ASA site to site VPN and SSL VPN

aung.htwe
Level 1

Hi,

Already configured site to site VPN for two sites. Now I am trying to configure remote access VPN for one site.

But when I started configuring some commands as below for remote access VPN, the existing site to site VPN automatically disconnected.

no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

Please help me to check.

Thanks,

Ko Htwe

8 Accepted Solutions

Hi,

As you can see, this output doesn't include or say anything about the network 192.168.50.0/24. Had you tested some traffic through the VPN Client before you took the output?

If you did it would seem to me that traffic is not getting forwarded from the VPN Client at HQ to the L2L VPN heading to the remote site.

It would probably be the easiest if you could share configurations of the HQ ASA and Remote Site ASAs so we could go through all the configurations and see what the problem might be.

- Jouni


Hi,

I would suggest the following changes to your configurations:

HQ ASA

access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0

access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0

access-list SPLIT-TUNNEL standard permit 192.168.120.0 255.255.255.0

group-policy vpngroup1 attributes

no split-tunnel-network-list value splittun-vpngrup1

split-tunnel-network-list value SPLIT-TUNNEL

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

ASA REMOTE 1

access-list outside_cryptomap_2 extended permit ip 192.168.120.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.120.0 255.255.255.0 192.168.50.0 255.255.255.0

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

ASA REMOTE 2

access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.110.0 255.255.255.0 192.168.50.0 255.255.255.0

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

ASA REMOTE 3

access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

So basically you have configured most of the HQ ASA correctly, though I suggest doing the above changes to the split tunnel configuration and adding the ICMP inspection configuration.

All the REMOTE SITES basically lack the same configurations. They don't have any L2L VPN ACL rule that says that traffic from their own LAN to the VPN pool of 192.168.50.0/24 should be forwarded to the L2L VPN connection towards the HQ SITE.

In the same way, they are also lacking the proper NAT0 configuration for that same traffic described above.

Adding these should handle the needed configurations to make it possible for users connecting through the HQ ASA VPN Client connection to also connect to the REMOTE SITE LAN networks.

Remember to mark the reply as the correct answer if it did answer your question. And remember to rate all helpful answers.

Ask more if needed.

- Jouni


28 Replies

mabuarja
Level 1

hi,

You can only have one crypto map per interface, so you need to configure both tunnels (site to site & remote access) in one crypto map with different sequence numbers. Please make sure that the sequence number for the remote access entry is higher than the one for the site to site.

Also, you can put this command back into the config; why did you remove it?

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

If you still have a problem, please share the configuration.

Regards,

Mohammad

Hi Mohammad,

Thanks for your reply.

My site to site VPN config and remote access VPN config are below; please check them for me, thanks.

>>>>>>>>>>>Site to Site VPN Configuration<<<<<<<<<<

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

tunnel-group 49.63.134.194 type ipsec-l2l

tunnel-group 49.63.134.194 ipsec-attributes

pre-shared-key Cisc0xVppN

crypto map IPSec_map 10 match address 101

crypto map IPSec_map 10 set peer 49.63.134.194

crypto map IPSec_map 10 set transform-set myset

crypto map IPSec_map interface outside

crypto isakmp enable outside

>>>>>>>>>>>>>Remote Access VPN Configuration<<<<<<<<<<<<<<

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

ip local pool ippool 192.168.50.10-192.168.50.40 mask 255.255.255.0

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

dns-server value 192.168.1.23 165.21.83.8

default-domain value Bravo.local

split-dns value Bravo.local

access-list splittun-vpngrup1 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun-vpngrup1

tunnel-group vpngroup1 type ipsec-ra

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key Share@@K3i

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list nonat

username admin password P@ssw0rt#

Thanks,

Ko Htwe

Apply the below changes to have only one crypto map; then both connections will work.

no crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

no crypto map outside_map interface Outside

crypto map IPSec_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map IPSec_map interface outside

Regards,

Mohammad

Thanks Mohammad Abu Arja,

Now all are working fine.

Can you share with me some reference links for VPN and RADIUS authentication with domain authentication?

Thanks

Ko Htwe

Hi,

Already created site to site VPN (site 1 and site 2).

All are working fine.

Now I want to create site to site VPN (site 3 and site 1).

I cannot access the remote site; when I configure it, I get the warning message below. Please help me to check.

WARNING: The crypto map entry is incomplete!

Site 1 and site 3 configs are attached; please check them for me.

http://www.sendspace.com/file/p8duww

Thanks, Ko Htwe

Hi,

The warning message

WARNING: The crypto map entry is incomplete!

Usually means one of the following

  • You don't have the peer IP set with the "crypto map set peer" command
  • You don't have the interesting traffic ACL set with the "crypto map match address" command
  • You don't have the transform set set with the "crypto map set transform-set" command

- Jouni

Hi Jouni,

Already added, but it still cannot connect. Please check my config for me. Do I need to change something?

http://www.sendspace.com/file/5zh04p

Thanks,

Ko Htwe

Hi,

Here are some suggestions for changes. Especially the changes to the Site1 configuration will affect your current Site1 and Site2 connection, but only for a short time until the changes are done.

Site1

I suggest that you don't use the same ACL for both NAT0 and BOTH L2L VPN connections. Create a separate ACL for each purpose to avoid problems.

Create a new NAT0 configuration for both of the L2L VPN connections:

access-list INSIDE-NAT0 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

no nat (Inside) 0 access-list 101

nat (Inside) 0 access-list INSIDE-NAT0

Remove the Site1 -> Site2 ACL rule from ACL 101 and create a new ACL for the Site 1 -> Site 3 L2L VPN:

no access-list 101 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 102 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

no crypto map IPSec_map 20 match address 101

crypto map IPSec_map 20 match address 102

In the above "crypto map" configuration, make sure that I got the right connection's "match address" line.

Site 3

Create the missing NAT0 rule on Site 3:

access-list INSIDE-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

- Jouni

Hi Jouni,

I already did that, but it still cannot connect.

Now I have cleared the VPN configuration for site 2 and site 3.

Then I reconfigured the VPN for sites 2 and 3, and it still cannot connect.

Kindly check my config.

Site 3 IP config is as below:

Outside interface:

ip address 203.117.160.62

Inside interface: 192.168.0.1

Internet configuration is here:

"

global (outside) 101 203.116.69.33

nat (inside) 101 192.168.0.0 255.255.255.0

static (inside,outside) 203.116.69.32 192.168.0.2 netmask 255.255.255.255

access-group outside_in in interface outside

"

For the full config, please see the link: http://www.sendspace.com/file/5mj9cw

Kindly advise me on the VPN config.

Thanks,

Ko Htwe

Hi,

Are you sure these are the correct configurations?

In the previous reply and link, the attached configs say the configurations are for Site 1 and Site 3.

Now you have attached configs for Site 2 and Site 3, and the Site 2 configuration is the same as Site 1 in the previous reply.

So the information is, to say the least, a bit confusing.

The configurations between your sites should be pretty simple to build. The original problem was that you were using the ACL named "101" in the NAT0 configuration and in BOTH L2L VPN configurations. This is something you shouldn't do. You should have separate ACLs for every purpose to avoid problems.

Provided you only want this:

  • Main Site must be able to connect to the 2 Remote Sites
  • They must do so with their original IP address

You will have to make sure that each site has the following configurations:

Central Site

access-list INSIDE-NAT0 permit ip

access-list INSIDE-NAT0 permit ip

nat (inside) 0 access-list INSIDE-NAT0

access-list REMOTE-SITE-1 permit ip

crypto map match address REMOTE-SITE-1

access-list REMOTE-SITE-2 permit ip

crypto map match address REMOTE-SITE-2

Remote Site 1

access-list INSIDE-NAT0 permit ip

nat (inside) 0 access-list INSIDE-NAT0

access-list CENTRAL-SITE permit ip

crypto map match address CENTRAL-SITE

Remote Site 2

access-list INSIDE-NAT0 permit ip

nat (inside) 0 access-list INSIDE-NAT0

access-list CENTRAL-SITE permit ip

crypto map match address CENTRAL-SITE

You just have to make sure the above things are done:

  • NAT0 configured for the traffic between the local and remote network (make a separate ACL for this, like above)
  • The local and remote networks need to be defined in the "crypto map match address" configuration line (make a separate ACL for this, like above. DON'T USE the NAT0 ACL!)

Following this should already get you pretty far.

If you are testing with ICMP/ping, then add "fixup protocol icmp" on every ASA to enable ICMP inspection.

- Jouni
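
As an added example (not code from this thread, from Cisco, or from the posters): a small Python linter, run over a constructed running-config excerpt, that flags the pitfalls raised in the replies above: a second crypto map bound to the same interface, an incomplete crypto map entry, a dynamic entry whose sequence number is not the highest in its map, and an ACL shared between nat 0 and a crypto map match address. The map names, ACL numbers and the peer address 203.0.113.10 in the sample are constructed.

```python
"""Lint an ASA running-config excerpt for the crypto map pitfalls raised in
this thread.  SAMPLE_CONFIG is a constructed excerpt, not a real device config."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map IPSec_map 10 match address 101
crypto map IPSec_map 10 set peer 203.0.113.10
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map 20 match address 102
crypto map IPSec_map 20 set transform-set myset
crypto map IPSec_map interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# One regex per statement type the checks care about.
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
REQUIRED = ("set peer", "match address", "set transform-set")


def lint_crypto_config(config):
    """Return a list of finding strings for the given running-config text."""
    entries = defaultdict(dict)   # (map name, seq) -> {attribute: value}
    dynamic = {}                  # (map name, seq) -> dynamic-map name
    bindings = defaultdict(list)  # interface -> [map names bound to it]
    nat0_acls = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            entries[(m[1], int(m[2]))][m[3]] = m[4]
        elif m := DYNAMIC_RE.match(line):
            dynamic[(m[1], int(m[2]))] = m[3]
        elif m := BIND_RE.match(line):
            bindings[m[2].lower()].append(m[1])  # nameif compared case-insensitively here
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m[2])

    findings = []
    # 1. Only one crypto map can be applied per interface; a second binding replaces the first.
    for iface, maps in bindings.items():
        if len(maps) > 1:
            findings.append(f"interface {iface}: more than one crypto map bound "
                            f"({', '.join(maps)}); merge them into a single map")
    # 2. Incomplete entries ("crypto map entry is incomplete") and ACL reuse with nat 0.
    for (name, seq), attrs in entries.items():
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings.append(f"crypto map {name} {seq}: incomplete entry, missing {', '.join(missing)}")
        acl = attrs.get("match address")
        if acl in nat0_acls:
            findings.append(f"crypto map {name} {seq}: ACL {acl} is also the nat 0 ACL; "
                            "use a separate ACL for each purpose")
    # 3. The dynamic (remote access) entry must carry the highest sequence number in its map.
    for (name, seq), dyn in dynamic.items():
        static_seqs = [s for (n, s) in entries if n == name]
        if static_seqs and seq <= max(static_seqs):
            findings.append(f"crypto map {name} {seq}: dynamic entry {dyn} needs a higher "
                            f"sequence number than the static entries ({max(static_seqs)})")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG):
        print(finding)
```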

Hi,

The ASA to ASA site to site VPN has been working for over 3 weeks, but yesterday we tried to copy a 2GB file from site A to site B, and then the site to site VPN automatically disconnected after 50 minutes. I have already disabled the VPN idle timeout as well.

Please advise me , Thanks.

Ko Htwe

Hi,

There are sometimes these kinds of problems when the configured VPN lifetime values are too short, especially when the lifetime is set to 1h.

Can you share the following command output from both endpoints of the L2L VPN (if they are both ASAs and under your control)?

show run crypto

show crypto ipsec sa peer

Remove any public IP addresses before posting here.

- Jouni

Hi Jouni,

ASA1 (IP x.x.x.35) >>>>>>>>>> IP x.x.x.51 <<<<<<<<<< ASA2 (IP x.x.x.34)

Below is the information that you need, thanks.

ASA2# show run crypto

crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set peer x.x.x.194

crypto map outside_map 1 set transform-set AES-SHA

crypto map outside_map 2 match address outside_cryptomap_2

crypto map outside_map 2 set peer x.x.x.51

crypto map outside_map 2 set transform-set AES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

ASA2# show crypto ipsec sa peer x.x.x.51

peer address: x.x.x.51

    Crypto map tag: outside_map, seq num: 2, local addr: x.x.x.34

      access-list outside_cryptomap_2 permit ip 192.168.120.0 255.255.255.0 192.168.100.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

      current_peer: x.x.x.51

      #pkts encaps: 9327, #pkts encrypt: 9327, #pkts digest: 9327

      #pkts decaps: 10447, #pkts decrypt: 10447, #pkts verify: 10447

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 9327, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.34, remote crypto endpt.: x.x.x.51

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 4B845946

    inbound esp sas:

      spi: 0xEFD6B91F (4023826719)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4372564/24842)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xEFF7DDFF 0xFFFBFFFF

    outbound esp sas:

      spi: 0x4B845946 (1266964806)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373395/24841)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

ASA1# show run crypto

crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set peer x.x.x.51

crypto map outside_map 1 set transform-set AES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

ASA1# show crypto ipsec sa peer x.x.x.51

peer address: x.x.x.51

    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.35

      access-list outside_cryptomap_1 permit ip 192.168.110.0 255.255.255.0 192.168.100.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

      current_peer: x.x.x.51

      #pkts encaps: 2095764, #pkts encrypt: 2095764, #pkts digest: 2095764

      #pkts decaps: 1137433, #pkts decrypt: 1137433, #pkts verify: 1137433

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 2095764, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.35, remote crypto endpt.: x.x.x.51

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: C318E201

    inbound esp sas:

      spi: 0x80DF7DDA (2162130394)

         transform: esp-aes-256 esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 135, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4322832/24748)

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xC318E201 (3273187841)

         transform: esp-aes-256 esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 135, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (1495403/24747)

         IV size: 16 bytes

         replay detection support: Y

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

ASA3# sh run crypto

crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set peer x.x.x.194

crypto map outside_map 1 set transform-set AES-SHA

crypto map outside_map 1 set reverse-route

crypto map outside_map 2 match address outside_cryptomap_2

crypto map outside_map 2 set peer x.x.x.35

crypto map outside_map 2 set transform-set AES-SHA

crypto map outside_map 2 set reverse-route

crypto map outside_map 3 match address outside_cryptomap_3

crypto map outside_map 3 set peer x.x.x.34

crypto map outside_map 3 set transform-set AES-SHA

crypto map outside_map 3 set reverse-route

crypto map outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

ASA3# show crypto ipsec sa peer x.x.x.34

peer address: x.x.x.34

    Crypto map tag: outside_map, seq num: 3, local addr: x.x.x.51

      access-list outside_cryptomap_3 permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)

      current_peer: x.x.x.34

      #pkts encaps: 13547, #pkts encrypt: 13547, #pkts digest: 13547

      #pkts decaps: 10967, #pkts decrypt: 10967, #pkts verify: 10967

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 13547, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.51, remote crypto endpt.: x.x.x.34

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: EFD6B91F

    inbound esp sas:

      spi: 0x4B845946 (1266964806)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 110592, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914308/24170)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xBFFFFFFF

    outbound esp sas:

      spi: 0xEFD6B91F (4023826719)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 110592, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3913179/24167)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

ASA3# show crypto ipsec sa peer x.x.x.35

peer address: x.x.x.35

    Crypto map tag: outside_map, seq num: 2, local addr: x.x.x.51

      access-list outside_cryptomap_2 permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)

      current_peer: x.x.x.35

      #pkts encaps: 1459726, #pkts encrypt: 1459726, #pkts digest: 1459726

      #pkts decaps: 2468114, #pkts decrypt: 2468114, #pkts verify: 2468114

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1459727, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.51, remote crypto endpt.: x.x.x.35

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 80DF7DDA

    inbound esp sas:

      spi: 0xC318E201 (3273187841)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 118784, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (521843/24103)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFEF 0xFFDFFFFF

    outbound esp sas:

      spi: 0x80DF7DDA (2162130394)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 118784, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3849471/24102)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Thanks,

Ko Htwe

Hi,

It would seem to me that you have an 8h lifetime set in time and a 4.6 GB lifetime in data with the following commands:

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

Have you checked your ASA logs for why the connections are being torn down by the ASA?

What are you using to transfer the files? FTP or something else?

What are your connection timeouts? (show run timeout)

I wonder if the data lifetime amount would be something that is causing this. I would have to refresh my own knowledge about the lifetime values to say anything for certain. If you were to change those, you would be better off changing them in the "crypto map" configuration lines for the said connection ONLY, on both endpoints.

But I would first try to look for log messages about these connections that are being torn down after 50 minutes before I would make any bigger changes, since those changes would cause a brief downtime for the whole L2L VPN.

- Jouni
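
An added example, not from this thread or its posters: the "sa timing: remaining key lifetime (kB/sec)" fields in the output above record how much of each configured lifetime an SA has left, and from the consumed portion one can project which limit (seconds or kilobytes) that SA reaches first. The Python below parses a constructed excerpt in the same format, reusing the lifetime values from the "show run crypto" output above and the ASA1 SA counters, with documentation addresses (198.51.100.x) in place of the masked public IPs.

```python
"""Project which configured lifetime an ASA IPsec SA will hit first, from the
'remaining key lifetime (kB/sec)' fields of 'show crypto ipsec sa'.
SAMPLE_SA_OUTPUT is a constructed excerpt in the same format as the thread's
output, with documentation addresses in place of the masked public IPs."""
import re

# From 'crypto ipsec security-association lifetime seconds/kilobytes' above.
CONFIGURED_SECONDS = 28800
CONFIGURED_KB = 4608000

SAMPLE_SA_OUTPUT = """\
peer address: 198.51.100.51
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.35
    inbound esp sas:
      spi: 0x80DF7DDA (2162130394)
         transform: esp-aes-256 esp-sha-hmac none
         sa timing: remaining key lifetime (kB/sec): (4322832/24748)
    outbound esp sas:
      spi: 0xC318E201 (3273187841)
         transform: esp-aes-256 esp-sha-hmac none
         sa timing: remaining key lifetime (kB/sec): (1495403/24747)
"""

DIRECTION_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_sa_timing(output):
    """Return [(direction, spi, remaining_kb, remaining_sec), ...] per ESP SA."""
    sas, direction, spi = [], None, None
    for line in output.splitlines():
        if m := DIRECTION_RE.match(line):
            direction = m[1]
        elif m := SPI_RE.match(line):
            spi = m[1]
        elif m := TIMING_RE.search(line):
            sas.append((direction, spi, int(m[1]), int(m[2])))
    return sas


def project_rekey(remaining_kb, remaining_sec, cfg_kb=CONFIGURED_KB, cfg_sec=CONFIGURED_SECONDS):
    """Estimate the limit reached first and the seconds until then, assuming the
    average throughput observed since the SA was built stays the same."""
    elapsed = cfg_sec - remaining_sec
    used_kb = cfg_kb - remaining_kb
    if elapsed <= 0 or used_kb <= 0:
        return ("seconds", remaining_sec)  # idle SA: only the clock is running
    data_eta = remaining_kb / (used_kb / elapsed)
    if data_eta < remaining_sec:
        return ("kilobytes", int(data_eta))
    return ("seconds", remaining_sec)


def analyze(output):
    """Combine both steps: [(direction, spi, limit, seconds_until_rekey), ...]."""
    return [(d, spi, *project_rekey(kb, sec)) for d, spi, kb, sec in parse_sa_timing(output)]


if __name__ == "__main__":
    for direction, spi, limit, eta in analyze(SAMPLE_SA_OUTPUT):
        print(f"{direction:8} {spi}: {limit} lifetime reached first, in about {eta // 60} min")
```

A rekey on the kilobyte lifetime is normal behaviour and negotiates a fresh SA rather than tearing the tunnel down; the projection is mainly useful for lining up rekey times against the ASA log timestamps around the 50-minute disconnect.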