06-22-2010 05:00 AM
Hello,
The issue is as follows:
Roughly the following happens
1. Steady situation, 4 phones connected, all having an IP assigned from the local IP pool
2. A phone (let's say #1) gets disconnected (reason is not that important), with local IP pool IP#1
3. IP#1 now goes to phone #2
4. – here it gets a little unclear whether IP#2 also starts to “travel around”, or this ‘traveling’ only happens for IP#1 –
5. After a while phone #1 comes back but IP#1 still ‘travels’ around
6. After a period of instability everything returns to a steady state and at least one of the previously assigned IPs is released and the phone gets another IP from the pool
During the instability the VoIP server actually sees the IPs being swapped, but for an unknown reason (whether that is caused by the ‘speed’ of change or something else) one IP from the local pool (from a VoIP server perspective) is bound to multiple phone numbers, with the result that no call can be made or calls in progress get disrupted.
The issue can easily be reproduced by disconnecting one phone (regardless which one).
Have you seen such behavior before? I wonder if this is a bug in the ASA version or whether it might have to do with the fact that one UserID/PWD is used for multiple connections. Any thoughts?
06-22-2010 07:55 AM
Since this is local IP address assignment... do you use reuse?
Do the phones remember the IP address they had prior to disconnect? Do they request a new address in mode config, and is the address sent by the ASA and applied?
Can you try what would happen with assignment from either AAA or DHCP? Same or different behavior?
06-23-2010 04:33 AM
Since this is local IP address assignment... do you use reuse?
Do the phones remember the IP address they had prior to disconnect? Do they request a new address in mode config, and is the address sent by the ASA and applied?
I don’t understand the nature of this question. What has this to do with the fact that if VPN#1 with local pool IP#1 disconnects (for whatever reason), IP#1 starts to move around over the remaining VPN tunnels that already have another local pool IP-address assigned in the first place.
Can you try what would happen with assignment from either AAA or DHCP? Same or different behavior?
This is something that needs to be checked, but will require some effort. AAA can be ‘simulated’ I think, by using multiple UIDs (versus the one currently in place).
Can you please verify that the single username and password do not cause this issue?
06-23-2010 09:00 AM
Kai,
Please elaborate on what you mean by traveling and "moving around".
I think problem is we're trying to use two different vocabularies to describe the problem.
Essentially a HW VPN client should request an IP address in mode config of IPsec.
The IPAA component tries to allocate that IP address for the client and returns it ideally to IPsec.
IPsec then allocates a proxy ID of: IP_ADDRESS_RECEIVED to "ANY" (by default, not counting split tunneling etc).
Once all IPsec sessions are torn down (isakmp keepalives should take care of it) we should also eventually return the IP address back to the pool.
06-24-2010 06:55 AM
Ok, this is what I mean with ‘traveling / moving around’
Time X, steady situation
VPN #1 – Local IP pool assignment=IP #1
VPN #2 – Local IP pool assignment=IP #2
VPN #3 – Local IP pool assignment=IP #3
VPN #4 – Local IP pool assignment=IP #4
Now VPN #1 gets disconnected, and what happens is this:
VPN #2 – Local IP pool assignment=IP #1
VPN #3 – Local IP pool assignment=IP #3
VPN #4 – Local IP pool assignment=IP #4
A very short moment later
VPN #2 – Local IP pool assignment=IP #2
VPN #3 – Local IP pool assignment=IP #1
VPN #4 – Local IP pool assignment=IP #4
Yet another short moment later
VPN #2 – Local IP pool assignment=IP #2
VPN #3 – Local IP pool assignment=IP #3
VPN #4 – Local IP pool assignment=IP #1
(if VPN#1 doesn’t reconnect it goes steady again after some period of time, I can’t tell approx how long that takes)
When VPN#1 reconnects within 2 to 3 minutes the above keeps on going for approx 1 minute or so and then it goes steady again but with that change at least one IP is changed, something like this:
VPN #1 – Local IP pool assignment=IP #1
VPN #2 – Local IP pool assignment=IP #5
VPN #3 – Local IP pool assignment=IP #3
VPN #4 – Local IP pool assignment=IP #4
This is what I mean with IPs traveling/moving around. Please note that the phones notice this IP change and re-register with the ‘new’ IP (which they have for only a very short period of time, a second or less).
Regards,
Kai
06-24-2010 07:25 AM
Kai,
Phones should not re-request an IP address while phase 1 and phase 2 are up - it would require those sessions to be completely re-established.
Can you please attach:
show run crypto
show run tunnel-group
show run group-policy
and tell me which tunnel-group you're using:
show vpn-sessiondb det would also share some more info
06-30-2010 02:48 AM
show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-AES-128-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-AES-128-SHA
crypto dynamic-map Outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 80 set pfs
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-AES-128-SHA
crypto dynamic-map Outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 100 set pfs
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 120 set pfs
crypto dynamic-map Outside_dyn_map 120 set transform-set ESP-AES-128-SHA
crypto dynamic-map Outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 140 set pfs
crypto dynamic-map Outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map Outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 160 set pfs
crypto dynamic-map Outside_dyn_map 160 set transform-set ESP-AES-128-SHA
crypto dynamic-map Outside_dyn_map 160 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 160 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
------------------------------------------------------------------------------------
show run tunnel-group
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) vpnphone-ip-pool
address-pool vpnphone-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside) none
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool vpnphone-ip-pool
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
------------------------------------------------------------------------------------
show run group-policy
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 3
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
vpn-tunnel-protocol IPSec
---------------------------------------------------------------------------------
show vpn-sessiondb det
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 0 : 0 : 0
Clientless only : 0 : 0 : 0
With client : 0 : 0 : 0 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 0 : 0 : 0
IPsec Remote Access : 3 : 9477 : 5
Totals : 3 : 9477
License Information:
IPsec : 250 Configured : 250 Active : 3 Load : 1%
SSL VPN : 100 Configured : 100 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 3 : 16940 : 7
SSL VPN : 0 : 0 : 0
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 3 : 16940
Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 3 : 9477 : 5
IPsec : 3 : 9182 : 5
Totals : 6 : 18659
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
06-30-2010 08:40 AM
Kai,
Some questions:
1.) Why all those entries in the dynamic crypto map? I would say put multiple transform sets together rather than specifying them one by one under different entries.
2.) What is the netmask you put on the ip local pool command /24 or /32?
3.) Can you get "show vpn-sessiondb det remote" during working and "traveling" situation?
4.) NAT traversal turned off?
Marcin
07-01-2010 05:02 AM
1. would that make a difference?
2. ip local pool vpnphone-ip-pool 10.82.186.11-10.82.187.254 mask 255.255.254.0
3. show vpn-sessiondb det remote
Session Type: IPsec Detailed
Username : Ge34rfd Index : 16942
Assigned IP : 10.82.187.206 Public IP : 94.209.208.40
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES AES128 Hashing : MD5 SHA1
Bytes Tx : 114424 Bytes Rx : 59704
Pkts Tx : 2065 Pkts Rx : 1380
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : VPNPHONE Tunnel Group : VPNPHONE
Login Time : 06:20:22 UTC Thu Jul 1 2010
Duration : 4h:14m:50s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKE Tunnels: 1
IPsec Tunnels: 1
IKE:
Tunnel ID : 16942.1
UDP Src Port : 2070 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : 3DES Hashing : MD5
Rekey Int (T): 86400 Seconds Rekey Left(T): 71113 Seconds
D/H Group : 2
Filter Name :
IPsec:
Tunnel ID : 16942.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.82.187.206/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 13513 Seconds
Idle Time Out: 3 Minutes Idle TO Left : 2 Minutes
Bytes Tx : 114424 Bytes Rx : 59704
Pkts Tx : 2065 Pkts Rx : 1380
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 15288 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Username : Ge34rfd Index : 16943
Assigned IP : 10.82.187.207 Public IP : 83.163.175.230
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES AES128 Hashing : MD5 SHA1
Bytes Tx : 29510300 Bytes Rx : 29375072
Pkts Tx : 108361 Pkts Rx : 107003
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : VPNPHONE Tunnel Group : VPNPHONE
Login Time : 07:08:42 UTC Thu Jul 1 2010
Duration : 3h:26m:31s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKE Tunnels: 1
IPsec Tunnels: 1
IKE:
Tunnel ID : 16943.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : 3DES Hashing : MD5
Rekey Int (T): 86400 Seconds Rekey Left(T): 74011 Seconds
D/H Group : 2
Filter Name :
IPsec:
Tunnel ID : 16943.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.82.187.207/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 16412 Seconds
Idle Time Out: 3 Minutes Idle TO Left : 3 Minutes
Bytes Tx : 29520940 Bytes Rx : 29385880
Pkts Tx : 108399 Pkts Rx : 107042
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 12389 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
4. again would that cause the described effect?
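An added check, not part of this thread or of ASA: a small Python parser for the "show vpn-sessiondb detail remote" output format quoted above, flagging any pool address that is held by more than one active session and counting how many public peers share one username. The session blocks below are constructed for the example (the third peer address is made up).

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the ASA "show vpn-sessiondb det remote"
# output quoted in the thread; the third session is invented to show an overlap.
SAMPLE = """\
Session Type: IPsec Detailed

Username     : Ge34rfd                Index        : 16942
Assigned IP  : 10.82.187.206          Public IP    : 94.209.208.40
Protocol     : IKE IPsec
Group Policy : VPNPHONE               Tunnel Group : VPNPHONE

Username     : Ge34rfd                Index        : 16943
Assigned IP  : 10.82.187.207          Public IP    : 83.163.175.230
Protocol     : IKE IPsec
Group Policy : VPNPHONE               Tunnel Group : VPNPHONE

Username     : Ge34rfd                Index        : 16950
Assigned IP  : 10.82.187.206          Public IP    : 203.0.113.9
Protocol     : IKE IPsec
Group Policy : VPNPHONE               Tunnel Group : VPNPHONE
"""

# One session = a "Username ... Index" line followed by an "Assigned IP ... Public IP" line.
SESSION_RE = re.compile(
    r"Username\s*:\s*(?P<user>\S+)\s+Index\s*:\s*(?P<index>\d+)\s*\n"
    r"\s*Assigned IP\s*:\s*(?P<assigned>\S+)\s+Public IP\s*:\s*(?P<public>\S+)"
)


def parse_sessions(text):
    """Return one dict per session block: user, index, assigned, public."""
    return [m.groupdict() for m in SESSION_RE.finditer(text)]


def find_overlaps(sessions):
    """Pool addresses that appear on more than one active session -> list of indexes.
    A non-empty result is the ASA-side view of 'one IP bound to multiple phones'."""
    holders = defaultdict(list)
    for s in sessions:
        holders[s["assigned"]].append(s["index"])
    return {ip: idx for ip, idx in holders.items() if len(idx) > 1}


def peers_per_user(sessions):
    """Distinct public IPs per username: how many phones share one credential."""
    peers = defaultdict(set)
    for s in sessions:
        peers[s["user"]].add(s["public"])
    return {u: sorted(p) for u, p in peers.items()}
```

Run it against both a working and a "traveling" capture and diff the two results; an address that shows up under two indexes only in the second capture pins the overlap to the ASA rather than to the VoIP registrar.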
07-01-2010 06:23 AM
Kai,
Please configure a reuse delay of let's say 60 minutes...
vpn-addr-assign local reuse-delay 60
This should prohibit the clients to use same IP address for at least 60 minutes.
Regarding outputs... same user connecting from different IP addresses?
Marcin
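An added illustration, not ASA code and not from this thread: a toy Python model of a local address pool with and without a reuse delay, showing that a released address is quarantined for the delay instead of being handed straight to the next requester, and that the pool then needs spare addresses or a reconnecting client gets nothing. Pool size, timings and address values are assumptions for the example.

```python
import heapq
from collections import deque


class LocalPool:
    """Toy model of a VPN address pool with an optional reuse delay (seconds).
    Mirrors the idea behind 'vpn-addr-assign local reuse-delay', not the ASA code."""

    def __init__(self, addresses, reuse_delay=0):
        self.free = deque(addresses)     # addresses usable right now, FIFO order
        self.quarantine = []             # heap of (release_time, address)
        self.reuse_delay = reuse_delay
        self.leases = {}                 # address -> session name

    def _expire(self, now):
        # Move addresses whose quarantine has elapsed back to the free list.
        while self.quarantine and self.quarantine[0][0] + self.reuse_delay <= now:
            _, addr = heapq.heappop(self.quarantine)
            self.free.append(addr)

    def allocate(self, session, now):
        """Return an address for the session, or None if none is usable yet."""
        self._expire(now)
        if not self.free:
            return None
        addr = self.free.popleft()
        self.leases[addr] = session
        return addr

    def release(self, addr, now):
        """Session torn down: the address is not reusable before now + reuse_delay."""
        del self.leases[addr]
        heapq.heappush(self.quarantine, (now, addr))


def scenario(reuse_delay, pool_size):
    """Four phones connect, phone 1 drops at t=10 s and reconnects 90 s later.
    Returns (address phone 1 had, address phone 1 gets on reconnect)."""
    pool = LocalPool([f"10.82.186.{11 + i}" for i in range(pool_size)], reuse_delay)
    ip1 = pool.allocate("phone1", now=0)
    for n in range(2, 5):
        pool.allocate(f"phone{n}", now=0)
    pool.release(ip1, now=10)
    return ip1, pool.allocate("phone1", now=100)
```

With no delay the dropped address is the first one handed out again; with a 60-minute delay and a pool sized exactly to the phone count the reconnect fails, which is why the delay only works with headroom in the pool.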