07-07-2010 11:28 AM
authentication retries but never reconnects. I have to reboot the appliance to bring the tunnel back up.
Found the following in syslogs:
2010-07-07 13:28:34 Local4.Notice 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
07-07-2010 11:41 AM
David,
First of all can you share ASA versions and config? Is this a L2L tunnel (looks like it)?
Possibly related to IKE keepalives? If it was anything graceful there would be a different delete reason. Is the reason always the same?
Maybe you could try removing isakmp keepalives and see if the tunnel stays up?
Marcin
07-07-2010 11:46 AM
They are both running 8.3(1)4 and yes, it is a L2L tunnel. I will disable keepalives as well.
07-07-2010 11:51 AM
David,
This is, of course, a test only, to see if the drop is related to keepalives or to some real connectivity issue the keepalives are detecting.
In normal scenario you would want to have isakmp keepalives enabled on both sides.
Is there any chance any of the sides has idle timeout or anything of that sort configured?
-------
show run crypto
show run tunnel-g
show run group-po
--------
taken on both sides would help.
And after "lost service" is reported:
--------
show crypto isa sa
show crypto ipsec sa
--------
also from both sides.
We want to check the config and state of negotiation after tunnel drops.
Marcin
07-07-2010 12:07 PM
Far End:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy toCorporateGrpPolicy
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
group-policy toCorporateGrpPolicy internal
group-policy toCorporateGrpPolicy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
sh crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
sho crypto ipsec sa
There are no ipsec sas
Near End:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy toDRGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
group-policy toDRGrpPolicy internal
group-policy toDRGrpPolicy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
sh crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
sh crypto ipsec sa
There are no ipsec sas
07-07-2010 12:12 PM
David,
This has connectivity problem written all over it.
Far end:
1 IKE Peer: 2.2.2.2
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
We received main mode message 1, sent main mode message 2, and we're waiting for main mode message 3 from the other side.
Near end:
1 IKE Peer: 1.1.1.1
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
We've sent main mode message 1, and we're waiting for message 2.
If the two outputs were taken at the same time, there's something blocking IKE, i.e. something is blocking the udp/500 message from far end to near end. Near to far appears to be fine.
Marcin
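An added example, not code from this thread, that automates the reasoning in the post above. It parses the two `show crypto isakmp sa` snapshots reproduced from the thread (far end as responder in MM_WAIT_MSG3, near end as initiator in MM_WAIT_MSG2) and reports which direction of udp/500 traffic went missing, and it pulls the teardown reason out of the syslog lines from the opening post. The main-mode ordering it relies on is standard IKEv1 (odd messages go initiator to responder, even messages responder to initiator; a peer in MM_WAIT_MSGn has sent message n-1 and is waiting for n). Assumptions: the far/near mapping of 1.1.1.1 and 2.2.2.2 is inferred from the snapshots, and the set of reasons treated as connectivity loss (`Lost Service`, `Lost Carrier`) is mine, not a documented list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two `show crypto isakmp sa` snapshots and the
# two syslog lines are copied from the thread.
FAR_END_ISAKMP = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

NEAR_END_ISAKMP = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

SYSLOG_LINES = [
    "%ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, "
    "Session is being torn down. Reason: Lost Service",
    "%ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, "
    "IP = 74.126.85.149, Session disconnected. Session Type: IPsec, "
    "Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, "
    "Reason: Lost Service",
]


@dataclass
class IkeSa:
    peer: str
    role: str   # "initiator" or "responder"
    state: str  # e.g. MM_WAIT_MSG3, MM_ACTIVE


SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+).*?Role\s*:\s*(?P<role>\w+).*?State\s*:\s*(?P<state>\S+)",
    re.S,
)
MM_WAIT_RE = re.compile(r"MM_WAIT_MSG(\d)")


def parse_isakmp_sa(text: str) -> List[IkeSa]:
    """Extract peer, role and state from each entry of `show crypto isakmp sa`."""
    return [IkeSa(m["peer"], m["role"], m["state"]) for m in SA_RE.finditer(text)]


def waiting_for(sa: Optional[IkeSa]) -> Optional[int]:
    """Main-mode message number the peer is blocked on, or None if not in MM_WAIT_*."""
    if sa is None:
        return None
    m = MM_WAIT_RE.fullmatch(sa.state)
    return int(m.group(1)) if m else None


def lost_direction(initiator: Optional[IkeSa],
                   responder: Optional[IkeSa]) -> Optional[Tuple[str, str, str]]:
    """Return (sender_role, receiver_role, detail) for the message that was sent
    but never received, or None when the two snapshots allow no inference.
    Odd MM messages travel initiator->responder, even ones responder->initiator;
    MM_WAIT_MSGn means message n-1 was sent and n is awaited."""
    i, r = waiting_for(initiator), waiting_for(responder)
    if i == 2 and responder is None:          # responder never even saw MM1
        return ("initiator", "responder", "MM1 sent by initiator, never received")
    if i is None or r is None:
        return None
    if r == i + 1:                            # responder sent MMi, initiator lacks it
        return ("responder", "initiator", f"MM{i} sent by responder, never received")
    if i == r + 1:                            # initiator sent MMr, responder lacks it
        return ("initiator", "responder", f"MM{r} sent by initiator, never received")
    return None                               # inconsistent snapshots or mid-rekey


def diagnose(far_text: str, near_text: str) -> Dict[str, Optional[str]]:
    """Map the role-based verdict back onto the 'far' and 'near' boxes."""
    sas = {"far": parse_isakmp_sa(far_text), "near": parse_isakmp_sa(near_text)}
    role_side = {sa.role: side for side, entries in sas.items() for sa in entries}
    role_sa = {sa.role: sa for entries in sas.values() for sa in entries}
    empty = [side for side, entries in sas.items() if not entries]
    if len(empty) == 1 and len(role_side) == 1:   # one box has no SA at all
        other = ({"initiator", "responder"} - set(role_side)).pop()
        role_side[other] = empty[0]
    verdict = lost_direction(role_sa.get("initiator"), role_sa.get("responder"))
    if verdict is None:
        return {"lost": None, "detail": "undetermined from these snapshots"}
    src, dst, detail = verdict
    return {"lost": f"{role_side[src]}->{role_side[dst]}", "detail": detail}


REASON_RE = re.compile(r"Reason:\s*(.+?)\s*$")
# Assumption: these are the reasons the ASA logs when keepalives/DPD declare the
# peer dead, as opposed to a deliberate teardown by either side.
CONNECTIVITY_REASONS = {"Lost Service", "Lost Carrier"}


def teardown_reasons(lines: List[str]) -> List[str]:
    """Teardown reason strings from %ASA-vpn-5-713259 / %ASA-auth-4-113019 lines."""
    found = [REASON_RE.search(line) for line in lines]
    return [m.group(1) for m in found if m]


def is_connectivity_loss(reason: str) -> bool:
    return reason in CONNECTIVITY_REASONS


if __name__ == "__main__":
    print(diagnose(FAR_END_ISAKMP, NEAR_END_ISAKMP))
    print([(r, is_connectivity_loss(r)) for r in teardown_reasons(SYSLOG_LINES)])
```

Run against the thread's snapshots it reports `far->near` with MM2 as the dropped message, which is the conclusion the post reaches by hand; swap the near end's state to MM_WAIT_MSG4 and it flips to `near->far`, since the initiator's MM3 would then be the lost message. The syslog check only confirms that the teardown was a keepalive verdict rather than a graceful delete, which is why disabling keepalives was proposed as a test and not as a fix.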
07-07-2010 12:57 PM
I think we were saturating our internet connection. We have a 50/20M FiOS connection and we are transmitting 20Mbps.
07-07-2010 01:34 PM
David,
That indeed could be the reason.
Any chance you can apply some sort of shaping? (If worst comes to worst, the ASA can do it quite decently, but only in the outbound direction AFAIR.)
Marcin
07-07-2010 01:42 PM
Investigating that now. Thanks for your help.