05-13-2009 07:19 AM - edited 02-21-2020 04:14 PM
Site 1 NAT'd clients behind ASA5540 connect over IPSec tunnel to Site 2 behind ISA2006 using pre-shared Key
* Able to establish the Tunnel
* Able to ping both ways
* Able to join Win domain at Site 1 from Client at Site 2
Tunnel periodically drops (15 minutes~ish)
Site 2 Client loses ping to Site 1 altogether
Site 1 Client ping to Site 2 fails on 1st, then succeeds on next few
Then Site 2 can again ping Site 1
Seeing 713122 (keep-alives configured on but peer does not support keep-alives...) on ASA, but cannot find where to fix on ISA or disable on ASA (if that's even the right approach)
05-13-2009 02:44 PM
Which site is the ASA, and which site is the ISA?
Can Site 2 bring the tunnel back up by pinging, or is it the case that it can only be brought up by Site 1?
Can you post up any more config / debugs?
I recently had a multi-vendor tunnel that kept dropping and only one end could bring it back up - turned out it was because PFS was enabled at the non-Cisco end, whereas at the Cisco end it is disabled by default.
Assuming PFS has not been explicitly configured on the ASA you could try disabling it on the ISA (I believe this is in properties -> phase II).
05-14-2009 04:01 AM
Sorry, looks like I confused my sites in the description...
Site 1 = ISA2006
Site 2 = ASA5540
* Able to establish the Tunnel
* Able to ping both ways
* Able to join Client at Site 2 (behind ASA) to Win domain at Site 1 (behind ISA)
Tunnel periodically drops (15 minutes~ish)
- Client behind ASA loses ping to ISA Site altogether
- ISA Client ping to ASA Site fails on 1st, then succeeds on next few
- Then ASA Site can again ping ISA Site
- I can only get the tunnel to re-establish by pinging from ISA Side back to ASA side
PFS has been explicitly enabled on both ends
Would be happy to post config/debug info... what helps?
05-17-2009 09:31 AM
I would post the crypto map & isakmp configuration from the ASA, along with the ACL that defines interesting traffic. Then go into the properties of the tunnel on the ISA and make a note of the P1 and P2 settings there.
You could try debugs like debug crypto ipsec & debug crypto isakmp.
This is assuming that the internet connection at both sites is stable of course :-)
05-18-2009 04:18 AM
ASA Side:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set BV esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside-untrust_map 1 match address Outside-untrust_1_cryptomap
crypto map Outside-untrust_map 1 set pfs
crypto map Outside-untrust_map 1 set peer <
crypto map Outside-untrust_map 1 set transform-set ESP-3DES-SHA
crypto map Outside-untrust_map 1 set security-association lifetime seconds 28800
crypto map Outside-untrust_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside-untrust_map 1 set reverse-route
crypto map Outside-untrust_map interface Outside-untrust
crypto isakmp enable Outside-untrust
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ISA Side:
PhaseI:
Encryption Algorithm: 3DES
Integrity Algorithm: SHA1
DH Group: Group 2 (1024 bit)
Auth & Generate New Key: 86400 Seconds
PhaseII:
Encryption Algorithm: 3DES
Integrity Algorithm: SHA1
New Key Every 4608000 Kb, 28800 Sec
Use PFS DH Group 2 (1024 Bit)
ACL:
access-list inbound extended permit ip <
access-list Outside-untrust_1_cryptomap extended permit ip <
access-list Inside-trust_nat0_outbound extended permit ip <
access-list Inside-trust_access_in remark External Web Access
access-list Inside-trust_access_in extended permit tcp <
access-list Inside-trust_access_in extended permit ip <
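Added example, not code from the thread or from either vendor: a small Python script that pulls the phase 1 (isakmp policy) and phase 2 (crypto map entry) parameters out of the ASA config posted above and compares them with the ISA-side settings, printing one line per parameter that differs. The ASA text embedded in it is a constructed copy of the posted lines with the elided peer address replaced by a documentation placeholder; the ISA values are typed in by hand from the post. It also runs the scenario from earlier in the thread, PFS enabled on the ASA only, to show what a mismatch report looks like.

```python
import copy

ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128",
           "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
ESP_HASH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha"}
# The ISA dialog spells algorithms differently; map them onto the ASA vocabulary.
ISA_NAMES = {"des": "des", "3des": "3des", "aes128": "aes-128", "aes192": "aes-192",
             "aes256": "aes-256", "sha1": "sha", "md5": "md5"}

# Constructed sample: the crypto lines from the ASA post, with the peer address
# that was elided in the post replaced by a documentation placeholder.
ASA_CONFIG = """
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside-untrust_map 1 match address Outside-untrust_1_cryptomap
crypto map Outside-untrust_map 1 set pfs
crypto map Outside-untrust_map 1 set peer 198.51.100.1
crypto map Outside-untrust_map 1 set transform-set ESP-3DES-SHA
crypto map Outside-untrust_map 1 set security-association lifetime seconds 28800
crypto map Outside-untrust_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside-untrust_map 1 set reverse-route
crypto map Outside-untrust_map interface Outside-untrust
crypto isakmp enable Outside-untrust
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""


def parse_asa(text, map_name, seq):
    """Extract phase 1 (isakmp policy) and phase 2 (one crypto map entry) settings."""
    transform_sets, global_life = {}, {}
    p1, p2 = {}, {"pfs_group": None}   # no `set pfs` line means PFS is off
    in_policy = False
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[toks[3]] = (ESP_ENC[toks[4]], ESP_HASH[toks[5]])
        elif toks[:4] == ["crypto", "ipsec", "security-association", "lifetime"]:
            global_life["lifetime_" + toks[4]] = int(toks[5])
        elif toks[:2] == ["crypto", "map"] and toks[2] == map_name and toks[3] == str(seq):
            rest = toks[4:]
            if rest[:2] == ["set", "pfs"]:
                # `set pfs` with no group keyword means DH group 2 on the ASA
                p2["pfs_group"] = int(rest[2][len("group"):]) if len(rest) > 2 else 2
            elif rest[:2] == ["set", "transform-set"]:
                p2["encryption"], p2["hash"] = transform_sets[rest[2]]
            elif rest[:3] == ["set", "security-association", "lifetime"]:
                p2["lifetime_" + rest[3]] = int(rest[4])
        elif toks[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = True
        elif toks[0] == "crypto":
            in_policy = False
        elif in_policy and toks[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            p1[toks[0]] = int(toks[1]) if toks[1].isdigit() else toks[1]
    for key, value in global_life.items():       # map entry overrides the global default
        p2.setdefault(key, value)
    return {"phase1": p1, "phase2": p2}


def norm(name):
    return ISA_NAMES[name.lower().replace("-", "").replace(" ", "")]


# Typed in from the ISA-side settings listed in the post.
ISA_TUNNEL = {
    "phase1": {"authentication": "pre-share", "encryption": norm("3DES"),
               "hash": norm("SHA1"), "group": 2, "lifetime": 86400},
    "phase2": {"encryption": norm("3DES"), "hash": norm("SHA1"), "pfs_group": 2,
               "lifetime_kilobytes": 4608000, "lifetime_seconds": 28800},
}


def compare(local, peer):
    """Return one line per parameter that differs between the two ends."""
    diffs = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(local[phase]) | set(peer[phase])):
            a, b = local[phase].get(key), peer[phase].get(key)
            if a != b:
                diffs.append(f"{phase}.{key}: asa={a} peer={b}")
    return diffs


def check_pfs_scenario():
    """The case from earlier in the thread: PFS enabled on the ASA but not on the peer."""
    no_pfs = copy.deepcopy(ISA_TUNNEL)
    no_pfs["phase2"]["pfs_group"] = None
    return compare(parse_asa(ASA_CONFIG, "Outside-untrust_map", 1), no_pfs)


if __name__ == "__main__":
    asa = parse_asa(ASA_CONFIG, "Outside-untrust_map", 1)
    print("posted settings:", compare(asa, ISA_TUNNEL) or "no mismatches")
    print("PFS off on peer:", check_pfs_scenario())
```

With the values from the post the comparison comes back empty, which matches the reply below that the P1 and P2 settings look aligned; the PFS scenario reports the single differing parameter. Anything the ASA negotiates from a global default rather than the map entry (the two lifetimes here) is filled in from the `crypto ipsec security-association lifetime` lines, so a map entry that silently inherits a default still gets compared.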
05-18-2009 05:58 AM
And this is what I see after it drops:
4|May 18 2009|09:48:28|713903|||||IP = <
3|May 18 2009|09:48:28|713902|||||IP = <
6|May 18 2009|09:48:11|713219|||||IP = <
6|May 18 2009|09:48:06|713219|||||IP = <
6|May 18 2009|09:48:01|713219|||||IP = <
5|May 18 2009|09:47:56|713041|||||IP = <
05-20-2009 08:21 AM
Sorry for the delay - at first glance it would appear that the P1 & P2 settings match, and I don't have any immediate ideas unfortunately... perhaps someone else would like to jump in?
You could try enabling periodic dead peer detection at both ends, possibly?
crypto isakmp keepalive seconds [retries] [periodic | on-demand]