
ASA - Don't restart VPN automatically

rafael.deves
Level 1

Hi all,

 

I'm facing a problem in my company. We have many VPN connections with our customers, but in one case, when the VPN goes down it is necessary to bring it up manually.

 

Does somebody have an idea about this problem?

 

Thanks in advance.

4 Replies

balaji.bandi
Hall of Fame

How does your configuration look, and what device is on the other side?

 

BB


Hello Balaji Bandi,

 

Here is my configuration. Naturally, I changed the real values:

 

!### IP ADDRESS PEER PARTNER ###
name 177.1.1.1 L2L-TEF_PARTNER description ### ### peer VPN Lan2Lan with TEF_PARTNER

 

!### Objects of PARTNER ###

object network TEF-PART-192.168.10.1
host 192.168.10.1

object network TEF-PART-192.168.10.2
host 192.168.10.2

object network TEF-PART-192.168.10.3
host 192.168.10.3

 

!### My Objects ####

object network SERVER-1.1.1.1
host 1.1.1.1

object network 192.168.1.1
host 192.168.1.1

object service 9123
service tcp destination eq 9123

object service 9456
service tcp destination eq 9456

object service 9789
service tcp destination eq 9789

 

!### ACLS- MATCH- Encrypted Domain - Interesting Traffic ###

access-list TEF_PART_L2L_ACL remark ### Encrypted Domain - Lan2Lan with TEF_PART ###

access-list TEF_PART_L2L_ACL extended permit ip host 192.168.10.1 host 192.168.1.1
access-list TEF_PART_L2L_ACL extended permit ip host 192.168.1.1 host 192.168.10.1

access-list TEF_PART_L2L_ACL extended permit ip host 192.168.10.2 host 192.168.1.1
access-list TEF_PART_L2L_ACL extended permit ip host 192.168.1.1 host 192.168.10.2

access-list TEF_PART_L2L_ACL extended permit ip host 192.168.10.3 host 192.168.1.1
access-list TEF_PART_L2L_ACL extended permit ip host 192.168.1.1 host 192.168.10.3

 

!### ACLS - MATCH- FILTER TRAFFIC ###

access-list TEF_PART_L2L_FILTER remark ### FILTER -L2L PART ###

access-list TEF_PART_L2L_FILTER extended permit tcp host 192.168.10.1 host 192.168.1.1 eq 9123
access-list TEF_PART_L2L_FILTER extended permit tcp host 192.168.10.1 eq 9123 host 192.168.1.1


access-list TEF_PART_L2L_FILTER extended permit tcp host 192.168.10.2 host 192.168.1.1 eq 9456
access-list TEF_PART_L2L_FILTER extended permit tcp host 192.168.10.2 eq 9456 host 192.168.1.1

 

access-list TEF_PART_L2L_FILTER extended permit tcp host 192.168.10.3 host 192.168.1.1 eq 9789
access-list TEF_PART_L2L_FILTER extended permit tcp host 192.168.10.3 eq 9789 host 192.168.1.1

 

access-list TEF_PART_L2L_FILTER extended permit icmp any4 any4



!### NAT CHANGE DESTINY ###

nat (OUTSIDE,INSIDE) source static TEF-PART-192.168.10.1 TEF-PART-192.168.10.1 destination static 192.168.1.1 1.1.1.1 service 9123 9123 net-to-net unidirectional
nat (OUTSIDE,INSIDE) source static TEF-PART-192.168.10.2 TEF-PART-192.168.10.2 destination static 192.168.1.1 1.1.1.1 service 9456 9456 net-to-net unidirectional
nat (OUTSIDE,INSIDE) source static TEF-PART-192.168.10.3 TEF-PART-192.168.10.3 destination static 192.168.1.1 1.1.1.1 service 9789 9789 net-to-net unidirectional


!### NAT CHANGE SOURCE ###

nat (INSIDE,OUTSIDE) source static 1.1.1.1 192.168.1.1 destination static TEF-PART-192.168.10.1 TEF-PART-192.168.10.1
nat (INSIDE,OUTSIDE) source static 1.1.1.1 192.168.1.1 destination static TEF-PART-192.168.10.2 TEF-PART-192.168.10.2
nat (INSIDE,OUTSIDE) source static 1.1.1.1 192.168.1.1 destination static TEF-PART-192.168.10.3 TEF-PART-192.168.10.3

 

!### CRYPTO PROPOSAL ###

crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA_v2
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm aes-256 aes-192 aes 3des
protocol esp integrity sha-512 sha-384 sha-256 sha-1 md5

 

!### CRYPTO MAP ###

crypto map MYCOMPANY 123 match address TEF_PART_L2L_ACL
crypto map MYCOMPANY 123 set peer 177.1.1.1
crypto map MYCOMPANY 123 set ikev2 ipsec-proposal ESP-AES-256-SHA_v2

 

!### GROUP-POLICY ###

group-policy TEF-PART_L2L internal

group-policy TEF-PART_L2L attributes
vpn-filter value TEF_PART_L2L_FILTER
vpn-tunnel-protocol ikev2


!### TUNNEL-GROUP ###

tunnel-group 177.1.1.1 type ipsec-l2l
tunnel-group 177.1.1.1 general-attributes
default-group-policy TEF-PART_L2L

 

!### TUNNEL-GROUP - Pre-Shared Key ###

tunnel-group 177.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key 123456789
ikev2 local-authentication pre-shared-key 123456789


!### CRYPTO IKEV2 ###

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400

crypto ikev2 policy 2
encryption aes-256 aes-192 aes 3des des
integrity sha512 sha384 sha256 sha md5
group 21 20 19 24 14 5 2 1
prf sha512 sha384 sha256 sha md5
lifetime seconds 86400

crypto ikev2 enable OUTSIDE

 

@rafael.deves the VPN lifetimes might be different; compare these with the 3rd party's configuration.

Also check to see if you have Dead Peer Detection (DPD) keepalives to clear stale IPSec SAs.

The lifetime you configured is OK, but both peers still negotiate the lifetime and decide on the lowest value, so can you check whether the lifetime is the same as what you configured in the ASA?
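As an added example (not from the thread or any of the posters), a small Python check for the two points the replies raise: it parses ASA-style config text for IKEv2 policy lifetimes and for the per-tunnel-group DPD setting (`isakmp keepalive` under `tunnel-group ... ipsec-attributes`), then compares the two sides. The local snippet reuses the values posted in the thread; the peer snippet is constructed and hypothetical.

```python
import re
# Constructed local sample: the thread's own IKEv2 policy and tunnel-group lines
# (secret replaced), which show no explicit DPD (isakmp keepalive) setting.
LOCAL_CFG = """
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 lifetime seconds 86400
tunnel-group 177.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <redacted>
"""
# Constructed, hypothetical peer-side config with a different lifetime and DPD set.
PEER_CFG = """
crypto ikev2 policy 10
 lifetime seconds 28800
tunnel-group 10.0.0.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
"""

def parse_asa_vpn(cfg):
    """Pull IKEv2 policy lifetimes and per-tunnel-group DPD (isakmp keepalive)
    settings out of ASA-style config text; None means the line is not present."""
    out = {"ikev2_lifetimes": {}, "dpd": {}}
    policy = group = None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto ikev2 policy (\d+)$", line):
            policy, group = m.group(1), None
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            policy, group = None, m.group(1)
            out["dpd"].setdefault(group, None)
        elif policy and (m := re.match(r"lifetime seconds (\d+)$", line)):
            out["ikev2_lifetimes"][policy] = int(m.group(1))
        elif group and (m := re.match(r"isakmp keepalive threshold (\d+) retry (\d+)$", line)):
            out["dpd"][group] = (int(m.group(1)), int(m.group(2)))
    return out

def compare_peers(local, peer):
    """Findings for the two points raised in the replies: lifetimes and DPD."""
    findings = []
    l_life, p_life = (set(c["ikev2_lifetimes"].values()) for c in (local, peer))
    if l_life and p_life and not (l_life & p_life):
        findings.append(f"IKEv2 SA lifetimes differ: local {sorted(l_life)} vs peer "
                        f"{sorted(p_life)}; the shorter value drives the rekey")
    for side, parsed in (("local", local), ("peer", peer)):
        for tg, dpd in parsed["dpd"].items():
            if dpd is None:
                findings.append(f"{side}: tunnel-group {tg} shows no isakmp keepalive "
                                "line; confirm the effective DPD setting on the device")
    return findings
```

A missing `isakmp keepalive` line in a pasted config only means it is not explicit in that text, which is why the finding asks to confirm the effective value on the device rather than asserting DPD is off.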