Cisco ASA VPN duplicate entry

mike.f — Tue, 12 Mar 2019 03:57:06 GMT

I am required to setup a L2L vpn tunnel on our ASA firewall to a 3^rd Party that we need to access for administration (they won’t setup a remote access one), this needs to be accessible by engineers in the field so I have setup a remote access VPN for our engineers to connect to our firewall these then have access (hairpinning) over the L2L VPN to the 3^rd Party.

The firewalls are ASA’s at both ends (I’ve no access to the 3^rd parties ASA) ours is running 9.1(4).

The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional it is only ever initiated from our end.

The engineers remote access VPN’s connect without problem.

However there is a strange issue with the L2L VPN which I can’t find the cause of.

The first time the L2L VPN is accessed (after an ASA reboot or it’s left for a day or so) all is well, (a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up and they can access the remote equipment no problem).

However when the remote access user disconnects and the L2L tunnel is left unused it drops after approx 30 mins, if a user then tries to connect again soon after it won’t bring the L2L tunnel up.

(I thought it might be a bug but I’ve tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions).

A debug of what happens when a remote access VPN user tries to bring the L2L VPN up and it fails is below……

ASA# debug crypto ike-common 255

ASA# debug crypto ipsec 255

ASA# debug crypto ikev2 prot 255

ASA# debug crypto ikev2 plat 255

ASA# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873

IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.

IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.

IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.

Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873

IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.

IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.

IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.

Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873

IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.

IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.

IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.

Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

The VPN settings for the L2L VPN and Remote access VPN from our ASA are shown below….

Site to Site tunnel VPN settings….

same-security-traffic permit intra-interface

object network Remote-ASA

host 217.x.x.x

object network RA-VPN-local

subnet 10.10.222.0 255.255.255.0

object network Remote-servers

subnet 10.200.222.0 255.255.255.0

access-list Security-ACL extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

access-list Security-ACL extended permit ip 10.200.222.0 255.255.255.0 10.10.222.0 255.255.255.0

access-list Interesting-traffic extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1

crypto map map002 3 match address Interesting-traffic

crypto map map002 3 set peer Remote-ASA

crypto map map002 3 set ikev2 ipsec-proposal AES256

crypto map map002 interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 28800

crypto ikev2 enable outside

group-policy L2L-policy internal

group-policy L2L-policy attributes

vpn-filter value Security-ACL

vpn-tunnel-protocol ikev2

tunnel-group 217.x.x.x type ipsec-l2l

tunnel-group 217.x.x.x general-attributes

default-group-policy L2L-policy

tunnel-group 217.x.x.x ipsec-attributes

isakmp keepalive threshold infinite

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

Remote access VPN settings….

ip local pool pool-4 10.10.222.1-10.10.222.100 mask 255.255.255.0

access-list Split_Tunnel standard permit 10.200.222.0 255.255.255.0

crypto ipsec ikev1 transform-set anno3DESSHA esp-3des esp-sha-hmac

crypto dynamic-map anno 10 set pfs group1

crypto dynamic-map anno 10 set ikev1 transform-set anno3DESSHA

crypto dynamic-map anno 10 set security-association lifetime seconds 3600

crypto dynamic-map anno 10 set security-association lifetime kilobytes 4608000

crypto map map002 70 ipsec-isakmp dynamic anno

crypto map map002 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

group-policy RA-VPN-Group internal

group-policy RA-VPN-Group attributes

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel

tunnel-group RA-VPN-Tunnel type remote-access

tunnel-group RA-VPN-Tunnel general-attributes

address-pool pool-4

authentication-server-group RAD LOCAL

default-group-policy RA-VPN-Group

tunnel-group RA-VPN-Tunnel ipsec-attributes

ikev1 pre-shared-key *****

Can anyone give me some clues?

If it helps anyone the fix

mike.f — Wed, 19 Mar 2014 10:37:18 GMT

If it helps anyone the fix for this was to add the command.... crypto isakmp disconnect-notify at both ends.

I had the same issue and this

rolig0507 — Tue, 07 Apr 2015 02:09:51 GMT

I had the same issue and this fixed it for me. thanks Mike.

topic I had the same issue and this in Network Security

Cisco ASA VPN duplicate entry

If it helps anyone the fix

I had the same issue and this