at the logs I've attached, the error (Received encrypted packet with no matching SA, dropping) doesn't appear every 45 minutes.

Do you think that if I change the phase 2 lifetime and configure higher values, the issue will be resolved?

What values are recommended?

Thanks!!

Javi

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

Let's try increasing it and see if it helps. Maybe to 3 hours or so?

Cheers,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

I've already increased it to 3 hours.

Tomorrow I'll post the results.

Thanks again!!

Javi

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hello Prapanch,

The issue persists.

These are the last logs when the error happened.

Thanks!!!

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

How often do you see it now? Any change after changing the lifetime values? These are normal messages that come up during a rekey. They should not cause any communication issues.

Regards,

Prapanch

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Prapanch,

After changing the SA lifetime, the number of errors is the same (from 8 to 11 times a day).

Regards,

Javi

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Looking at the logs, it seems to be coinciding with a rekey which we can confirm only using debugs. If it is not causing any connectivity issues, there is nothing to worry about.

Cheers,

Prapanch
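Added example, not from the thread or from Cisco: a small Python triage script run over constructed sample lines in the PIX syslog format quoted earlier in the thread. It tags each "no matching SA" drop as following an "IPSec SA Idle Timeout" tear-down (the cause found above, fixed with "vpn-idle-timeout none") or as landing on a multiple of the configured 2700-second phase 2 lifetime (the rekey coincidence described in the last reply), and leaves anything else as unexplained for a debug capture. The message ID on the drop lines is a placeholder, not a real Cisco message number.

```python
import re
from datetime import datetime

# Constructed sample lines in the PIX syslog format shown in the thread. The
# idle-timeout line is the thread's own message type (%PIX-5-713050); the drop
# lines reuse the thread's message text with a placeholder ID (%PIX-4-NNNNNN).
SAMPLE_LOG = """\
Nov  3 10:26:51 10.240.210.3 %PIX-5-713050: Group = 194.30.XX.XX, IP = 194.30.XX.XX, Connection terminated for peer 194.30.XX.XX.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.10.30.0, Local Proxy 10.240.208.0
Nov  3 10:26:53 10.240.210.3 %PIX-4-NNNNNN: Group = 194.30.XX.XX, IP = 194.30.XX.XX, Received encrypted packet with no matching SA, dropping
Nov  3 11:11:53 10.240.210.3 %PIX-4-NNNNNN: Group = 194.30.XX.XX, IP = 194.30.XX.XX, Received encrypted packet with no matching SA, dropping
Nov  3 14:02:10 10.240.210.3 %PIX-4-NNNNNN: Group = 194.30.XX.XX, IP = 194.30.XX.XX, Received encrypted packet with no matching SA, dropping
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")


def parse_events(log_text):
    """Yield (timestamp, kind) for the two message types this triage cares about."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        # Syslog carries no year; strptime defaults to 1900, fine for deltas.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        if "Reason: IPSec SA Idle Timeout" in line:
            yield ts, "idle_timeout"
        elif "Received encrypted packet with no matching SA" in line:
            yield ts, "drop"


def classify_drops(log_text, lifetime_s=2700, window_s=60):
    """Label each drop: 'idle-timeout' if an SA idle tear-down preceded it within
    window_s, 'rekey-interval' if the gap since the previous drop is a multiple of
    the phase 2 lifetime (+/- window_s), else 'unexplained' (needs debugs)."""
    last_teardown, last_drop, result = None, None, []
    for ts, kind in sorted(parse_events(log_text)):
        if kind == "idle_timeout":
            last_teardown = ts
            continue
        if last_teardown and (ts - last_teardown).total_seconds() <= window_s:
            label = "idle-timeout"
        elif last_drop is not None:
            off = (ts - last_drop).total_seconds() % lifetime_s
            label = "rekey-interval" if min(off, lifetime_s - off) <= window_s else "unexplained"
        else:
            label = "unexplained"
        result.append((ts.strftime("%b %d %H:%M:%S"), label))
        last_drop = ts
    return result


if __name__ == "__main__":
    for when, label in classify_drops(SAMPLE_LOG):
        print(when, label)
```

On the sample the first drop follows the idle tear-down by two seconds, the second lands exactly one 2700-second lifetime later, and the third fits neither pattern.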

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi,

6 months ago I posted this issue:

https://supportforums.cisco.com/thread/2018053?tstart=0

I don't know if this issue will appear again with the new configuration (vpn idle timeout none); maybe it resolves this issue too.

Regards,

Javi

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Is the other one still occurring?

New Member

Re: VPN Between Cisco ASA 5510 and PIX 515

I've replaced the ASA firewall with a Fortinet firewall because it was installed in China, and when this issue happened I was sleeping, so they couldn't connect to HQ and nobody could help them.

Now I've installed this ASA in my network testing lab, with a VPN to Stonegate. I am monitoring this VPN. In this firewall I changed the vpn idle timeout parameter too. Maybe with this change the issue has been solved indirectly.

So I think it's better that I close this post, and if the issue persists and if you want, I can send you a message.

Thanks for your priceless help!!!

Cisco Employee

Re: VPN Between Cisco ASA 5510 and PIX 515

Hi Javi,

Sure. Rather than a message, just open up a thread so that others can take a look at it in case they face similar issues.

Cheers,

Prapanch
