2 of 4 ASA 5505's using 'ezvpn' rekey constantly?

BrianChernish
Level 1

I recently changed out the ASA5510 at the head end of my WAN so I am not sure if this problem is related.

I have 30 or so 2800 series routers connected to the 5510 with IPsec tunnels and 4 ASA 5505 units connecting with "ezvpn". When I look at logs coming out of the head end, it seems 2 of the 4 5505's continuously re-key. It also looks like something does not like the "ipsec rekeying duration".

I have attached a chunk of the debug log.

Any assistance is greatly appreciated.

Brian

P.S. -- All 4 5505 ASAs are running the same version of IOS and I have compared configs between the ones that are having issues and those which are not!

Head End and 5505 are running version 8.2

18 Replies

Interesting...

From those debugs, I found the following:

"Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 50.53.68.162:1024; New peer: 76.115.167.67:4500"

In this case we are talking about 2 ASAs installed in Executive Employees' homes and both are plugged into their existing home internet networks. Both are using DHCP on the inside interface.

I would say I have had the bad luck of each of those devices obtaining the same DHCP address - 192.168.1.11 (albeit from different networks) as their inside IP. IPsec across the ASAs does not seem to be able to accommodate that!

Comments?

Brian

Hi,

By any chance do these 2 ASAs have the same subnet on the inside? What about the others, do they have different subnets or all of them share the same one?

Mike

BrianChernish
Level 1

Mike,

I "mis-spoke" in my previous post. Both of the ASA5505s have the same IP address on their OUTSIDE interface. These 2 ASAs are located in different locations and accordingly each has a unique inside network (192.168.61.xxx for one and 192.168.65.xxx on the other).

Each was configured to use DHCP to get its outside address using the command "ip address dhcp setroute".

Obviously this configuration is desirable, so that I can pre-configure an ASA5505 and send it home with a user so that they can simply plug it into any port on their existing home internet connection and then plug an IP Phone and computer into it, which now act exactly the same as their PC and Phone in the office.

I was able to get the two conflicting devices to stop rekeying every 3 seconds by supplying a static IP to one of the devices (I changed it from the DHCP address of 192.168.1.11 to 192.168.1.9).

Any insight on a better workaround would be great, as we have plans to ship many more ASA5505s to users' homes in the coming months.

Thanks for your attention to my problem.

Brian
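The symptom Brian found in the head-end debug (the "Duplicate remote proxy ... Replacing old tunnel" message bouncing between two public peers every few seconds) can be spotted automatically. The script below is an added example, not code from the original thread or from Cisco; it scans syslog text for that message, ignores replacements where the old and new peer are the same address (a normal reconnect), and reports proxy addresses that are being swapped between different peers. The timestamp/hostname prefix and the sample lines are constructed assumptions, not the attached debug.

```python
import re
from collections import defaultdict

# Matches the message text quoted from the head-end debug. The syslog
# prefix in front of it is an assumption about the log format.
DUP_PROXY_RE = re.compile(
    r"Duplicate remote proxy \((?P<proxy>[\d.]+)/(?P<mask>[\d.]+)\) detected\. "
    r"Replacing old tunnel\. Old peer: (?P<old>[\d.]+):\d+; "
    r"New peer: (?P<new>[\d.]+):\d+"
)

# Constructed sample log, not the thread's attachment. The first three lines
# reproduce the flapping pattern described in the thread; the fourth is a
# client re-establishing from the same peer, which should not be flagged.
SAMPLE_LOG = """\
Jan 05 10:00:01 asa-head Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 50.53.68.162:1024; New peer: 76.115.167.67:4500
Jan 05 10:00:04 asa-head Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 76.115.167.67:4500; New peer: 50.53.68.162:1024
Jan 05 10:00:07 asa-head Duplicate remote proxy (192.168.1.11/255.255.255.255) detected. Replacing old tunnel. Old peer: 50.53.68.162:1024; New peer: 76.115.167.67:4500
Jan 05 10:15:30 asa-head Duplicate remote proxy (192.168.1.9/255.255.255.255) detected. Replacing old tunnel. Old peer: 198.51.100.7:4500; New peer: 198.51.100.7:4500
Jan 05 10:15:31 asa-head Some unrelated message
"""


def parse_events(text):
    """Return (proxy, old_peer, new_peer) for every duplicate-proxy message."""
    events = []
    for line in text.splitlines():
        m = DUP_PROXY_RE.search(line)
        if m:
            events.append((m["proxy"], m["old"], m["new"]))
    return events


def find_contended_proxies(text, min_swaps=2):
    """Map each proxy address that is handed back and forth between
    *different* public peers at least min_swaps times to its sorted peer list.
    Replacements where old and new peer match are ordinary reconnects."""
    swaps = defaultdict(int)
    peers = defaultdict(set)
    for proxy, old, new in parse_events(text):
        if old != new:
            swaps[proxy] += 1
            peers[proxy].update((old, new))
    return {p: sorted(peers[p]) for p, n in swaps.items() if n >= min_swaps}


if __name__ == "__main__":
    for proxy, plist in find_contended_proxies(SAMPLE_LOG).items():
        print(f"{proxy} is claimed by {len(plist)} peers: {', '.join(plist)}")
```

A proxy address that shows up here with more than one peer is a sign that two EzVPN hardware clients are presenting the same identity to the head end, which in this thread turned out to be the same DHCP-assigned outside address behind different home routers.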

Did you ever come up with a solution to this issue? I was seeing the same rekeying and sure enough, they have the same outside address. Thanks