IPSec VPN disconnects intermittently

jon.mcknight

I keep having a problem with my IPsec VPN: it drops out at random times. Sometimes it stays connected for 20 minutes and then disconnects; other times it stays connected for 3 hours and then drops out.

I think it has something to do with the SA expiring.

Also, I seem to remember seeing something about ISAKMP running out of keys. 

I am kind of at an impasse, so I am attaching my config below.

Any ideas would be welcome.

Thanks

: Saved

:

! Running-config as pasted in the post. The ASA masks pre-shared keys (shown as *);
! everything else is as posted.
ASA Version 8.2(1)

!

hostname ciscoasa

names

! Symbolic names used below: highVPN anchors the VPN1-Addys pool, LowInside7 is
! referenced by the (inactive) outside ACL entry.
name 192.168.1.96 highVPN

name 192.168.1.8 LowInside7

!

! VLAN 1 = trusted LAN, 192.168.1.0/24. Two of the VPN address pools further down
! (VPNDot1, VPN1-Addys) are carved out of this same subnet.
interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

! VLAN 2 = Internet-facing; address and default route come from the ISP via DHCP (setroute).
interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

! Only Ethernet0/0 is moved to VLAN 2 (outside). The remaining ports carry no vlan line,
! so presumably they sit in VLAN 1 (inside) by default - confirm on the box.
interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

! Allows traffic to enter and leave the same interface; this is what lets VPN clients be
! hairpinned back out of outside (see "nat (outside) 1 192.168.2.0" below).
same-security-traffic permit intra-interface

! Service/protocol object groups. Slingbox and TCPUDP are not referenced by any ACL visible here.
object-group service Slingbox tcp-udp

description Slingbox

port-object range 5001 5004

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object esp

protocol-object ah

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object esp

protocol-object ah

object-group service NAT-T tcp-udp

description NAT-T

port-object eq 4500

object-group service DM_INLINE_UDP_1 udp

group-object NAT-T

port-object eq isakmp

! NAT0OUT / NAT0IN: NAT exemption for VPN-client <-> LAN traffic. The 192.168.1.0 <-> 192.168.1.0
! entries exist because the VPNDot1 and VPN1-Addys pools live inside the inside subnet itself.
access-list NAT0OUT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NAT0OUT extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

! inside_access_in: the "permit ip any any" line makes every preceding icmp/tcp/udp line
! redundant; the list is effectively permit-all from the LAN.
access-list inside_access_in extended permit icmp any any echo-reply

access-list inside_access_in extended permit icmp any any source-quench

access-list inside_access_in extended permit icmp any any time-exceeded

access-list inside_access_in extended permit icmp any any unreachable

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in remark Allowing all protocol 50/esp and 51/ah

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

! outside_access_in: "permit icmp any any" admits every ICMP type from the Internet toward
! inside hosts (after NAT). The inside list's pattern (echo-reply, unreachable, time-exceeded)
! would be the tighter choice for an Internet-facing interface.
access-list outside_access_in extended permit icmp any any

! Inactive - not evaluated.
access-list outside_access_in extended permit ip any LowInside7 255.255.255.248 inactive

! NOTE(review): IKE/ESP/NAT-T traffic addressed to the ASA's own outside address terminates on
! the box and is not filtered by the interface ACL, so the three permits below do not appear
! to be needed for the remote-access VPN - confirm before removing. As written they also
! allow ESP/AH and UDP 500/4500 *through* the ASA toward any inside host.
access-list outside_access_in remark Allowing all protocol 51/ah and 50/esp

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any

access-list outside_access_in remark Allowing udp port 500 and udp/tcp port 4500

access-list outside_access_in extended permit udp any any object-group DM_INLINE_UDP_1

access-list NAT0IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NAT0IN extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

! Logging: only the ASDM buffer (informational) and flash buffer-wrap are configured; no
! "logging buffered" or syslog destination is visible. For the intermittent drops described
! in the post, a retained log level that captures the IKE/IPsec tunnel-teardown messages is
! the first thing to add - the teardown reason is otherwise lost.
logging enable

logging asdm informational

logging flash-bufferwrap

mtu inside 1500

mtu outside 1500

! Address pools. VPNDot1 and VPN1-Addys sit inside 192.168.1.0/24 (the inside interface
! subnet); VPN-Addys is a separate /24 that NAT0IN/NAT0OUT exempt from translation.
ip local pool VPNDot1 192.168.1.30-192.168.1.50

ip local pool VPN-Addys 192.168.2.1-192.168.2.254 mask 255.255.255.0

ip local pool VPN1-Addys highVPN-192.168.1.110 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

! Outbound PAT to the outside interface address for the LAN (nat (inside) 1) and for VPN
! clients hairpinning to the Internet (nat (outside) 1); the nat 0 entries exempt LAN<->VPN.
global (outside) 1 interface

nat (inside) 0 access-list NAT0IN

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list NAT0OUT

nat (outside) 1 192.168.2.0 255.255.255.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

! Idle timeouts for through-the-box connections (1h TCP, 2 min UDP). IKE/ESP sessions that
! terminate on the ASA itself are not entries in this connection table, so these should not
! be what tears the tunnel down - verify against the logs rather than assume.
timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

! ASDM/HTTPS management. "http 0.0.0.0 0.0.0.0 outside" exposes the management interface to
! any Internet source. Restrict it to known management addresses or remove it; with
! "management-access inside" set below, ASDM can be reached through the VPN instead.
http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

! Disables proxy ARP on inside. NOTE(review): VPN clients assigned addresses from the on-subnet
! pools (VPNDot1, VPN1-Addys) normally rely on the ASA answering ARP for them on inside; with
! proxy ARP off, LAN hosts may be unable to reach those clients - verify.
sysopt noproxyarp inside

! Phase 2 transform sets. The DES and MD5 variants are weak; keep them only while a legacy
! client genuinely needs them, and drop them from the dynamic-map proposal list otherwise.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

! Global Phase 2 lifetimes: 8 hours / 4.6 GB. Overridden for the dynamic map below.
crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

! PFS with DH group 1 (768-bit MODP) is weak; group 2 or group 5 is available on this release.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

! Proposal order offered to clients. The DES/MD5 sets are last but are still accepted if a
! client proposes only those.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

! These overrides replace the 8h/4.6GB lifetimes with ~68 years / ~2 TB, i.e. Phase 2 never
! rekeys on the ASA side. The negotiated lifetime is the lower of the two peers' values, so a
! client's own setting still governs; never rekeying also keeps one key in use for the whole
! tunnel life. The post's suspicion that SA expiry causes the drops is not supported by the
! ASA side of this config.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 2147482800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 2000000000

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

! Trustpoint for the on-box CA.
crypto ca trustpoint LOCAL-CA-SERVER

keypair LOCAL-CA-SERVER

crl configure

! Self-signed identity certificate; referenced by tunnel-group USA's ipsec-attributes below.
crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn j.null

email

subject-name CN=jojo.null

proxy-ldc-issuer

crl configure

! Local CA server with a 2048-bit key; issuer CN matches the self-signed trustpoint's subject.
crypto ca server

keysize 2048

keysize server 2048

issuer-name CN = jojo.null

smtp from-address admin@ciscoasa.null

! DER of the local CA certificate. Decoding the visible bytes: 2048-bit RSA key, signature
! algorithm OID 1.2.840.113549.1.1.4 (md5WithRSA), validity 110506232959Z-140505232959Z
! (2011-05-06 to 2014-05-05). NOTE(review): confirm the decode with a certificate tool.
crypto ca certificate chain LOCAL-CA-SERVER

certificate ca 01

    30820308 308201f0 a0030201 02020101 300d0609 2a864886 f70d0101 04050030

    15311330 11060355 0403130a 206a6f6a 6f2e6e75 6c6c301e 170d3131 30353036

    32333239 35395a17 0d313430 35303532 33323935 395a3015 31133011 06035504

    03130a20 6a6f6a6f 2e6e756c 6c308201 22300d06 092a8648 86f70d01 01010500

    0382010f 00308201 0a028201 0100d720 9d55724b ab480209 a5344454 3f619fee

    3491d5ab ec4e6bc9 d5091f66 b8376085 02d40743 bd5cb047 a6b5dfc3 744386f3

    cd1d7ca1 bf8660d0 9519b491 9e524c70 3e5ab9bf 59f7190a afaa8ea0 41992a30

    ef93703c 4304a1a8 37683b0e 53f6ef4a b04fef26 1e6b0563 7276a282 67f8ff66

    7654fd82 be628a75 b61153a3 8357630a f1fce208 3f19fbde 58008381 2159d2e5

    fa96bfc5 ebf0d597 29e81a22 60f5ab2c 78cbf6af 2d91a752 efc493ef 872949e8

    082b27a9 43c28b0f 2cec98e0 3574903d 11b6367f 39ee4f14 788ae013 cbc54a9c

    5920a0a3 06180f94 ce5701ae 04867d56 43b760c8 02094441 6b8fed00 1767adfe

    52e7c509 94814148 9459a0dd 6e870203 010001a3 63306130 0f060355 1d130101

    ff040530 030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304

    18301680 1465526f b6718dcc b384abe2 f57a157c 362d31eb fa301d06 03551d0e

    04160414 65526fb6 718dccb3 84abe2f5 7a157c36 2d31ebfa 300d0609 2a864886

    f70d0101 04050003 82010100 482fd0bd a57e7ae3 6651b890 288f648f a2211cba

    4cb1c3e3 b3ee3d40 7d95fb58 40408712 a21d5338 020329df 46792f78 30bdf7e0

    5332ea73 67dbf163 58620147 e23b1eb8 d969ebf5 51898e9c b6a08f8e f7db981a

    42ba783b 2ca219e3 8a51ce16 e03adffa 8b9830b6 47105412 6f0381ff 12776967

    733097c3 71b9073f bd762298 6ffc67ae 5c120030 c65b8d01 250c53a9 bfc565cb

    df0e8df0 65f78932 4c184e98 621d0aca f30e2c1e 11e590ab 568d8a10 8b3f09f6

    effc6110 98d6605a dcdf3913 01495cbc a5b5aee9 0b886fdb 6d122224 265f0414

    06e74e40 081120f6 b52c95ee 0c37cd10 bf930af5 d1621ca6 8cf9492f 41a60a92

    1396609f f345e5d2 9d5e84e7

  quit

! DER of the self-signed identity certificate. Decoding the visible bytes: 1024-bit RSA
! modulus, also md5WithRSA, validity 110506233313Z-210503233313Z. A 1024-bit key is below
! current minimums; regenerate with a 2048-bit key (and a SHA-family signature where this
! release allows it). NOTE(review): confirm the decode with a certificate tool.
crypto ca certificate chain ASDM_TrustPoint0

certificate 3985c44d

    30820238 308201a1 a0030201 02020439 85c44d30 0d06092a 864886f7 0d010104

    0500302e 31123010 06035504 0313096a 6f6a6f2e 6e756c6c 31183016 06092a86

    4886f70d 01090216 096a6f6a 6f2e6e75 6c6c301e 170d3131 30353036 32333333

    31335a17 0d323130 35303332 33333331 335a302e 31123010 06035504 0313096a

    6f6a6f2e 6e756c6c 31183016 06092a86 4886f70d 01090216 096a6f6a 6f2e6e75

    6c6c3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c9

    9f90115f 101053ee 2365d190 5c82153e 17cbde48 d4c1e28e 92f469a6 4cd722d7

    19c3fdab cea223ed 6284735d ebabd998 78289e4d 163a0068 ecf6095d 16a82364

    65e0eb7f bb65f5a1 93c3cf8d 3b236068 88d955fc 4d5c9e74 3bf4cc45 4aa6782b

    f6c5bd9e cd05a655 8aa03177 be239b47 c49c8923 3df51b86 ca569ef0 473c4d02

    03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f

    0101ff04 04030201 86301f06 03551d23 04183016 8014d559 7228f5a3 48738889

    532dd9d6 9b23b853 4828301d 0603551d 0e041604 14d55972 28f5a348 73888953

    2dd9d69b 23b85348 28300d06 092a8648 86f70d01 01040500 03818100 62de42b5

    aa6e132c cc60ec2c d878c5a1 02eccd4c bba88dd7 38fdab7f 2fe86ca4 7d9dbccf

    727740a0 00425665 46e561cb d4c434d0 f5de3c6b cecac0a9 903e08bd d731e641

    802f47ff 3d40edef d6865205 d26a5ecd 0ce8eccb 72fdfa41 a2016360 7b70249b

    c82d9f7c 3e0847c9 88ad251a 256ccff4 b25f2453 e5eac57f 2aeba0ee

  quit

! ISAKMP listens on inside as well as outside. NOTE(review): the inside listener is only needed
! if peers initiate from the LAN side - consider removing it if nothing does.
crypto isakmp enable inside

crypto isakmp enable outside

! The only Phase 1 policy: pre-shared key, DES, MD5, DH group 2. DES and MD5 are weak; add a
! stronger policy (e.g. aes / sha / group 2 or 5) at a lower sequence number and keep policy 10
! only while legacy clients still need it.
crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

! No Phase 1 rekey at all. Together with the dynamic-map lifetime overrides above, nothing on
! the ASA side expires a tunnel on a timer.
lifetime none

! NAT-T keepalive interval raised from the 20 s default to 3600 s. A NAT device in front of a
! client typically ages out an idle UDP/4500 mapping well within an hour; once it does, ESP
! from the ASA no longer reaches the client and the tunnel appears to drop at random times.
! This is the strongest candidate in this config for the symptom in the post - try the
! default (20) or any value below the NAT's UDP idle timeout.
crypto isakmp nat-traversal 3600

! Sends a disconnect reason to the client on teardown; helps the diagnosis above.
crypto isakmp disconnect-notify

! Management plane: telnet/SSH idle timeouts of 5 minutes; SSH only from the VPN-Addys client
! range (192.168.2.0/24) arriving on inside; the console never times out (0).
telnet timeout 5

ssh 192.168.2.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

! Lets VPN clients reach the inside interface address for management (ASDM/SSH).
management-access inside

dhcpd auto_config outside

!

! LAN DHCP: 192.168.1.5-20, public resolvers handed out.
dhcpd address 192.168.1.5-192.168.1.20 inside

dhcpd dns 208.67.220.220 208.67.222.222 interface inside

dhcpd enable inside

!

! Basic threat detection and ACL statistics on; tcp-intercept statistics off.
threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

! Single NTP server, no NTP authentication configured. Accurate time matters for the
! certificate validity windows above.
ntp server 17.151.16.23 source inside prefer

! SSL VPN listener enabled on outside with an AnyConnect 2.4 image, yet every group-policy
! below allows only "vpn-tunnel-protocol IPSec", so this listener appears unused - consider
! disabling it. It presumably shares TCP 443 on outside with the ASDM "http ... outside" entry.
webvpn

enable outside

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1

! Default group policy: no idle timeout, IPsec only, clients may cache passwords
! (password-storage enable), PFS and IPsec-over-UDP on. "vpn-idle-timeout none" /
! "vpn-session-timeout none" recur in every policy below, so ASA-side session timers cannot
! be what drops the sessions described in the post.
group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

vpn-tunnel-protocol IPSec

password-storage enable

pfs enable

ipsec-udp enable

! USDot1: addresses from the on-subnet VPNDot1 pool; users are locked to this group.
group-policy USDot1 internal

group-policy USDot1 attributes

dns-server value 208.67.220.220 208.67.222.222

vpn-tunnel-protocol IPSec

password-storage enable

group-lock value USDot1

pfs enable

ipsec-udp enable

address-pools value VPNDot1

! US-Based-IP: addresses from VPN-Addys (192.168.2.0/24) via its tunnel-group; re-xauth off.
group-policy US-Based-IP internal

group-policy US-Based-IP attributes

dns-server value 208.67.222.222 208.67.220.220

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol IPSec

password-storage enable

re-xauth disable

group-policy US1 internal

group-policy US1 attributes

dns-server value 208.67.222.222 208.67.220.220

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol IPSec

pfs enable

ipsec-udp enable

! USA: "re-xauth enable" re-prompts for XAUTH on Phase 1 rekey. With "lifetime none" in the
! ISAKMP policy the ASA never initiates that rekey, so it only triggers if the client does.
group-policy USA internal

group-policy USA attributes

dns-server value 208.67.222.222 208.67.220.220

vpn-idle-timeout none

vpn-session-timeout none

password-storage enable

re-xauth enable

! Local users. No hash follows "password encrypted" in this paste - presumably removed before
! posting; the stored hashes are secrets regardless. "password-storage enable" lets the client
! cache the user's password on the endpoint.
username testcount password encrypted

username testcount attributes

vpn-group-policy USA

vpn-idle-timeout none

vpn-session-timeout none

password-storage enable

group-lock value USA

username testman password encrypted

username testman attributes

vpn-group-policy USA

group-lock value USA

username j password encrypted

username j attributes

vpn-group-policy US-Based-IP

vpn-tunnel-protocol IPSec

password-storage enable

group-lock value US-Based-IP

! Remote-access tunnel groups. Pre-shared keys are masked (*) by "show running-config"; the
! real keys are not in this paste.
tunnel-group US-Based-IP type remote-access

tunnel-group US-Based-IP general-attributes

address-pool VPN-Addys

default-group-policy US-Based-IP

tunnel-group US-Based-IP ipsec-attributes

pre-shared-key *

! DPD (isakmp keepalive) disabled here and for USA, but left at its default for US1 and
! USDot1. NOTE(review): with keepalives on and the 3600 s NAT-T interval above, a NAT mapping
! that times out makes DPD fail and the ASA tears the tunnel down - which would look exactly
! like the random drops reported. Check which tunnel-group the affected user lands in.
isakmp keepalive disable

tunnel-group US1 type remote-access

tunnel-group US1 general-attributes

address-pool VPN1-Addys

default-group-policy US1

tunnel-group US1 ipsec-attributes

pre-shared-key *

tunnel-group USDot1 type remote-access

tunnel-group USDot1 general-attributes

address-pool VPNDot1

tunnel-group USDot1 ipsec-attributes

pre-shared-key *

tunnel-group USA type remote-access

tunnel-group USA general-attributes

address-pool VPN-Addys

default-group-policy USA

tunnel-group USA ipsec-attributes

pre-shared-key *

! Uses the self-signed 1024-bit / md5WithRSA certificate from ASDM_TrustPoint0 (see decode
! note on the certificate chain above).
trust-point ASDM_TrustPoint0

isakmp keepalive disable

!

!

prompt hostname context

! Integrity hash the ASA computes over this running-config.
Cryptochecksum:a421dcbd2de372219b9490291445b6eb

: end

! ASDM-maintained lines emitted after ": end".
asdm location highVPN 255.255.255.240 inside

asdm history enable
