03-16-2014 03:30 AM - edited 03-11-2019 08:57 PM
I am required to set up an L2L VPN tunnel on our ASA firewall to a 3rd party that we need to access for administration (they won't set up a remote access one). This needs to be accessible by engineers in the field, so I have set up a remote access VPN for our engineers to connect to our firewall; these then have access (hairpinning) over the L2L VPN to the 3rd party.
The firewalls are ASAs at both ends (I've no access to the 3rd party's ASA); ours is running 9.1(4).
The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional it is only ever initiated from our end.
The engineers remote access VPN’s connect without problem.
However there is a strange issue with the L2L VPN which I can’t find the cause of.
The first time the L2L VPN is accessed (after an ASA reboot, or after it's been left for a day or so) all is well: a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up and they can access the remote equipment no problem.
However, when the remote access user disconnects and the L2L tunnel is left unused, it drops after approx. 30 mins; if a user then tries to connect again soon after, it won't bring the L2L tunnel up.
(I thought it might be a bug but I’ve tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions).
A debug of what happens when a remote access VPN user tries to bring the L2L VPN up and it fails is below:
ASA# debug crypto ike-common 255
ASA# debug crypto ipsec 255
ASA# debug crypto ikev2 prot 255
ASA# debug crypto ikev2 plat 255
ASA# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
The VPN settings for the L2L VPN and remote access VPN from our ASA are shown below.
Site-to-site tunnel VPN settings:
same-security-traffic permit intra-interface
object network Remote-ASA
host 217.x.x.x
object network RA-VPN-local
subnet 10.10.222.0 255.255.255.0
object network Remote-servers
subnet 10.200.222.0 255.255.255.0
access-list Security-ACL extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0
access-list Security-ACL extended permit ip 10.200.222.0 255.255.255.0 10.10.222.0 255.255.255.0
access-list Interesting-traffic extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0
nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map map002 3 match address Interesting-traffic
crypto map map002 3 set peer Remote-ASA
crypto map map002 3 set ikev2 ipsec-proposal AES256
crypto map map002 interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
group-policy L2L-policy internal
group-policy L2L-policy attributes
vpn-filter value Security-ACL
vpn-tunnel-protocol ikev2
tunnel-group 217.x.x.x type ipsec-l2l
tunnel-group 217.x.x.x general-attributes
default-group-policy L2L-policy
tunnel-group 217.x.x.x ipsec-attributes
isakmp keepalive threshold infinite
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Remote access VPN settings:
ip local pool pool-4 10.10.222.1-10.10.222.100 mask 255.255.255.0
access-list Split_Tunnel standard permit 10.200.222.0 255.255.255.0
crypto ipsec ikev1 transform-set anno3DESSHA esp-3des esp-sha-hmac
crypto dynamic-map anno 10 set pfs group1
crypto dynamic-map anno 10 set ikev1 transform-set anno3DESSHA
crypto dynamic-map anno 10 set security-association lifetime seconds 3600
crypto dynamic-map anno 10 set security-association lifetime kilobytes 4608000
crypto map map002 70 ipsec-isakmp dynamic anno
crypto map map002 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy RA-VPN-Group internal
group-policy RA-VPN-Group attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
tunnel-group RA-VPN-Tunnel type remote-access
tunnel-group RA-VPN-Tunnel general-attributes
address-pool pool-4
authentication-server-group RAD LOCAL
default-group-policy RA-VPN-Group
tunnel-group RA-VPN-Tunnel ipsec-attributes
ikev1 pre-shared-key *****
Can anyone give me some clues?
03-19-2014 03:37 AM
If it helps anyone, the fix for this was to add the command crypto isakmp disconnect-notify at both ends.
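An added example, not part of this thread: a small Python checker (names are assumed; the debug sample is constructed from the lines quoted in the question above) that parses ASA crypto debug output, flags crypto-map matches that the Tunnel Manager rejects as a duplicate entry, and checks a saved config for the disconnect-notify command from the fix.

```python
import re

# Constructed sample modelled on the debug output quoted in the question above.
SAMPLE_DEBUG = """\
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
"""

TUPLE_RE = re.compile(r"5-tuple: Prot=(\d+), saddr=([\d.]+), sport=(\d+), daddr=([\d.]+), dport=(\d+)")
MATCH_RE = re.compile(r"Checking crypto map (\S+) (\d+): matched")
DUP_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \[IKE COMMON DEBUG\]Duplicate entry already in Tunnel Manager")


def find_stuck_initiations(debug_text):
    """One record per crypto-map match that the Tunnel Manager rejected as a duplicate."""
    stuck = []
    current = {}  # state of the 5-tuple currently being evaluated
    for line in debug_text.splitlines():
        m = TUPLE_RE.search(line)
        if m:  # a new flow is being checked against the crypto map
            current = {"src": m.group(2), "dst": m.group(4), "dport": int(m.group(5))}
            continue
        m = MATCH_RE.search(line)
        if m:  # the flow matched an entry, so a tunnel should be initiated
            current["crypto_map"] = f"{m.group(1)} {m.group(2)}"
            continue
        m = DUP_RE.search(line)
        if m and current.get("crypto_map"):  # initiation refused: stale entry still present
            stuck.append({**current, "time": m.group(1)})
            current = {}
    return stuck


def summarise(stuck):
    """Count rejected initiations per (crypto map entry, destination host)."""
    counts = {}
    for rec in stuck:
        key = (rec["crypto_map"], rec["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def has_disconnect_notify(config_text):
    """True if the config contains the command the thread reports as the fix."""
    return any(l.strip() == "crypto isakmp disconnect-notify" for l in config_text.splitlines())
```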
04-06-2015 07:09 PM
I had the same issue and this fixed it for me. Thanks Mike.