09-09-2011 12:55 AM
Hello, I am experiencing some problem with an ASA-to-ASA site-to-site VPN connection. The VPN LAN-to-LAN is up and working well, but when one of the VPN peers goes down the ASA doesn't recognize the dead peer and doesn't put down the VPN connection and the corresponding SA, and consequently the ASA doesn't remove the injected remote LAN route from its routing table.
Please, I need some advice on how to put down the VPN when at least one peer is dead.
Thank you in advance.
Regards
angelo
09-09-2011 03:22 AM
Angelo,
Do you have isakmp keepalives enabled on both sides?
Please also note that IOS and ASA default behavior for RRI is different ;-)
I.e. default on IOS is to inject the route only if tunnel is up (IPsec SAs up).
Marcin
09-09-2011 03:33 AM
Hi Marcin, thanks for your reply.
Yes, I have enabled isakmp keepalive on both ASAs and they are set with the same parameters (isakmp keepalive 10 2).
Moreover, RRI is enabled in the crypto map on the ASA, so when the VPN is up the remote LAN routes are injected in the ASA routing table, but I expect that they should be put off when the VPN goes down. But the main problem is that the ASA doesn't put the VPN down even if the remote peer is dead.
Do you have any idea?
09-09-2011 03:58 AM
Angelo,
debug crypto isakmp
It will tell you whether the DPDs are in fact being exchanged, I suspect they might not ;-)
Can you share with me:
- sho ver
- show run tunnel-group
- sh run crypto
- show vpn-sessiondb detail l2l
Make sure you obfuscate all the sensitive info (IP addresses/keys/passwords).
M.
09-09-2011 07:28 AM
I'm looking at debug crypto and it seems that actually the ASA doesn't send and receive DPD packets; it happens on both ASAs. If it can help, the first ASA regularly sends and receives DPD packets with another VPN peer instead.
What does it depend on? Do you have any idea?
09-09-2011 09:20 AM
Angelo,
DPD type/version is something we negotiate in phase 1.
I think most implementations send DPDs only if no traffic is received back (note that IOS has a "periodic" setting which overrides it).
Marcin
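As an added illustration of the two points Marcin raises above (DPD being negotiated in phase 1, and ASA RRI behaving differently from IOS), here is a minimal ASA configuration for one side of the L2L tunnel. This is example configuration written for this thread, not Angelo's or Marcin's config; the addresses, object names and the pre-8.4 (IKEv1-only) command syntax are assumptions.

```cisco
! Added example, not from the thread. Addresses are constructed (RFC 5737/1918):
! local ASA outside 198.51.100.1, peer ASA outside 203.0.113.1,
! local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16. Object names are assumed.
!
! 1. Phase 1 policy. DPD is negotiated during this exchange, so BOTH peers
!    must have "isakmp keepalive" enabled with compatible values; if either
!    side has "isakmp keepalive disable", no DPD is sent at all, which is
!    exactly what "debug crypto isakmp" showed in this thread.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! 2. Tunnel group with DPD: send R-U-THERE after "threshold" seconds with
!    no traffic from the peer, retry every "retry" seconds, and tear the
!    tunnel down when the peer stops answering.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <REPLACE-WITH-REAL-KEY>
 isakmp keepalive threshold 10 retry 2
!
! 3. Crypto map with RRI. On ASA "set reverse-route" installs the remote
!    LAN as a static route based on the crypto ACL; as the thread confirms,
!    the route is NOT withdrawn when the SA is torn down (unlike the IOS
!    default), so anything redistributing it (here EIGRP) keeps seeing it.
access-list L2L_TO_SITE2 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_SITE2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
!
! 4. Checks after the remote peer is taken down: the L2L session should be
!    gone, while the RRI route for 10.2.0.0/16 is still present.
!   show vpn-sessiondb detail l2l
!   show route | include 10.2.0.0
```

The last two lines are the checks that separate the two symptoms in this thread: a session that never clears points at DPD not being negotiated, while a cleared session with the route still present is the ASA RRI behaviour Marcin describes.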
09-13-2011 11:09 PM
Hi Marcin,
I did some tests in the last days. The situation now is that both ASAs actually exchange DPD packets and when one peer goes down the VPN does too, but the problem now is that when the ASA puts the VPN down it doesn't also put off from the routing table the remote VPN routes injected by RRI. It's important for me to have those routes down for VPN failover, because they are announced on the internal EIGRP instance.
Do you know if there is some way to make ASA put off RRI routes?
thank you very much in advance.
Regards angelo
09-14-2011 12:21 AM
Angelo,
I'm afraid that I don't have good news on RRI.
There's an enhancement request open forever to have same functionality on ASA and IOS:
Marcin
09-14-2011 12:37 AM
Thank you Marcin, I already supposed that, I heard some rumors about that issue.
I am thinking of trying to solve my problem with OSPF unicast over the IPsec VPN tunnel between both ASAs. Do you know if it works well?
09-14-2011 12:46 AM
Angelo,
Yes, it works fairly; in my experience it doesn't really work well for more advanced scenarios, but we got it working between two and more ASAs.
Marcin
09-14-2011 12:49 AM
Ok Marcin,
I will try with it.
thanks a lot.
bye
angelo