02-03-2010 12:30 PM
Hi,
I'm about to drop-kick this ASA 5505. Basically what happens is, upon install, the 5505 connects to the 5520, establishes the tunnel, and all is well. Within 10 or 15 minutes, everything drops, and the VPN tunnel refuses to come back up until I reload the 5505. It's ANNOYING. This ASA is in a building that has been closed and is only being used for security, so each time this happens I'm standing in a freezing building cussing.
At the 5520, the messages are as follows:
Feb 3 15:28:24 asalicious.ips.k12.in.us Feb 03 15:28:42 EST: %ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 3 15:28:25 asalicious.ips.k12.in.us Feb 03 15:28:43 EST: %ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
plicate Phase 1 packet detected. Retransmitting last packet.
Feb 3 15:28:31 asalicious.ips.k12.in.us Feb 03 15:28:49 EST: %ASA-vpn-6-713905: IP = 70.63.52.210, P1 Retransmit msg dispatched to MM FSM
--- Also:
5 IKE Peer: 70.63.52.210
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
6 IKE Peer: 70.63.52.210
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
If anyone has any ideas, that'd be grand. The darn thing works for literally 20 minutes and all is peachy -- then DEATH!
Both running identical 8.2 code.
Thanks,
Tim
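The syslog messages and the `show crypto isakmp sa` states quoted above are exactly what a small log-triage script can key on: a burst of %ASA-6-713905 Phase 1 retransmits for one peer with no completion, and SA entries that sit in MM_WAIT_MSG3 instead of reaching MM_ACTIVE. The Python below is an added example written for this thread, not code from the original post or from Cisco. It assumes the ASA 8.x message layout shown above; the sample log lines and show output it embeds are constructed, using RFC 5737 documentation addresses rather than the addresses in the post.

```python
"""Triage IKEv1 Phase 1 trouble on a Cisco ASA from two sources: VPN syslog lines
and 'show crypto isakmp sa' output.  Added example, not code from the thread."""
import re
from collections import Counter, defaultdict

# ASA 8.x IKEv1 syslog message IDs seen in the thread.
QUEUED_KEY_ACQUIRE = "713219"  # KEY-ACQUIRE queued until the Phase 1 SA completes
P1_RETRANSMIT = "713905"       # Phase 1 retransmit dispatched to the main-mode FSM

# e.g. "%ASA-vpn-6-713905: IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM"
SYSLOG_RE = re.compile(
    r"%ASA-(?:[a-z]+-)?(?P<sev>\d)-(?P<msgid>\d{6}):\s*"
    r"IP = (?P<peer>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<text>.*)$"
)

def parse_syslog(lines):
    """Yield (peer, msgid, text) for each VPN syslog line that names a peer IP."""
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            yield m.group("peer"), m.group("msgid"), m.group("text")

def stuck_phase1_peers(lines, min_retransmits=3):
    """Peers whose Phase 1 keeps retransmitting: {peer: Counter of message IDs}.
    Repeated 713905 with no completion is the signature seen on the 5520."""
    per_peer = defaultdict(Counter)
    for peer, msgid, _ in parse_syslog(lines):
        per_peer[peer][msgid] += 1
    return {p: c for p, c in per_peer.items() if c[P1_RETRANSMIT] >= min_retransmits}

# 'show crypto isakmp sa' lists one entry per SA:
#   "1   IKE Peer: 203.0.113.10"
#   "    Type : L2L   Role : responder"
#   "    Rekey : no   State : MM_WAIT_MSG3"
ISAKMP_PEER_RE = re.compile(r"IKE Peer:\s*(?P<peer>\S+)")
ISAKMP_STATE_RE = re.compile(r"State\s*:\s*(?P<state>\S+)")

def isakmp_sa_states(show_output):
    """Parse 'show crypto isakmp sa' into [(peer, state)] in display order."""
    entries, peer = [], None
    for line in show_output.splitlines():
        pm = ISAKMP_PEER_RE.search(line)
        if pm:
            peer = pm.group("peer")
            continue
        sm = ISAKMP_STATE_RE.search(line)
        if sm and peer is not None:
            entries.append((peer, sm.group("state")))
            peer = None
    return entries

def incomplete_sas(show_output):
    """Peers with an SA entry that has not reached MM_ACTIVE (main mode complete)."""
    return sorted({p for p, s in isakmp_sa_states(show_output) if s != "MM_ACTIVE"})

# Constructed sample input in the thread's format (RFC 5737 addresses, not real peers).
SAMPLE_SYSLOG = """\
Feb 3 15:28:24 asa-hub Feb 03 15:28:42 EST: %ASA-vpn-6-713219: IP = 203.0.113.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 3 15:28:31 asa-hub Feb 03 15:28:49 EST: %ASA-vpn-6-713905: IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
Feb 3 15:28:39 asa-hub Feb 03 15:28:57 EST: %ASA-vpn-6-713905: IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
Feb 3 15:28:47 asa-hub Feb 03 15:29:05 EST: %ASA-vpn-6-713905: IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
Feb 3 15:28:50 asa-hub Feb 03 15:29:08 EST: %ASA-vpn-6-713905: IP = 198.51.100.7, P1 Retransmit msg dispatched to MM FSM
""".splitlines()

SAMPLE_SHOW_ISAKMP = """\
   Active SA: 2
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
2   IKE Peer: 192.0.2.44
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

if __name__ == "__main__":
    for peer, counts in stuck_phase1_peers(SAMPLE_SYSLOG).items():
        print(f"{peer}: {counts[P1_RETRANSMIT]} P1 retransmits, "
              f"{counts[QUEUED_KEY_ACQUIRE]} queued KEY-ACQUIRE")
    print("SAs not MM_ACTIVE:", incomplete_sas(SAMPLE_SHOW_ISAKMP))
```

Run against the hub's buffered log (`show logging` piped to a file) and the hub's `show crypto isakmp sa`, the two views should agree: a peer flagged by the retransmit counter is the same peer whose SA is parked in MM_WAIT_MSG3, which points at Phase 1 never completing rather than at a Phase 2 or crypto-ACL problem.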
02-03-2010 12:50 PM
Is there a way for you to get the "show run all" from both appliances? Can you also give some details about the connection type from the 5505?
02-03-2010 03:11 PM
Thank you for the reply.
The 5520 config is huge; is there anything in particular you want? I'll have to go out to the site tomorrow and grab the config off the remote ASA. I thought I might be able to get away with not having to post the config because it DOES WORK; it's just that once it goes down it never comes back.
The connection is 5505 -> Cable -> internet -> ISP -> 5520.
Thanks again!
Tim
02-03-2010 03:16 PM
Hi Tim,
Sorry for the pain. VPN drops are caused by numerous things, hence the request for the config, as we need to isolate it. For instance, a mismatch in configuration could be one of the reasons, as the SAs might be negotiated with tunnels that are not quite defined for this particular tunnel. As well, the drop might occur due to DPDs being lost on the path or because of some IP renewal.
As for the config, I need to see the relevant Crypto ACLs on both sides, relevant NAT exempt rules and relevant Crypto definitions (in this part, see if you can post all of the ones included).
Thanks
Ivan
02-04-2010 04:43 AM
Okay! So I stopped by the site this morning. Here is the config and some output while the tunnel was up, 5505 over cable.
interface: outside
Crypto map tag: mymap, seq num: 10, local addr: 70.63.52.210
access-list encrypt permit ip 167.217.160.0 255.255.254.0 any
local ident (addr/mask/prot/port): (167.217.160.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 165.138.233.226
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 70.63.52.210, remote crypto endpt.: 165.138.233.226
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 667FC9E9
current inbound spi : DE9E4ED4
inbound esp sas:
spi: 0xDE9E4ED4 (3734916820)
transform: esp-aes-192 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (3914999/28790)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0x667FC9E9 (1719650793)
transform: esp-aes-192 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (3914999/28790)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa5505-sch64# show run
: Saved
:
ASA Version 8.2(1)11
!
hostname asa5505-sch64
domain-name ips.k12.in.us
enable password k6ba4ffBJucyFL7e encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 167.217.161.254 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.63.52.210 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ips.k12.in.us
access-list encrypt extended permit ip 167.217.160.0 255.255.254.0 any
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered informational
logging trap informational
logging asdm informational
logging host outside 167.217.2.60
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm6.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 70.63.52.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-192 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address encrypt
crypto map mymap 10 set peer 165.138.233.226
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 167.217.3.220
!
dhcpd address 167.217.160.1-167.217.160.2 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password /RrfNVdJ/j8owCEC encrypted privilege 15
tunnel-group 165.138.233.226 type ipsec-l2l
tunnel-group 165.138.233.226 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 10
!
!
prompt hostname context
Cryptochecksum:ff55da1930cd1f55c4f684901027791d
: end
asa5505-sch64# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 70.63.52.209 to network 0.0.0.0
C 70.63.52.208 255.255.255.248 is directly connected, outside
C 167.217.160.0 255.255.254.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 70.63.52.209, outside
asa5505-sch64#
_______________________________
The following are the relevant (I think) config portions from the ASA 5520 headend.
route outside 167.217.160.0 255.255.254.0 167.217.161.254 1
access-list outside_cryptomap_2 extended permit ip any 167.217.160.0 255.255.254.0
02-04-2010 11:53 AM
FIXED!
IPsec timing issue. Didn't have keepalives set on the headend.
Thanks for the help!
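The fix came down to keepalives being configured on the 5505 side (the `isakmp keepalive threshold 30 retry 10` under its tunnel-group in the config above) but not on the 5520 headend. The script below is an added example, not from the thread or from Cisco: it pulls the `isakmp keepalive` line, if any, out of each `tunnel-group ... ipsec-attributes` block in two ASA configs and reports the asymmetry for a given hub/spoke pair. It tolerates configs pasted without the leading space that `show run` puts on sub-commands, as in the post above. The embedded configs and addresses are constructed (RFC 5737 ranges); the script only reports what is explicitly configured and makes no claim about what the ASA applies when the line is absent.

```python
"""Check that both ends of an ASA L2L tunnel carry an explicit ISAKMP keepalive
(DPD) line in their tunnel-group ipsec-attributes.  Added example, not from the thread."""
import re

TG_HEADER_RE = re.compile(r"^tunnel-group\s+(?P<peer>\S+)\s+ipsec-attributes\s*$")
KEEPALIVE_RE = re.compile(
    r"^\s*isakmp keepalive\s+(?:disable|threshold\s+(?P<thr>\d+)\s+retry\s+(?P<retry>\d+))\s*$"
)
# Sub-commands that may appear inside 'tunnel-group ... ipsec-attributes'.  Used so a
# config pasted without its leading space (as in the thread) still parses correctly.
IPSEC_ATTR_SUBCMDS = ("pre-shared-key", "isakmp keepalive", "peer-id-validate", "trust-point")

def keepalive_settings(config_text):
    """Map each tunnel-group peer with an ipsec-attributes block to its keepalive:
    (threshold, retry), the string 'disabled', or None when no keepalive line is present."""
    result, peer = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        hdr = TG_HEADER_RE.match(line)
        if hdr:
            peer = hdr.group("peer")
            result.setdefault(peer, None)
            continue
        if peer is None:
            continue
        stripped = line.lstrip()
        # Still inside the block if the line is indented or is a known sub-command.
        in_block = raw.startswith(" ") or stripped.startswith(IPSEC_ATTR_SUBCMDS)
        if not in_block:
            peer = None
            continue
        ka = KEEPALIVE_RE.match(stripped)
        if ka:
            if ka.group("thr") is None:
                result[peer] = "disabled"
            else:
                result[peer] = (int(ka.group("thr")), int(ka.group("retry")))
    return result

def mismatch_findings(hub_config, spoke_config, hub_peer_addr, spoke_peer_addr):
    """Findings for one tunnel.  The hub's tunnel-group is keyed by the spoke's address
    and the spoke's by the hub's address, so the lookups are crossed on purpose."""
    findings = []
    hub_ka = keepalive_settings(hub_config).get(spoke_peer_addr, "missing")
    spoke_ka = keepalive_settings(spoke_config).get(hub_peer_addr, "missing")
    for side, ka in (("hub", hub_ka), ("spoke", spoke_ka)):
        if ka == "missing":
            findings.append(f"{side}: no ipsec-attributes block for this peer")
        elif ka is None:
            findings.append(f"{side}: no explicit 'isakmp keepalive' line")
        elif ka == "disabled":
            findings.append(f"{side}: isakmp keepalive disabled")
    if isinstance(hub_ka, tuple) and isinstance(spoke_ka, tuple) and hub_ka != spoke_ka:
        findings.append(f"threshold/retry differ: hub {hub_ka} vs spoke {spoke_ka}")
    return findings

# Constructed configs.  Spoke = 203.0.113.10 (pasted flat, no indentation);
# hub = 192.0.2.1 (indented as 'show run' prints it).  Not real devices.
SPOKE_CONFIG = """\
crypto map mymap 10 set peer 192.0.2.1
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 10
!
"""
HUB_CONFIG = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *
!
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 10
"""
# Same hub with the keepalive line added under the spoke's tunnel-group.
HUB_CONFIG_FIXED = HUB_CONFIG.replace(
    "tunnel-group 203.0.113.10 ipsec-attributes\n pre-shared-key *\n",
    "tunnel-group 203.0.113.10 ipsec-attributes\n pre-shared-key *\n"
    " isakmp keepalive threshold 30 retry 10\n",
)

if __name__ == "__main__":
    for label, hub in (("before", HUB_CONFIG), ("after", HUB_CONFIG_FIXED)):
        print(label, mismatch_findings(hub, SPOKE_CONFIG, "192.0.2.1", "203.0.113.10") or ["ok"])
```

The same check extends naturally to the other values that must agree for the tunnel to stay up across a rekey (the crypto-map peer, the transform set, and the ISAKMP policy and SA lifetimes), since each is a single line keyed by the peer address in the same way.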