1415 Views | 0 Helpful | 10 Replies

VPN drop when Dynamic IP change

parkerTod
Level 1

Hi all,

I verified that, for the VPN implemented between a static IP address and a dynamic IP address, every time the GPRS router's IP address changes, the VPN does not come up.

I attach the configuration implemented on the ASA5505 on the dynamic side.

How can I fix it?

: Saved
: Written by enable_15 at 06:45:34.029 UTC Sat Dec 3 2011
!
ASA Version 8.2(1)
!
hostname ASA2
...
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.18.0.254 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
access-list l2l_list extended permit ip 172.18.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.18.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.18.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list PingDebug extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.19.0.50-172.19.0.59 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.18.0.0 255.255.0.0
access-group PingDebug in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer STATIC-IP-ADDRESS
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc webvpn
 address-pools value vpnpool
...
tunnel-group STATIC-IP-ADDRESS type ipsec-l2l
tunnel-group STATIC-IP-ADDRESS ipsec-attributes
 pre-shared-key ...
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
...
: end

Best Regards

10 Replies

andrew.prince
Level 10

Looks OK - what kind of keepalive have you configured on the LAN to bring the tunnel up?

Hi,

there is an ongoing TCP connection attempt to a server on the remote network 192.168.100.0, identified in the access list l2l_list.

Thanks for support.

Best regards

OK, can you post the specific crypto map entry for this site and the default tunnel-group config that allows VPNs from unknown IP addresses on the HUB device?

I hope I have properly understood your request:

attached is an extract from the VPN configuration on the static IP address side

...
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map abcmapdyn 4 set transform-set FirstSet
...
...
crypto map abcmap 5 ipsec-isakmp dynamic abcmapdyn
crypto map abcmap interface outside
crypto isakmp enable outside
...
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
...
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

Best regards

Yep - all good......so when the IP changes at the remote end, does the VPN tunnel never come up, or does it just take its time??

Well,

I tried it, and in one case the VPN remained down for 6h 40m.

The VPN is restored only after restarting the firewall on the dynamic side of the VPN. I think a restart is probably an exaggeration; simply clearing the VPN phases should be enough.

Best regards

It's more like the dynamic end gets a new IP address and continues to try and use it. The HUB end still has an "old" connection with the previous src IP. So really the dynamic end needs to clear the crypto isakmp/ipsec sa and start a new connection on receipt of a new IP.

When does the dynamic end typically get a new IP?

What IKE keepalive have you configured?

Hi,

using the command above:

show running-config tunnel-group DefaultL2LGroup

I obtain:

tunnel-group ipsec-attributes DefaultL2LGroup
 pre-shared-key *

The IP address can change in unpredictable ways; do you suggest setting this on both firewalls?

isakmp keepalive [threshold seconds] [retry seconds]

Thanks for support

Best regards

On the URL, the stipulation is that it MUST be set at both ends.
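As an added example (not configuration posted by the thread's author, and not taken from Cisco documentation), the following applies the IKE keepalive (dead peer detection) setting from the replies above at both ends, using the tunnel-group names and ASA 8.2 syntax already shown in the thread, together with the manual SA clearing that the "clear the crypto isakmp/ipsec sa" reply describes. The threshold and retry values are assumptions chosen for quick detection, not values from the page. Note that the spoke's outside interface is 192.168.0.253 behind the GPRS router, so the address the hub sees and keys its SAs on is the router's public address, which is exactly the address that changes. Without keepalives the hub holds the stale IKE/IPsec SAs for the old address until their lifetimes expire (the thread's IKE lifetime is 43200 s), which is consistent with the hours-long outage reported; with keepalives the hub probes the idle peer, tears down the SAs after the retries fail, and the fresh negotiation from the new address can establish cleanly.

```cisco
! --- Dynamic (spoke) ASA5505, ASA 8.2: keepalives towards the static hub ---
! threshold = idle seconds before the first keepalive, retry = seconds between retries
! (values are assumptions; the pre-shared-key line is the one already in the thread)
tunnel-group STATIC-IP-ADDRESS ipsec-attributes
 pre-shared-key ...
 isakmp keepalive threshold 10 retry 2

! --- Static (hub) ASA: keepalives on the default L2L group that accepts dynamic peers ---
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2

! --- Manual recovery while the stale SAs are still present ---
! On the hub, drop the IKE and IPsec SAs still bound to the previous source address
! (replace OLD-PEER-ADDRESS with the old public address; omit "peer ..." to clear all).
clear crypto ipsec sa peer OLD-PEER-ADDRESS
clear crypto isakmp sa

! --- Checks on either end ---
! confirm the keepalive line is present in the tunnel group
show running-config tunnel-group DefaultL2LGroup
! peer address and IKE state (an entry for the old address means stale SAs remain)
show crypto isakmp sa
! proxy identities and encaps/decaps counters for the 172.18.0.0/16 <-> 192.168.100.0/24 SA
show crypto ipsec sa
```

The keepalive must be present under the tunnel group at both ends, as the last reply states; configuring it only on the spoke leaves the hub unaware that the old address is dead. The transform set and IKE policy from the thread (3DES, MD5/SHA-1, DH group 2) are left unchanged here; they are legacy choices and should be moved to AES and SHA-2 with a stronger DH group where both ends support it.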