05-07-2009 02:58 PM - edited 02-21-2020 04:13 PM
Hi NetPro,
My l2l VPN tunnel between ASA and IOS drops randomly about every 23 hours. It takes up to 15 minutes for the tunnel to be reestablished. 'Debug Cryp isakmp' on the 1841 router shows the negotiation is taking place all the time during these 15 minutes. Can you please explain the logs?
IOS is configured as below. DMVPN hub is also configured on this router.
----
crypto keyring Global
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxxxxxxxxxxxxxxxx
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto isakmp keepalive 600
crypto isakmp nat keepalive 10
crypto isakmp profile DMVPN
 keyring Global
 match identity address 0.0.0.0
crypto isakmp profile l2l
 keyring Global
 match identity address A.A.A.A 255.255.255.255
 keepalive 600 retry 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ppx_vpn esp-3des esp-md5-hmac
crypto ipsec transform-set dmvpn-tran esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile vpnprof
 set security-association lifetime seconds 3600
 set transform-set dmvpn-tran
 set isakmp-profile DMVPN
!
!
crypto map spicers_vpn 10 ipsec-isakmp
 set peer A.A.A.A
 set security-association idle-time 86400
 set transform-set ppx_vpn
 set isakmp-profile l2l
 match address VPNTunnel
---------------------------
Thanks in advance.
Larry
05-14-2009 06:14 AM
When VPN Client drops connection frequently you may receive the following error:
"Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool" or "VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by peer. Reason 433."
The problem might be with the IP pool assignment either through ASA/PIX or Radius server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the proper IP addresses to the clients.
05-14-2009 01:19 PM
Hi,
Thanks for your response. This is a site2site tunnel.
The problem was solved by having a separate keyring for each ISAKMP profile.
Cheers.
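What the fix in the reply above looks like against the original config, as an added illustration rather than the poster's actual final configuration. Keyring names (DMVPN-KEYS, L2L-KEYS) and the two key placeholders are assumed; the wildcard entry stays only in the DMVPN keyring, so the l2l peer A.A.A.A is keyed and matched solely through its own keyring and profile.

```cisco
! Added example: one keyring per ISAKMP profile (not the original poster's config)
! Keyring names and key values are assumed placeholders
crypto keyring DMVPN-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key <dmvpn-psk>
crypto keyring L2L-KEYS
 pre-shared-key address A.A.A.A 255.255.255.255 key <l2l-psk>
!
crypto isakmp profile DMVPN
 keyring DMVPN-KEYS
 match identity address 0.0.0.0
!
crypto isakmp profile l2l
 keyring L2L-KEYS
 match identity address A.A.A.A 255.255.255.255
 keepalive 600 retry 10
```

The rest of the original config (policy, transform sets, IPsec profile, crypto map) is unchanged; only the keyring references inside the two profiles differ from the thread's original.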