03-23-2013 05:38 AM
Hi,
I have already configured a site to site VPN for two sites. Now I am trying to configure a remote access VPN to one site.
But when I started configuring some commands as below for the remote access VPN, the existing site to site VPN automatically disconnected.
no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
Please help me to check.
Thanks,
Ko Htwe
03-23-2013 09:05 AM
hi,
You can only have one crypto map per interface, so you need to configure both tunnels (site to site & remote access) in one crypto map with different sequence numbers. Please make sure that the sequence number for the remote access entry is higher than that for the site to site entry.
Also, you can put this command back in the config; why did you remove it?
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
If you still have a problem, please share the configuration.
Regards,
Mohammad
03-23-2013 10:53 AM
Apply the below changes to have only one crypto map; then both connections will work.
no crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
no crypto map outside_map interface Outside
crypto map IPSec_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map IPSec_map interface outside
Regards,
Mohammad
03-28-2013 01:20 AM
Hi,
The warning message
WARNING: The crypto map entry is incomplete!
Usually means one of the following
- Jouni
03-28-2013 03:10 AM
Hi,
Here are some suggestions for changes. Especially the changes on the Site1 configuration will affect your current Site1 and Site2 connection, but only for a short time until the changes are done.
Site1
I suggest that you don't use the same ACL for both NAT0 and BOTH L2L VPN connections. Create your own ACL for each purpose to avoid problems.
Create a new NAT0 configuration for both the L2L VPN connections
access-list INSIDE-NAT0 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
no nat (Inside) 0 access-list 101
nat (Inside) 0 access-list INSIDE-NAT0
Remove the Site1 -> Site2 ACL rule from the ACL 101 and create a new ACL for the Site 1 -> Site 3 L2L VPN
no access-list 101 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
no crypto map IPSec_map 20 match address 101
crypto map IPSec_map 20 match address 102
In the above "crypto map" configuration, make sure that I got the right connection's "match address" line.
Site 3
Create the missing NAT0 rule on the Site 3
access-list INSIDE-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
- Jouni
03-28-2013 11:46 AM
Hi,
Are you sure these are the correct configurations?
In the previous reply and link, the attached configs said the configurations were for Site 1 and Site 3.
Now you attached configs for Site 2 and Site 3, and the Site 2 configuration is the same as Site 1 in the previous reply.
So the information is, to say the least, a bit confusing.
The configurations between your sites should be pretty simple to build. The original problem was that you were using the ACL named "101" in the NAT0 configuration and in BOTH L2L VPN configurations. This is something you shouldn't do. You should have your own ACLs for every purpose to avoid problems.
Provided you only want this:
You will have to make sure that each site has the following configurations
Central Site
access-list INSIDE-NAT0 permit ip
access-list INSIDE-NAT0 permit ip
nat (inside) 0 access-list INSIDE-NAT0
access-list REMOTE-SITE-1 permit ip
crypto map
access-list REMOTE-SITE-2 permit ip
crypto map
Remote Site 1
access-list INSIDE-NAT0 permit ip
nat (inside) 0 access-list INSIDE-NAT0
access-list CENTRAL-SITE permit ip
crypto map
Remote Site 2
access-list INSIDE-NAT0 permit ip
nat (inside) 0 access-list INSIDE-NAT0
access-list CENTRAL-SITE permit ip
crypto map
You just have to make sure the above things are done
Following this should already get you pretty far.
If you are testing with ICMP/PING then add "fixup protocol icmp" in every ASA to enable ICMP inspection.
- Jouni
04-16-2013 01:57 AM
Hi,
It would seem to me that you have an 8h lifetime set in time and a 4.6 GB lifetime in data with the following commands
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
Have you checked your ASA logs for why the connections are being torn down by the ASA?
What are you using to transfer the files? FTP or something else?
What are your connection timeouts? (show run timeout)
I wonder if the data lifetime amount would be something that is causing this. I would have to refresh my own knowledge about the lifetime values to say anything for certain. If you would change those, you would be better off changing them in the "crypto map" configuration lines for the said connection ONLY, on both endpoints.
But I would first try to look for log messages of these connections that are being torn down after 50 minutes before I would make any bigger changes, since those changes would cause a brief downtime for the whole L2L VPN.
- Jouni
04-19-2013 09:02 PM
Hi,
As you can see, this output doesn't include or say anything about the network 192.168.50.0/24. Had you tested some traffic through the VPN Client before you took the output?
If you did it would seem to me that traffic is not getting forwarded from the VPN Client at HQ to the L2L VPN heading to the remote site.
It would probably be the easiest if you could share configurations of the HQ ASA and Remote Site ASAs so we could go through all the configurations and see what the problem might be.
- Jouni
04-20-2013 12:33 PM
Hi,
I would suggest the following changes to your configurations
HQ ASA
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.120.0 255.255.255.0
group-policy vpngroup1 attributes
no split-tunnel-network-list value splittun-vpngrup1
split-tunnel-network-list value SPLIT-TUNNEL
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
ASA REMOTE 1
access-list outside_cryptomap_2 extended permit ip 192.168.120.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.120.0 255.255.255.0 192.168.50.0 255.255.255.0
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
ASA REMOTE 2
access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.110.0 255.255.255.0 192.168.50.0 255.255.255.0
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
ASA REMOTE 3
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
So basically you have configured most of the HQ ASA correctly, though I suggest doing the above changes to the Split Tunnel configuration and adding the ICMP inspection configurations.
All the REMOTE SITES basically lack the same configurations. They don't have any L2L VPN ACL rule that says that traffic from their own LAN to the VPN Pool of 192.168.50.0/24 should be forwarded to the L2L VPN connection towards the HQ SITE.
In the same way they are also lacking the proper NAT0 configurations for that same traffic described above.
Adding these should handle the needed configurations to make it possible for users connecting through the HQ ASA VPN Client connection to also connect to the REMOTE SITE LAN networks.
Remember to mark the reply as a correct answer if it did answer your question. And remember to rate all helpful answers.
Ask more if needed.
- Jouni
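A small configuration lint that checks the points raised in this thread: Mohammad's rule of one crypto map per interface with the dynamic entry at the highest sequence number, Jouni's advice to keep NAT0 and each crypto map entry on their own ACL, and the remote-site gap where a crypto ACL flow (LAN to the VPN pool) has no matching NAT0 exemption. This is an added example over constructed config snippets, not a tool from the thread or from Cisco; the ACL names and the checker's function names are assumptions.

```python
# Lint an ASA crypto-map / NAT0 snippet for the mistakes discussed in this thread
# (added example over constructed configs; not Cisco tooling).
from collections import defaultdict

# Constructed: the remote-access dynamic entry was merged into IPSec_map, but
# the deleted transform-set is still referenced, a second map is bound to the
# same interface, and ACL 101 serves both NAT0 and the L2L crypto entry.
BROKEN_CONFIG = """
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map IPSec_map 10 match address 101
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map IPSec_map interface outside
crypto map outside_map interface outside
"""
# Constructed: separate ACLs per purpose as suggested, but the LAN -> VPN-pool
# flow in the crypto ACL has no NAT0 counterpart (the remote-site gap).
SITE_CONFIG = """
access-list INSIDE-NAT0 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
access-list 102 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map IPSec_map 10 match address 102
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map IPSec_map interface outside
"""

def parse(config):
    """Collect only the statements the checks below need."""
    c = {"ts": set(), "refs": {}, "dynamic": {}, "match": {}, "nat0": set(),
         "bound": defaultdict(list), "acl": defaultdict(set)}
    for t in (line.split() for line in config.strip().splitlines()):
        if len(t) < 4:
            continue
        if t[:2] == ["crypto", "map"] and t[3] == "interface":
            c["bound"][t[4].lower()].append(t[2])  # outside/Outside count as one
        elif t[:2] == ["crypto", "map"] and "dynamic" in t:
            c["dynamic"][(t[2], int(t[3]))] = t[t.index("dynamic") + 1]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            c["match"][(t[2], int(t[3]))] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "transform-set"]:
            c["refs"][f"{t[2]} {t[3]}"] = t[6]
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            c["refs"][f"dynamic-map {t[2]}"] = t[t.index("transform-set") + 1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"].add(t[3])
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            c["nat0"].add(t[4])
        elif t[:1] == ["access-list"] and "permit" in t:
            c["acl"][t[1]].add(tuple(t[t.index("permit") + 2:]))  # src, dst
    return c

def check(config):
    """Return findings as strings; an empty list means the snippet is clean."""
    c, out = parse(config), []
    for iface, maps in c["bound"].items():  # only one crypto map per interface
        if len(maps) > 1:
            out.append(f"{iface}: {len(maps)} crypto maps bound ({', '.join(maps)}); only one can be active")
    for (name, seq), dyn in c["dynamic"].items():  # dynamic entry must be evaluated last
        above = [s for n, s in c["match"] if n == name and s > seq]
        if above:
            out.append(f"{name} {seq}: dynamic entry {dyn} sits below static entries {above}")
    for where, ts in c["refs"].items():  # dangling transform-set references
        if ts not in c["ts"]:
            out.append(f"{where}: transform-set {ts} is not defined")
    exempt = set().union(*(c["acl"][a] for a in c["nat0"]))  # all NAT0-exempt flows
    for (name, seq), acl in c["match"].items():  # ACL reuse and missing NAT0 entries
        if acl in c["nat0"]:
            out.append(f"{name} {seq}: ACL {acl} is also the NAT0 ACL; use one ACL per purpose")
        for flow in sorted(c["acl"][acl] - exempt):
            out.append(f"{name} {seq}: no NAT0 exemption for {' '.join(flow)}")
    return out
```

Running `check(BROKEN_CONFIG)` reports three findings (two maps on one interface, the undefined ESP-3DES-SHA transform-set, and ACL 101 shared with NAT0); `check(SITE_CONFIG)` reports only the missing NAT0 entry for the 192.168.100.0/24 to 192.168.50.0/24 flow.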
03-23-2013 09:25 AM
Hi Mohammad,
Thanks for your reply.
My site to site VPN config and remote access VPN config are as below; please check them for me, thanks
>>>>>>>>>>>Site to Site VPN Configuration<<<<<<<<<<
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
tunnel-group 49.63.134.194 type ipsec-l2l
tunnel-group 49.63.134.194 ipsec-attributes
pre-shared-key Cisc0xVppN
crypto map IPSec_map 10 match address 101
crypto map IPSec_map 10 set peer 49.63.134.194
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
>>>>>>>>>>>>>Remote Access VPN Configuration<<<<<<<<<<<<<<
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
ip local pool ippool 192.168.50.10-192.168.50.40 mask 255.255.255.0
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
dns-server value 192.168.1.23 165.21.83.8
default-domain value Bravo.local
split-dns value Bravo.local
access-list splittun-vpngrup1 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun-vpngrup1
tunnel-group vpngroup1 type ipsec-ra
tunnel-group vpngroup1 general-attributes
address-pool ippool
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key Share@@K3i
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
username admin password P@ssw0rt#
Thanks,
Ko Htwe
03-24-2013 12:16 AM
Thanks Mohammad Abu Arja,
Now All are working fine.
Can you share some reference links for VPN and RADIUS authentication with domain authentication?
Thanks
Ko Htwe
03-28-2013 01:15 AM
Hi,
I have already created a site to site VPN (site 1 and site 2).
All are working fine.
Now I want to create a site to site VPN (site 3 and site 1).
I cannot access the remote site; when I configure it, I get the warning message below. Please help me check.
WARNING: The crypto map entry is incomplete!
The Site 1 and site 3 configs are attached; please check them for me.
http://www.sendspace.com/file/p8duww
Thanks, Ko Htwe
03-28-2013 01:33 AM
Hi Jouni,
I already added it but it still cannot; please check my config for me. Do I need to change something?
http://www.sendspace.com/file/5zh04p
Thanks,
Ko Htwe
03-28-2013 11:23 AM
Hi Jouni,
I already did, but it still cannot.
Now I cleared the VPN configuration for site 2 and site 3.
Then I reconfigured the VPN for site 2 and 3, and it also cannot.
Kindly check my config.
Site 3 IP config as below
Outside interface
ip address 203.117.160.62
Inside interface 192.168.0.1
The internet configuration is here
"
global (outside) 101 203.116.69.33
nat (inside) 101 192.168.0.0 255.255.255.0
static (inside,outside) 203.116.69.32 192.168.0.2 netmask 255.255.255.255
access-group outside_in in interface outside
"
For the full config please see the link http://www.sendspace.com/file/5mj9cw
Kindly advise me on the VPN config.
Thanks,
Ko Htwe
04-15-2013 11:36 PM
Hi,
The ASA to ASA site to site VPN has been working for over 3 weeks, but yesterday we tried to copy a 2GB file from site A to site B and then
the site to site VPN was automatically disconnected after 50 minutes. I have already disabled the VPN idle time as well.
Please advise me, thanks.
Ko Htwe
04-16-2013 01:11 AM
Hi,
There are sometimes these kinds of problems when the configured VPN lifetime values are too short, especially when the lifetime is set to 1h.
Can you share the following command output from both endpoints of the L2L VPN (if they are both ASAs and under your control)?
show run crypto
show crypto ipsec sa peer
Remove any public IP addresses before posting here.
- Jouni
04-16-2013 01:39 AM
Hi Jouni,
[Topology diagram: ASA1 (IP x.x.x.35) and ASA2 (IP x.x.x.34) each peer with the ASA at IP x.x.x.51]
Below is the information that you need, thanks
ASA2# show run crypto
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer x.x.x.194
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer x.x.x.51
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
ASA2# show crypto ipsec sa peer x.x.x.51
peer address: x.x.x.51
Crypto map tag: outside_map, seq num: 2, local addr: x.x.x.34
access-list outside_cryptomap_2 permit ip 192.168.120.0 255.255.255.0 192.168.100.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: x.x.x.51
#pkts encaps: 9327, #pkts encrypt: 9327, #pkts digest: 9327
#pkts decaps: 10447, #pkts decrypt: 10447, #pkts verify: 10447
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9327, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.34, remote crypto endpt.: x.x.x.51
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4B845946
inbound esp sas:
spi: 0xEFD6B91F (4023826719)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4372564/24842)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xEFF7DDFF 0xFFFBFFFF
outbound esp sas:
spi: 0x4B845946 (1266964806)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373395/24841)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
ASA1# show run crypto
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer x.x.x.51
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
ASA1# show crypto ipsec sa peer x.x.x.51
peer address: x.x.x.51
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.35
access-list outside_cryptomap_1 permit ip 192.168.110.0 255.255.255.0 192.168.100.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: x.x.x.51
#pkts encaps: 2095764, #pkts encrypt: 2095764, #pkts digest: 2095764
#pkts decaps: 1137433, #pkts decrypt: 1137433, #pkts verify: 1137433
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2095764, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.35, remote crypto endpt.: x.x.x.51
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C318E201
inbound esp sas:
spi: 0x80DF7DDA (2162130394)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 135, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4322832/24748)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xC318E201 (3273187841)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 135, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1495403/24747)
IV size: 16 bytes
replay detection support: Y
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
ASA3# sh run crypto
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer x.x.x.194
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer x.x.x.35
crypto map outside_map 2 set transform-set AES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer x.x.x.34
crypto map outside_map 3 set transform-set AES-SHA
crypto map outside_map 3 set reverse-route
crypto map outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
ASA3# show crypto ipsec sa peer x.x.x.34
peer address: x.x.x.34
Crypto map tag: outside_map, seq num: 3, local addr: x.x.x.51
access-list outside_cryptomap_3 permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
current_peer: x.x.x.34
#pkts encaps: 13547, #pkts encrypt: 13547, #pkts digest: 13547
#pkts decaps: 10967, #pkts decrypt: 10967, #pkts verify: 10967
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 13547, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.51, remote crypto endpt.: x.x.x.34
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: EFD6B91F
inbound esp sas:
spi: 0x4B845946 (1266964806)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 110592, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914308/24170)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xBFFFFFFF
outbound esp sas:
spi: 0xEFD6B91F (4023826719)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 110592, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3913179/24167)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA3# show crypto ipsec sa peer x.x.x.35
peer address: x.x.x.35
Crypto map tag: outside_map, seq num: 2, local addr: x.x.x.51
access-list outside_cryptomap_2 permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
current_peer: x.x.x.35
#pkts encaps: 1459726, #pkts encrypt: 1459726, #pkts digest: 1459726
#pkts decaps: 2468114, #pkts decrypt: 2468114, #pkts verify: 2468114
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1459727, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.51, remote crypto endpt.: x.x.x.35
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 80DF7DDA
inbound esp sas:
spi: 0xC318E201 (3273187841)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 118784, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (521843/24103)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFEF 0xFFDFFFFF
outbound esp sas:
spi: 0x80DF7DDA (2162130394)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 118784, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3849471/24102)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thanks,
Ko Htwe