03-29-2011 03:59 AM
Hello
I have an L2L IPSEC tunnel between a failover pair of two ASA5510's and a single ASA5505. Over time they will lose connectivity through the tunnel. The tunnel itself stays up, but cannot pass any traffic.
When looking at the tunnel I always see this on the set of 5510's (marked in bold @ IPSEC ID 3):
advdns# sh vpn-sessiondb detail l2l filter ipaddress 93.160.2xx.1xx
Session Type: LAN-to-LAN Detailed
Connection : 93.160.2xx.1xx
Index : 14 IP Addr : K015-Peer
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : SHA1
Bytes Tx : 430820527 Bytes Rx : 9869311
Login Time : 01:16:13 CEDT Mon Mar 28 2011
Duration : 7h:46m:47s
Filter Name : K015-L2L-filter
IKE Sessions: 1
IPSec Sessions: 2
IKE:
Session ID : 1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 58390 Seconds
D/H Group : 2
IPSec:
Session ID : 2
Local Addr : HOST_RDC001/255.255.255.255/0/0
Remote Addr : 192.168.15.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 25270 Seconds
Rekey Int (D): 413696 K-Bytes Rekey Left(D): 413688 K-Bytes
Bytes Tx : 24387 Bytes Rx : 12754
Pkts Tx : 195 Pkts Rx : 195
IPSec:
Session ID : 3
Local Addr : 10.30.15.0/255.255.255.0/0/0
Remote Addr : 192.168.15.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 25715 Seconds
Rekey Int (D): 413696 K-Bytes Rekey Left(D): 1 K-Bytes
Bytes Tx : 430796140 Bytes Rx : 9856557
Pkts Tx : 385454 Pkts Rx : 207904
This is the result of the same command at the ASA5505 end of the tunnel:
Pff# sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection : 83.136.xx.xxx
Index : 1 IP Addr : 83.136.xx.xxx
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : SHA1
Bytes Tx : 9869359 Bytes Rx : 430815282
Login Time : 14:00:28 UTC Sun Mar 27 2011
Duration : 7h:47m:00s
Filter Name :
IKE Sessions: 1
IPSec Sessions: 2
IKE:
Session ID : 1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 58381 Seconds
D/H Group : 2
IPSec:
Session ID : 2
Local Addr : 192.168.15.0/255.255.255.0/0/0
Remote Addr : 10.1.11.1/255.255.255.255/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 25256 Seconds
Rekey Int (D): 4275000 K-Bytes Rekey Left(D): 4274992 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 12754 Bytes Rx : 24387
Pkts Tx : 195 Pkts Rx : 195
IPSec:
Session ID : 3
Local Addr : 192.168.15.0/255.255.255.0/0/0
Remote Addr : 10.30.15.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 25701 Seconds
Rekey Int (D): 4275000 K-Bytes Rekey Left(D): 3861311 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 9856605 Bytes Rx : 430790895
Pkts Tx : 207905 Pkts Rx : 385265
On the ASA5505 I can see the following in the log:
Mar 27 2011 21:21:17: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, sequence number= 0x1BB08) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx that failed authentication.
Mar 27 2011 21:26:12: %ASA-4-402120: IPSEC: Received an ESP packet (SPI= 0xBB2A21CF, sequence number= 0x2EF6E) from 83.136.xx.xxx (user= 83.136.xx.xxx) to 93.160.2xx.1xx that failed authentication.
It has done this 4-5 times now, so I don't think it is a temporary problem. The ASA5505 has been rebooted several times. Rebooting the failover 5510 is not an option. The 5510 currently holds over 50 IPSEC tunnels and this is the only one behaving like this.
If I do a clear cry ips sa peer "IP of the 5505", then the tunnel goes functional again.
The SW version is:
5510: 7.2.(4)9
5505: 7.2.(4)
This is the configuration that I use for the tunnel:
5510:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 15 match address K015-L2L-list
crypto map outside_map 15 set peer K015-Peer
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set security-association lifetime seconds 28800
crypto map outside_map 15 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
5505:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 match address Hosting_List
crypto map VPNMAP 10 set peer 83.136.xx.xxx
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Any of you got any good ideas?
Best regards,
Jesper Ross
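Added here as a monitoring aid and not part of the original post: a Python script that reads "show vpn-sessiondb detail l2l" output from both ends, pairs each IPsec SA with its mirror image on the peer, and reports SAs whose kilobyte lifetime is nearly exhausted or differs from the peer's. The embedded excerpts are constructed from the values shown above, and the 1024 KB "nearly exhausted" threshold is an assumption.

```python
import re

# Constructed excerpts modelled on the post's "show vpn-sessiondb detail l2l"
# output; only the fields the checker reads are kept (hub = 5510, spoke = 5505).
HUB = """\
IPSec:
Local Addr : 10.30.15.0/255.255.255.0/0/0
Remote Addr : 192.168.15.0/255.255.255.0/0/0
Rekey Int (D): 413696 K-Bytes Rekey Left(D): 1 K-Bytes
"""
SPOKE = """\
IPSec:
Local Addr : 192.168.15.0/255.255.255.0/0/0
Remote Addr : 10.30.15.0/255.255.255.0/0/0
Rekey Int (D): 4275000 K-Bytes Rekey Left(D): 3861311 K-Bytes
"""

FIELD = {
    "local": re.compile(r"^Local Addr\s*:\s*(\S+)", re.M),
    "remote": re.compile(r"^Remote Addr\s*:\s*(\S+)", re.M),
    "kb": re.compile(r"^Rekey Int \(D\):\s*(\d+) K-Bytes\s+Rekey Left\(D\):\s*(\d+)", re.M),
}

def parse_ipsec_sas(text):
    """One dict per 'IPSec:' block: traffic selectors plus data lifetime in KB."""
    sas = []
    for block in re.split(r"^IPSec:\s*$", text, flags=re.M)[1:]:
        local, remote, kb = (FIELD[k].search(block) for k in ("local", "remote", "kb"))
        if not (local and remote and kb):
            continue  # block lacks a field we need; skip it rather than guess
        sas.append({"local": local.group(1), "remote": remote.group(1),
                    "kb_int": int(kb.group(1)), "kb_left": int(kb.group(2))})
    return sas

def check_pair(side_a, side_b, low_kb=1024):
    """Pair each SA on side A with its mirror image on side B; return findings."""
    findings, peers = [], parse_ipsec_sas(side_b)
    for a in parse_ipsec_sas(side_a):
        pair = f"{a['local']} <-> {a['remote']}"
        if a["kb_left"] < low_kb:  # data lifetime about to expire (threshold assumed)
            findings.append(f"{pair}: only {a['kb_left']} KB left of data lifetime")
        mirror = [b for b in peers
                  if b["local"] == a["remote"] and b["remote"] == a["local"]]
        if not mirror:
            findings.append(f"{pair}: no matching SA on peer")
        elif mirror[0]["kb_int"] != a["kb_int"]:
            findings.append(f"{pair}: data lifetime {a['kb_int']} KB here vs "
                            f"{mirror[0]['kb_int']} KB on peer")
    return findings
```

Run `check_pair(HUB, SPOKE)` to see both findings for the 10.30.15.0 SA; the same checker can be pointed at the full command output of two peers, since it only keys on the "IPSec:" blocks.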