Hello all,
I have noticed a problem recently that our Remote Access VPN will randomly stop working. I will be able to connect and enter my Username+Password and it says Connected, but I cannot ping Remote Resources. If I check VPN Client Statistics, it shows Many Packets Sent/Encrypted, but None Received. It seems this problem affects all devices at once, but leaves the L2L tunnels intact.
It seems to randomly start working for a while, and everything seems fine until it stops working again.
I verified that it is not a firewall problem, and it occurs on multiple ISPs and computers.
We also have 2 Static L2L Tunnels, and 1 Dynamic L2L Tunnel all of which operate flawlessly. All sites/remote users use split tunneling.
Below is the config, please let me know if something seems off! Fyi, I just added the keepalives on the RA Tunnel to see if it would help, I haven't noticed any difference yet.
ASA Version 8.0(2)
!
hostname HQ-ASA5505
domain-name xxxxx.local
enable password xxxxxx
names
name 192.168.9.50 trixbox
name 192.168.9.51 trixbox2 description virtual
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.9.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxx
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server xxxxxxx
name-server xxxxxxxx
domain-name xxxxx.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 101 extended permit icmp any any
access-list split standard permit 192.168.0.0 255.255.0.0
access-list to_static1 extended permit ip 192.168.0.0 255.255.0.0 192.168.14.0 255.255.255.0
access-list to_static2 extended permit ip 192.168.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list RTP extended permit udp any any range 10000 20000
access-list RTP extended permit tcp any any range 10000 20000
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RA-Pool 192.168.99.1-192.168.99.126 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address to_static1
crypto map outside_map 10 set peer xxxxx
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address to_static2
crypto map outside_map 11 set peer xxxxx
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.9.101-192.168.9.199 inside
dhcpd dns 192.168.9.2 208.67.222.222 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd option 66 ip trixbox interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect sip default_sip
parameters
max-forwards-validation action drop log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect rtsp
inspect sip default_sip
!
service-policy global_policy global
group-policy xxxxx internal
group-policy xxxxx attributes
dns-server value 192.168.9.2 208.67.222.222
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value xxxxx.local
nem enable
username user password xxxxxxxxxx encrypted privilege 0
username user attributes
vpn-group-policy xxxxx
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group xxxxx type remote-access
tunnel-group xxxxx general-attributes
address-pool RA-Pool
default-group-policy xxxxx
tunnel-group xxxxx ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group xxxxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxxx ipsec-attributes
pre-shared-key *
tunnel-group xxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxx ipsec-attributes
pre-shared-key *
prompt hostname context
Many thanks in advance!!
