05-10-2013 12:21 PM - edited 02-21-2020 06:53 PM
Hello all,
I have noticed a problem recently that our Remote Access VPN will randomly stop working. I will be able to connect and enter my Username+Password and it says Connected, but I cannot ping Remote Resources. If I check VPN Client Statistics, it shows Many Packets Sent/Encrypted, but None Received. It seems this problem affects all devices at once, but leaves the L2L tunnels intact.
It seems to randomly start working for a while, and everything seems fine until it stops working again.
I verified that it is not a firewall problem, and it occurs on multiple ISPs and computers.
We also have 2 Static L2L Tunnels, and 1 Dynamic L2L Tunnel all of which operate flawlessly. All sites/remote users use split tunneling.
Below is the config, please let me know if something seems off! FYI, I just added the keepalives on the RA Tunnel to see if it would help; I haven't noticed any difference yet.
ASA Version 8.0(2)
!
hostname HQ-ASA5505
domain-name xxxxx.local
enable password xxxxxx
names
name 192.168.9.50 trixbox
name 192.168.9.51 trixbox2 description virtual
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.9.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxx
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server xxxxxxx
name-server xxxxxxxx
domain-name xxxxx.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 101 extended permit icmp any any
access-list split standard permit 192.168.0.0 255.255.0.0
access-list to_static1 extended permit ip 192.168.0.0 255.255.0.0 192.168.14.0 255.255.255.0
access-list to_static2 extended permit ip 192.168.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list RTP extended permit udp any any range 10000 20000
access-list RTP extended permit tcp any any range 10000 20000
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RA-Pool 192.168.99.1-192.168.99.126 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address to_static1
crypto map outside_map 10 set peer xxxxx
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address to_static2
crypto map outside_map 11 set peer xxxxx
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.9.101-192.168.9.199 inside
dhcpd dns 192.168.9.2 208.67.222.222 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd option 66 ip trixbox interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect sip default_sip
parameters
max-forwards-validation action drop log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect rtsp
inspect sip default_sip
!
service-policy global_policy global
group-policy xxxxx internal
group-policy xxxxx attributes
dns-server value 192.168.9.2 208.67.222.222
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value xxxxx.local
nem enable
username user password xxxxxxxxxx encrypted privilege 0
username user attributes
vpn-group-policy xxxxx
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group xxxxx type remote-access
tunnel-group xxxxx general-attributes
address-pool RA-Pool
default-group-policy xxxxx
tunnel-group xxxxx ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group xxxxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxxx ipsec-attributes
pre-shared-key *
tunnel-group xxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxxxxx ipsec-attributes
pre-shared-key *
prompt hostname context
Many thanks in advance!!
05-11-2013 07:13 AM
Update, still have this problem.
Sent from Cisco Technical Support iPad App
05-12-2013 02:21 PM
Does my RA VPN need its own crypto map maybe? Think it shares the same crypto map as the Dynamic L2L.... Thoughts?
05-12-2013 03:04 PM
Steve,
Configuration looks fine. RAVPN as well as Dynamic L2L use the same dynamic map. The idea is to make the connection from a dynamic IP address.
Can you take the captures and the output of the following commands:
capture capout interface outside match ip host xx.xx.xx.xx host zz.zz.zz.zz
sh capture capout
! where zz.zz is remote RAVPN public ip address
! xx.xx is outside interface IP address.
sh crypto ipsec sa peer zz.zz.zz
sh run all crypto isakmp
This will enable us to see if udp 4500 packets are being dropped or not.
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
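The two outputs requested above (the outside-interface capture between the ASA and the remote-access peer, and `sh crypto ipsec sa peer ...`) answer one question: are the peer's packets reaching the outside interface at all, and if so, is the SA decapsulating them? The script below is an added example, not something posted in this thread or part of Cisco's tooling. It parses a simplified form of `show capture` output plus the `#pkts encaps` / `#pkts decaps` counters from `show crypto ipsec sa` and classifies the "many packets sent, none received" symptom into the cases a troubleshooter would want to tell apart. The sample capture and SA text are constructed (RFC 5737 documentation addresses stand in for the masked public IPs), and the capture line layout is a simplification of the real ASA format.

```python
import re

# Simplified 'show capture' line (constructed format, close to ASA output):
#   "<n>: <hh:mm:ss.us> <src>.<port> > <dst>.<port>: <proto> <len>"
CAPTURE_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)
# Counter lines as printed by 'show crypto ipsec sa'
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def count_directions(capture_text, outside_ip, peer_ip):
    """Count packets per direction between the ASA outside address and the RA peer.

    Returns 'outbound' (ASA -> peer), 'inbound' (peer -> ASA) and
    'inbound_4500' (peer -> ASA with destination UDP 4500, i.e. NAT-T).
    """
    counts = {"outbound": 0, "inbound": 0, "inbound_4500": 0}
    for line in capture_text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue  # header/footer lines such as "4 packets captured"
        if m["src"] == outside_ip and m["dst"] == peer_ip:
            counts["outbound"] += 1
        elif m["src"] == peer_ip and m["dst"] == outside_ip:
            counts["inbound"] += 1
            if m["dport"] == "4500":
                counts["inbound_4500"] += 1
    return counts


def sa_counters(sa_text):
    """Sum the encaps/decaps totals over every SA in 'show crypto ipsec sa' output."""
    encaps = sum(int(n) for n in ENCAPS_RE.findall(sa_text))
    decaps = sum(int(n) for n in DECAPS_RE.findall(sa_text))
    return {"encaps": encaps, "decaps": decaps}


def diagnose(capture_text, sa_text, outside_ip, peer_ip):
    """Classify the 'sent but nothing received' symptom from the two outputs.

    no-inbound-on-wire     : ASA encrypts toward the peer, nothing from the peer
                             arrives on the outside interface (look upstream/NAT path)
    inbound-not-decrypted  : peer packets arrive but the SA never decapsulates them
    bidirectional          : both counters move; the tunnel itself is passing traffic
    """
    c = count_directions(capture_text, outside_ip, peer_ip)
    s = sa_counters(sa_text)
    if s["encaps"] > 0 and s["decaps"] == 0 and c["inbound"] == 0:
        return "no-inbound-on-wire"
    if s["decaps"] == 0 and c["inbound"] > 0:
        return "inbound-not-decrypted"
    if s["encaps"] > 0 and s["decaps"] > 0:
        return "bidirectional"
    return "inconclusive"


# Constructed sample: ASA outside 203.0.113.10, RA client public IP 198.51.100.77.
SAMPLE_CAPTURE = """\
4 packets captured
   1: 12:21:05.101010 203.0.113.10.4500 > 198.51.100.77.4500: udp 132
   2: 12:21:06.101010 203.0.113.10.4500 > 198.51.100.77.4500: udp 132
   3: 12:21:07.101010 203.0.113.10.4500 > 198.51.100.77.4500: udp 132
   4: 12:21:08.101010 203.0.113.10.4500 > 198.51.100.77.4500: udp 132
4 packets shown
"""
SAMPLE_SA = """\
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    print(count_directions(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.77"))
    print(sa_counters(SAMPLE_SA))
    print(diagnose(SAMPLE_CAPTURE, SAMPLE_SA, "203.0.113.10", "198.51.100.77"))
```

Paste the real `sh capture capout` and `sh crypto ipsec sa peer` text in place of the constructed samples; a result of `no-inbound-on-wire` points at the path between the client and the outside interface (the UDP 4500 drop Varinder mentions), whereas `inbound-not-decrypted` means the packets do arrive and the SA itself is the thing to examine.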