891 Router Configured with EZ VPN

CSSW Computers
Level 1

I'm very new to router configurations. I have an 891 router in a remote office that is set up with EZ VPN back to my ASA 5512x firewall. The connection at the remote office is a DSL line, and in the past it has had infrequent problems where the EZ VPN connection would drop. The remote office would have to power cycle the router to re-establish the VPN session. As of last Monday the 891 router is now losing its EZ VPN connection every night. At first I thought it had to be the ISP. But I set up a ping to file over an entire evening to the IP address of the DSL modem, and other than a couple of request timeouts in a two-hour period the modem never loses signal. So I'm starting to think it's the router just dropping the VPN session. I know I'm not offering up a lot of configuration information, mainly because I can't access the router at this point so I can't post its config. But I was just wondering if anyone would be willing to point me in a direction. Is there any logging I can set up on the router to see what's happening with the VPN connection? Also, if the VPN is dropping, why doesn't it just come back up and try to reestablish?

Thanks in advance for any assistance.

BP

6 Replies

paolo bevilacqua
Hall of Fame

Wrong forum, post in "WAN and switching". You can move your posting with the Actions panel on the right.

rizwanr74
Level 7

Hi Brian

"Is there any logging I can set up on the router to see what's happening with the VPN connection? Also, if the VPN is dropping, why doesn't it just come back up and try to reestablish?"

To answer your question, the VPN tunnel will stay on as long as traffic traverses the tunnel.

You may be able to ping the other end of the tunnel (the router's side) when the tunnel is established, then RDP to a local machine, and from the local machine you may be able to log on to the router's inside interface address by telnet via PuTTY.

I hope this helps.

Thanks

Rizwan Rafeek.


Thanks Rizwanr74,

I was able to set up logging on my ASA end and I finally found a log that makes sense. Says Session is being torn down. Reason: Administrator Reset. The only problem is I'm not resetting anything, so I don't understand the error message.

%ASA-7-713906: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, IKE SA AM:7f6ec475 terminating:  flags 0x4100c401, refcnt 0, tuncnt 0

%ASA-7-713906: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, sending delete/delete with reason message

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing blank hash payload

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing IKE delete payload

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing qm hash payload

%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=740473c8) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

%ASA-7-713906: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, sending delete/delete with reason message

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing blank hash payload

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing IPSec delete payload

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing qm hash payload

%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=a65ae4ae) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

%ASA-7-713906: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, Active unit receives a delete event for remote peer x.x.x.x.

%ASA-7-715009: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 192.168.10.0, Local Proxy 0.0.0.0

%ASA-7-713906: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, IKE SA AM:a9e3c1b9 rcv'd Terminate: state AM_ACTIVE  flags 0x4021c0c1, refcnt 1, tuncnt 0

%ASA-7-713906: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, IKE SA AM:a9e3c1b9 terminating:  flags 0x4121c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, sending delete/delete with reason message

%ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x23E439E4) between x.x.x.x and x.x.x.x (user= LA-EZVPN-RTR) has been deleted.

%ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0x5AE73792) between 99.67.47.206 and 173.8.118.93 (user= LA-EZVPN-RTR) has been deleted.

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing blank hash payload

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing IKE delete payload

%ASA-7-715046: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, constructing qm hash payload

%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=8e2a94fd) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

%ASA-7-715077: Pitcher: received key delete msg, spi 0x5ae73792

%ASA-7-715077: Pitcher: received key delete msg, spi 0x5ae73792

%ASA-5-713259: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, Session is being torn down. Reason: Administrator Reset

%ASA-4-113019: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 20h:48m:36s, Bytes xmt: 1844184, Bytes rcv: 1271297, Reason: Administrator Reset

%ASA-7-713906: Ignoring msg to mark SA with dsID 159744 dead because SA deleted
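When drops recur nightly, tallying the ASA's `%ASA-4-113019` disconnect lines by reason and session duration shows whether they follow a pattern. The parser below is an added example, not part of the thread: its sample lines are constructed from the log format posted above, and the optional day prefix in `Duration` is an assumption about sessions longer than 24 hours.

```python
import re

# Constructed sample modelled on the 113019 line posted above (addresses masked).
SAMPLE = """\
%ASA-5-713259: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, Session is being torn down. Reason: Administrator Reset
%ASA-4-113019: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 20h:48m:36s, Bytes xmt: 1844184, Bytes rcv: 1271297, Reason: Administrator Reset
%ASA-4-113019: Group = EZVPN-TG, Username = LA-EZVPN-RTR, IP = x.x.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:30m:05s, Bytes xmt: 1200, Bytes rcv: 900, Reason: Idle Timeout
%ASA-7-715077: Pitcher: received key delete msg, spi 0x5ae73792
"""

# Assumption: sessions over 24 hours are written with a leading "<n>d " in Duration.
DISCONNECT = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?:(?P<d>\d+)d )?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)

def parse_disconnects(text):
    """Return one dict per 113019 'Session disconnected' line found in text."""
    events = []
    for line in text.splitlines():
        m = DISCONNECT.search(line)  # search() tolerates a syslog timestamp/host prefix
        if not m:
            continue
        secs = (int(m["d"] or 0) * 86400 + int(m["h"]) * 3600
                + int(m["m"]) * 60 + int(m["s"]))
        events.append({
            "group": m["group"], "user": m["user"], "type": m["type"],
            "duration_s": secs, "bytes": int(m["xmt"]) + int(m["rcv"]),
            "reason": m["reason"],
        })
    return events

def summarize(events):
    """Per (user, reason): number of disconnects and the shortest session seen."""
    out = {}
    for e in events:
        s = out.setdefault((e["user"], e["reason"]),
                           {"count": 0, "shortest_s": e["duration_s"]})
        s["count"] += 1
        s["shortest_s"] = min(s["shortest_s"], e["duration_s"])
    return out

if __name__ == "__main__":
    for (user, reason), info in summarize(parse_disconnects(SAMPLE)).items():
        print(f"{user}: {reason} x{info['count']}, shortest {info['shortest_s']}s")
```

Fed several nights of ASA syslog, the summary separates idle-timeout disconnects from resets and shows whether session durations cluster around a fixed value.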

Hi Brian,

There is a timeout taking place on the active tunnel.

ASA(config)#group-policy DfltGrpPolicy attributes

ASA(config-group-policy)#vpn-idle-timeout none

Router(config)#crypto ipsec security-association idle-time 86400

Let me know, if this helps.

thanks


I thought that, so on the ASA I put the connection timeout group policy to unlimited. Still having the same problem, unless I placed that value in the wrong place in ASDM. See picture: is this the location in ASDM where I should place the ASA VPN timeout? My initial thought when I saw this was, well, why is it timing out now? I'm not sure if I mentioned this above, but the VPN tunnel has been running great since it was first installed in June. It just now started having issues with connection.

Hi Brian,

Can you please post the configs from both devices?

thanks
