cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
configure & troubleshoot anyconnect
1319
Views
0
Helpful
0
Replies
Highlighted

Site to Site VPN issue between ASA 5515 and Mcafee (Sidewinders) Firewall.

We have a site to site VPN with our business partner. Site A is 5515 and site B is mcafee (sidewinders ) firewall.

Randomly the VPN will drop and application will stop working. All applications are running from Site A (where 5515 is residing)

Sometimes the application fails even  though the VPN is up. What is odd is if I reset the VPN on ASA and mcafee side the application will start working after restarting the application.

Also the performance of the application is not good. I tried adjusting the sysopt mss but it did not help.

I am not sure what is wrong with this configuration.

I was wondering if u guys have any advice?

NOTE: The application is TCP based and does a lot of writes on the other side of the VPN (Site B) to the oracle database server.

I was also wondering what is the purpose of timeout tcp-proxy-reassembly 0:01:00

Here is the ASA config.

ASA Version 8.6(1)

!

hostname as-ciscoasa-5515

domain-name xxxsystems.com

enable password IwcadQrUfCKovNfC encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description Outside Interface of new firewall

nameif outside

security-level 0

ip address xx.13.8.50 255.255.255.248

!

interface GigabitEthernet0/1

description inside interface of new firewall

nameif inside

security-level 100

ip address 192.168.207.254 255.255.255.0

!

interface GigabitEthernet0/2

description DMZ interface for Web & Ftp server

nameif dmz

security-level 50

ip address 10.168.1.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

description Out of Band Management Interface

nameif management

security-level 90

ip address 192.168.1.1 255.255.255.0

management-only

!

!

time-range 24x7

!

banner login *********************************************************

banner login  THIS SYSTEM IS FOR xxxx SYSTEMS INC. USE ONLY !!!!!

banner login  Unauthorized access to and/or use of this computer system    

banner login  is violation of law and is punishable under provisions of            

banner login  applicable statutes.  Use of this system constitutes consent    

banner login to security testing and monitoring.                                             

banner login *********************************************************

banner asdm *********************************************************

banner asdm  THIS SYSTEM IS FOR xxxx SYSTEMS INC. USE ONLY !!!!!

banner asdm  Unauthorized access to and/or use of this computer system    

banner asdm  is violation of law and is punishable under provisions of            

banner asdm  applicable statutes.  Use of this system constitutes consent    

banner asdm to security testing and monitoring.                                             

banner asdm *********************************************************

boot system disk0:/asa861-smp-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 68.115.71.53

name-server 24.196.64.53

domain-name xxxxystems.com

object network dotsubnet218

subnet 10.147.218.0 255.255.254.0

object network dotsubnet4

subnet 10.147.4.0 255.255.255.0

object network dotsubnet50

subnet 10.147.50.0 255.255.254.0

object network dotsubnet7

subnet 10.147.7.0 255.255.255.0

object network dotsubnet90

subnet 10.147.90.0 255.255.254.0

object network inside-network

subnet 192.168.207.0 255.255.255.0

description inside network

object network inside-out

subnet 192.168.207.0 255.255.255.0

object network oraop01

host 10.147.90.56

object service www

service tcp source eq www destination eq www

object network www1

host 192.168.207.235

object network 5515

host 192.168.207.35

object network webserver

host 71.13.8.51

description Web Server IP Address (Inside)

object network new-www

host 192.168.207.235

object-group network DM_INLINE_NETWORK_1

network-object object dotsubnet7

network-object object dotsubnet90

network-object object dotsubnet4

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group network DM_INLINE_NETWORK_2

network-object object dotsubnet4

network-object object dotsubnet7

network-object object dotsubnet90

network-object object oraop01

object-group network DM_INLINE_NETWORK_3

network-object object dotsubnet4

network-object object dotsubnet7

network-object object dotsubnet90

network-object object oraop01

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object inside-network object-group DM_INLINE_NETWORK_3

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list global_access extended permit icmp any any

access-list global_access extended permit icmp any object new-www

access-list global_access extended permit tcp any object new-www eq www

access-list xxxxxx-Systems-Subnet remark Allow Access to xxxxxxSystems Network

access-list xxxxxx-Systems-Subnet standard permit 192.168.207.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1400

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool VPN-DHCP-Pool 192.168.206.10-192.168.206.50 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit 10.147.0.0 255.255.0.0 outside

icmp permit any outside

icmp permit any inside

icmp permit any dmz

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static inside-network inside-network destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup

!

object network inside-out

nat (any,outside) static interface

object network new-www

nat (inside,outside) static 71.13.8.51

access-group inside_access_in in interface inside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 71.13.8.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http server idle-timeout 60

http 192.168.1.0 255.255.255.0 management

http 192.168.207.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt connection tcpmss 1100

sysopt connection preserve-vpn-flows

sysopt noproxyarp outside

sysopt noproxyarp inside

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec df-bit clear-df outside

crypto ipsec df-bit clear-df inside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer x.x.134.2

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5

crypto map outside_map 1 set security-association lifetime seconds 43200

crypto map outside_map 1 set nat-t-disable

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp identity address

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime none

telnet timeout 5

ssh 192.168.207.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 60

console timeout 0

dhcpd address 192.168.207.21-192.168.207.234 inside

dhcpd dns 68.115.71.53 interface inside

dhcpd ping_timeout 750 interface inside

dhcpd domain xxxxxxsystems.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-md5

webvpn

csd image disk0:/csd_3.5.2008-k9.pkg

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3

group-policy GroupPolicy_x.x.134.2 internal

group-policy GroupPolicy_x.x.134.2 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1

group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy internal

group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy attributes

banner value *********************************************************

banner value THIS SYSTEM IS FOR xxxxxx SYSTEMS INC. USE ONLY !!!!!

banner value Unauthorized access to and/or use of this computer system

banner value is violation of law and is punishable under provisions of

banner value applicable statutes.  Use of this system constitutes consent

banner value to security testing and monitoring.

banner value *********************************************************

dns-server value 192.168.207.235

vpn-access-hours value 24x7

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

vpn-filter value xxxxxx-Systems-Subnet

vpn-tunnel-protocol ikev1

password-storage enable

ip-comp enable

re-xauth enable

group-lock value RemoteAccessVPN-xxxxxxSystems-Inc

pfs enable

ipsec-udp enable

split-tunnel-policy tunnelall

default-domain value xxxxxxsystems.com

username milind password ASZJyNjPKDhBt550 encrypted

username milind attributes

vpn-group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy

group-lock value RemoteAccessVPN-xxxxxxSystems-Inc

username admin password xybduiDZ39uOf5jx encrypted privilege 15

username garyl password iS0J9AX.XdOV.UtO encrypted

username garyl attributes

vpn-group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy

group-lock value RemoteAccessVPN-xxxxxxSystems-Inc

username dshah password QFCzXoiTw/uLllIy encrypted privilege 15

tunnel-group x.x.134.2 type ipsec-l2l

tunnel-group x.x.134.2 general-attributes

default-group-policy GroupPolicy_x.x.134.2

tunnel-group x.x.134.2 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group RemoteAccessVPN-xxxxxxSystems-Inc type remote-access

tunnel-group RemoteAccessVPN-xxxxxxSystems-Inc general-attributes

address-pool VPN-DHCP-Pool

default-group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy

tunnel-group RemoteAccessVPN-xxxxxxSystems-Inc ipsec-attributes

ikev1 pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 13

  subscribe-to-alert-group configuration periodic monthly 13

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a73c56c195e2d9215cddece3066cd891

: end

Everyone's tags (5)