06-26-2007 07:35 AM
Hi all,
We're using a s2s VPN between two offices, using an 876 DSL router and an ASA firewall.
The VPN drops about 15 times a day, while Internet is still going strong.
We updated the IOS on the 876 to:
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
It had a much older version.
I'm wondering if using two ASAs would be better than using a router and an ASA to establish a s2s VPN.
I'm looking for some input from the experts...
Best regards
06-27-2007 01:23 AM
Hi,
You can choose any product you like (router, PIX, ASA, VPN concentrator). All will do fine as per the design and based on your network setup.
The question here is why the VPN drops about 15 times a day. Since you have not posted the config details, I would suggest you increase the value of the 'isakmp keepalive' parameter.
06-27-2007 04:53 AM
Hello Michael,
Whatever it is, as mentioned in the previous post by Jaffer, the tunnel should not get dropped.
I would like to see the output of the following from the ASA:
sh vpn-sessiondb l2l
And "sh cry ipsec sa" from the router and the ASA after the tunnel gets established.
We can go from there, after that.
Thanks
Gilbert
06-27-2007 06:07 AM
Hi,
@jaffer.
I changed:
---
crypto isakmp policy 10
lifetime 28800
---
to
---
crypto isakmp policy 10
lifetime 86400
---
Funny thing is when I do a sh run, the lifetime is not shown anymore.
So I don't know if it is using the new value.
@gilbert
Doing a sh vpn-sessiondb l2l results in the following:
Session Type: LAN-to-LAN
Connection : xx.127.123.153
Index : 2 IP Addr : xx.127.123.153
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : SHA1
Bytes Tx : 94933 Bytes Rx : 54618
Login Time : 05:23:16 UTC Wed Jun 27 2007
Duration : 0h:21m:51s
Filter Name :
I included the other results in the attachments.
Best regards and thank you both for taking the time to respond.
06-27-2007 07:03 AM
"sh cry isa policy" on a router will tell you the default policy and the configured policies along with their lifetimes. :)
If it is default, you would not see that on the configuration.
According to the output you sent, the VPN has been up for almost 21 minutes now and there is a lifetime left of about 30 minutes on the keys.
"debug cry isa 190" and "deb cry ipsec 190" from the ASA, and "deb cry isa" & "deb cry ipsec" from the router. These two debugs, when turned on, will tell you when the tunnel is renegotiating, and when the drop happens they will tell you what happens at the time.
Those are lots of debugs, so if you have a syslog server, please send the debugs to the syslog server. Then look at the debugs to see when it fails and whether there are any messages that reveal the failure.
Thanks
Gilbert
06-27-2007 07:04 AM
Also, can you copy and paste the output of
sh run all group-policy
Thanks
Gilbert
06-27-2007 07:36 AM
Gilbert,
"sh cry isa policy"
Shows the new timeout perfectly, good tip, thx.
So next for me to do is:
On ASA:
"debug cry isa 190"
"deb cry ipsec 190"
On RTR:
"deb cry isa"
"deb cry ipsec"
And have them both log the messages to a syslog server, right?
I'll set one up in the meantime.
Best regards
06-27-2007 10:47 AM
So in the group policy, you have an idle timeout of 30 ("vpn-idle-timeout 30"). See if you can change it to something else and whether the problem goes away.
Thanks
Gilbert
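The settings the thread circles around (the ASA group-policy idle timeout Gilbert flagged, the ISAKMP keepalive Jaffer suggested, and the phase 1 lifetime Michael changed on the 876) collected into one configuration example. This is added here as an illustration, not configuration posted by anyone in the thread or verified on Michael's devices. It assumes the L2L tunnel falls under the default group policy (DfltGrpPolicy) and uses PEER_IP as a placeholder for the router's public address; confirm the policy actually bound to the tunnel with "sh run all group-policy" before changing anything.

```cisco
! ===== ASA side (added example, not from the thread) =====
!
! Setting from the thread: after 30 minutes without interesting traffic
! the ASA tears the tunnel down. Default value, so it may not show in
! "sh run" but does show in "sh run all group-policy".
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
!
! Candidate change for a site-to-site tunnel: disable the idle timeout so
! only a real failure or a rekey ends the SA, never plain inactivity.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
!
! Dead Peer Detection on the ASA is set per tunnel-group: probe the peer
! every 10 seconds and declare it dead after 2 unanswered probes.
! PEER_IP is a placeholder for the 876's public address.
tunnel-group PEER_IP ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! ===== 876 router side, Cisco IOS (added example, not from the thread) =====
!
! Phase 1 lifetime matching the value Michael set; 86400 is also the IOS
! default, which is why "sh run" stops showing the line while
! "sh cry isa policy" still reports it.
crypto isakmp policy 10
 lifetime 86400
!
! Periodic DPD: keepalive every 10 seconds, 3 retries, so a dead peer is
! detected and the tunnel rebuilt instead of sitting half-open until the
! next rekey.
crypto isakmp keepalive 10 3 periodic
```

After applying a change, keep the syslog-based debug capture Gilbert described running and count how often "sh vpn-sessiondb l2l" shows a fresh Login Time over a day; if the drop count stays at roughly 15 with the idle timeout disabled, the idle timer was not the cause and the debug output around each drop is the next thing to read.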