Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1083
Views
4
Helpful
2
Replies

IPSec Tunnel Drop for 15 Minutes

Chuan Liu
Level 1
Level 1

‎05-07-2009 02:58 PM - edited ‎02-21-2020 04:13 PM

Hi NetPro,

My l2l VPN tunnel between ASA and IOS drops randomly about every 23 hours. It takes upto 15 minutes for the tunnel to be reestablished. 'Debug Cryp isakmp' on the 1841 router shows the negotiation is taking place all the time during this 15 minutes. Can you please explain the logs?

IOS is configured as below. DMVPN hub is also configured on this router.

----

crypto keyring Global

pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxxxxxxxxxxxxxxxx

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxxxxxxxxxxxxx address A.A.A.A

crypto isakmp keepalive 600

crypto isakmp nat keepalive 10

crypto isakmp profile DMVPN

keyring Global

match identity address 0.0.0.0

crypto isakmp profile l2l

keyring Global

match identity address A.A.A.A 255.255.255.255

keepalive 600 retry 10

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set ppx_vpn esp-3des esp-md5-hmac

crypto ipsec transform-set dmvpn-tran esp-3des esp-sha-hmac

crypto ipsec df-bit clear

crypto ipsec nat-transparency spi-matching

!

crypto ipsec profile vpnprof

set security-association lifetime seconds 3600

set transform-set dmvpn-tran

set isakmp-profile DMVPN

!

!

crypto map spicers_vpn 10 ipsec-isakmp

set peer A.A.A.A

set security-association idle-time 86400

set transform-set ppx_vpn

set isakmp-profile l2l

match address VPNTunnel

---------------------------

Thanks in advance.

Larry

Labels:
Preview file
34 KB
0 Helpful
2 Replies 2

a-vazquez
Level 6
Level 6

‎05-14-2009 06:14 AM

When VPN Client drops connection frequently you may receive the following error:

"Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool" or "VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by tier. Reason 433."

The problem might be with the IP pool assignment either through ASA/PIX or Radius server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the proper IP addresses to the clients.

Chuan Liu
Level 1
Level 1
In response to a-vazquez

‎05-14-2009 01:19 PM

Hi,

Thanks for your response. This is a site2site tunnel.

The problem was solved by having a separate keyring for each ISAKMP profile.

Cheers.

0 Helpful
Customers Also Viewed These Support Documents