VPN connectivity lost after rekeying (I think)

jesper_petersen
Level 1

Hello

I have an L2L IPSEC tunnel between a failover pair of two ASA5510s and a single ASA5505. Over time they will lose connectivity through the tunnel. The tunnel itself stays up, but it cannot pass any traffic.

When looking at the tunnel I always see this on the 5510 pair (see IPSec Session ID 3 below):

advdns# sh vpn-sessiondb detail l2l filter ipaddress 93.160.2xx.1xx

Session Type: LAN-to-LAN Detailed

Connection   : 93.160.2xx.1xx
Index        : 14                     IP Addr      : K015-Peer
Protocol     : IPSecLAN2LAN           Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 430820527              Bytes Rx     : 9869311
Login Time   : 01:16:13 CEDT Mon Mar 28 2011
Duration     : 7h:46m:47s
Filter Name  : K015-L2L-filter

IKE Sessions: 1
IPSec Sessions: 2


IKE:
  Session ID   : 1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 58390 Seconds
  D/H Group    : 2

IPSec:
  Session ID   : 2
  Local Addr   : HOST_RDC001/255.255.255.255/0/0
  Remote Addr  : 192.168.15.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25270 Seconds
  Rekey Int (D): 413696 K-Bytes         Rekey Left(D): 413688 K-Bytes
  Bytes Tx     : 24387                  Bytes Rx     : 12754
  Pkts Tx      : 195                    Pkts Rx      : 195


IPSec:
  Session ID   : 3
  Local Addr   : 10.30.15.0/255.255.255.0/0/0
  Remote Addr  : 192.168.15.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25715 Seconds
  Rekey Int (D): 413696 K-Bytes         Rekey Left(D): 1 K-Bytes
  Bytes Tx     : 430796140              Bytes Rx     : 9856557
  Pkts Tx      : 385454                 Pkts Rx      : 207904

This is the result of the same command at the ASA5505 end of the tunnel:

Pff# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 83.136.xx.xxx
Index        : 1                      IP Addr      : 83.136.xx.xxx
Protocol     : IPSecLAN2LAN           Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 9869359                Bytes Rx     : 430815282
Login Time   : 14:00:28 UTC Sun Mar 27 2011
Duration     : 7h:47m:00s
Filter Name  :

IKE Sessions: 1
IPSec Sessions: 2


IKE:
  Session ID   : 1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 58381 Seconds
  D/H Group    : 2

IPSec:
  Session ID   : 2
  Local Addr   : 192.168.15.0/255.255.255.0/0/0
  Remote Addr  : 10.1.11.1/255.255.255.255/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25256 Seconds
  Rekey Int (D): 4275000 K-Bytes        Rekey Left(D): 4274992 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 12754                  Bytes Rx     : 24387
  Pkts Tx      : 195                    Pkts Rx      : 195


IPSec:
  Session ID   : 3
  Local Addr   : 192.168.15.0/255.255.255.0/0/0
  Remote Addr  : 10.30.15.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25701 Seconds
  Rekey Int (D): 4275000 K-Bytes        Rekey Left(D): 3861311 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 9856605                Bytes Rx     : 430790895
  Pkts Tx      : 207905                 Pkts Rx      : 385265

On the ASA5505 I can see the following in the log:

Mar 27 2011 21:21:17: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, sequence number= 0x1BB08) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx that failed authentication.
Mar 27 2011 21:26:12: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, sequence number= 0x2EF6E) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx that failed authentication.

It has done this 4-5 times now, so I don't think it is a temporary problem. The ASA5505 has been rebooted several times. Rebooting the failover 5510 is not an option. The 5510 currently holds over 50 IPSEC tunnels and this is the only one behaving like this.

If I do a "clear cry ips sa peer <IP of the 5505>", the tunnel becomes functional again.

The software versions are:

5510:     7.2.(4)9

5505:     7.2.(4)

This is the configuration that I use for the tunnel:

5510:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 15 match address K015-L2L-list
crypto map outside_map 15 set peer K015-Peer
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set security-association lifetime seconds 28800
crypto map outside_map 15 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

5505:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 match address Hosting_List
crypto map VPNMAP 10 set peer 83.136.xx.xxx
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Any of you got any good ideas?

Best regards,

Jesper Ross
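As an added example that is not part of the original post, the three checks below turn the evidence quoted above into something scriptable: parse the IPSec SA blocks of "show vpn-sessiondb detail l2l" from both peers, flag an SA whose data-based lifetime ("Rekey Left(D)") is nearly exhausted while a fresh SA has not replaced it, compare the negotiated lifetimes of matching SAs on the two peers, and count %ASA-4-402120 ESP authentication failures per SPI. The sample show output and syslog lines are constructed from the values in the post (masked addresses kept as-is); the function names, thresholds and the 10-minute log window are assumptions for illustration, not ASA features.

```python
import re
from collections import Counter

# Constructed sample: the IPSec SA blocks from the post's 5510 and 5505
# outputs, trimmed to the fields this script reads.
SHOW_5510 = """\
IPSec:
  Session ID   : 2
  Local Addr   : HOST_RDC001/255.255.255.255/0/0
  Remote Addr  : 192.168.15.0/255.255.255.0/0/0
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25270 Seconds
  Rekey Int (D): 413696 K-Bytes         Rekey Left(D): 413688 K-Bytes

IPSec:
  Session ID   : 3
  Local Addr   : 10.30.15.0/255.255.255.0/0/0
  Remote Addr  : 192.168.15.0/255.255.255.0/0/0
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25715 Seconds
  Rekey Int (D): 413696 K-Bytes         Rekey Left(D): 1 K-Bytes
"""

SHOW_5505 = """\
IPSec:
  Session ID   : 2
  Local Addr   : 192.168.15.0/255.255.255.0/0/0
  Remote Addr  : 10.1.11.1/255.255.255.255/0/0
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25256 Seconds
  Rekey Int (D): 4275000 K-Bytes        Rekey Left(D): 4274992 K-Bytes

IPSec:
  Session ID   : 3
  Local Addr   : 192.168.15.0/255.255.255.0/0/0
  Remote Addr  : 10.30.15.0/255.255.255.0/0/0
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 25701 Seconds
  Rekey Int (D): 4275000 K-Bytes        Rekey Left(D): 3861311 K-Bytes
"""

# Constructed sample syslog lines, copied from the post.
SYSLOG_5505 = [
    "Mar 27 2011 21:21:17: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, "
    "sequence number= 0x1BB08) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx "
    "that failed authentication.",
    "Mar 27 2011 21:26:12: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, "
    "sequence number= 0x2EF6E) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx "
    "that failed authentication.",
]

# One regex picks up every "label : value" pair we care about; two pairs share
# a line in the ASA output, so findall() is used rather than a line-per-field parse.
FIELD = re.compile(
    r"(Session ID|Local Addr|Remote Addr|Rekey Int \(T\)|Rekey Left\(T\)|"
    r"Rekey Int \(D\)|Rekey Left\(D\))\s*:\s*(\S+)"
)

LOG_402120 = re.compile(
    r"%ASA-4-402120: IPSEC: Received an ESP packet \(SPI= (0x[0-9A-Fa-f]+), "
    r"sequence number= (0x[0-9A-Fa-f]+)\) from (\S+) .* that failed authentication"
)


def parse_ipsec_sas(text):
    """Return one dict per 'IPSec:' block in a 'show vpn-sessiondb detail l2l' output."""
    sas = []
    for chunk in text.split("IPSec:")[1:]:      # chunk 0 is the IKE/header part
        f = dict(FIELD.findall(chunk))
        sas.append({
            "id": int(f["Session ID"]),
            "local": f["Local Addr"],
            "remote": f["Remote Addr"],
            "time_int": int(f["Rekey Int (T)"]),
            "time_left": int(f["Rekey Left(T)"]),
            "data_int": int(f["Rekey Int (D)"]),
            "data_left": int(f["Rekey Left(D)"]),
        })
    return sas


def check_rekey_headroom(sas, kb_threshold=1024):
    """Flag SAs with (almost) no data lifetime left: a data-based rekey should
    already have produced a new SA, so this is where to look when the tunnel is
    'up' but passes no traffic. Returns (session id, K-bytes left, K-bytes limit)."""
    return [(sa["id"], sa["data_left"], sa["data_int"])
            for sa in sas if sa["data_left"] <= kb_threshold]


def compare_peer_lifetimes(side_a, side_b):
    """Pair SAs by swapped local/remote selectors and report differing lifetimes.
    Returns (id on A, id on B, data limit on A, data limit on B)."""
    mismatches = []
    for a in side_a:
        for b in side_b:
            if a["local"] == b["remote"] and a["remote"] == b["local"]:
                if a["data_int"] != b["data_int"] or a["time_int"] != b["time_int"]:
                    mismatches.append((a["id"], b["id"], a["data_int"], b["data_int"]))
    return mismatches


def count_esp_auth_failures(lines, min_count=2):
    """Count 402120 ESP auth failures per (SPI, source) and keep repeat offenders."""
    per_spi = Counter()
    for line in lines:
        m = LOG_402120.search(line)
        if m:
            per_spi[(m.group(1), m.group(3))] += 1
    return {k: v for k, v in per_spi.items() if v >= min_count}


if __name__ == "__main__":
    a, b = parse_ipsec_sas(SHOW_5510), parse_ipsec_sas(SHOW_5505)
    print("low data headroom on 5510:", check_rekey_headroom(a))
    print("low data headroom on 5505:", check_rekey_headroom(b))
    print("lifetime mismatches:", compare_peer_lifetimes(a, b))
    print("repeated ESP auth failures:", count_esp_auth_failures(SYSLOG_5505))
```

Run against the post's numbers, the script flags session 3 on the 5510 (1 K-byte of 413696 left, with traffic still counted on that SA), reports that the two peers hold different data lifetimes for the 10.30.15.0/24 to 192.168.15.0/24 pair (413696 vs 4275000 K-bytes), and shows two authentication failures for SPI 0xBB2A21CF. None of that proves the root cause, but it is exactly the state that a "clear crypto ipsec sa peer" resets, so polling for it gives an alert before users notice the tunnel is dead.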
