Cisco ASA IPsec tunnel disconnects after some time

hansspark
Level 1

Hi all,

I set up an IPsec tunnel between a SonicWall Pro router and a Cisco ASA 5510. The tunnel established well and both subnets can access each other.

Then I added a static route to one public IP in the SonicWall IPsec policy, so that all traffic to that IP will go through the IPsec tunnel. It's also working fine.

But the problem is that after some time the IPsec tunnel goes down and then I need to renegotiate the IPsec on the SonicWall to re-establish the tunnel.

This is happening one to two times a day. I am afraid whether this behaviour is due to config issues. I am pasting my ASA running configuration here. Please give some advice.

SonicWall public IP 1.1.1.2, subnet 192.168.10.0

Cisco ASA public IP 1.1.1.1, subnet 192.168.5.0


ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 66.28.0.45
name-server 66.28.0.61
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
port-object eq 3389
object-group service OpenVPN tcp
port-object eq 1194
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit tcp any host ###### eq pptp
access-list outside extended permit gre any host ######
access-list outside extended permit udp any any eq 1701
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host ###### eq ftp
access-list outside extended permit tcp any host ####### eq ssh
access-list outside extended permit tcp any host ####### object-group rdp log disable
access-list outside extended permit tcp any host 1.1.1.1 object-group OpenVPN
access-list nonat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list l2l extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ippool 192.168.5.131-192.168.5.151 mask 255.255.255.0
ip local pool l2tppool 192.168.5.155-192.168.5.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.10.0 255.255.255.0
nat (outside) 1 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.5.0 255.255.255.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 5 set reverse-route
crypto dynamic-map easyvpn 10 set transform-set myset
crypto dynamic-map easyvpn 10 set reverse-route
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 1.1.1.2
crypto map mymap 10 set transform-set myset
crypto map mymap 30000 ipsec-isakmp dynamic easyvpn
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
l2tp tunnel hello 10
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 66.28.0.45 66.28.0.61
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value cisco.com
group-policy DfltGrpPolicy attributes
group-policy easyvpn internal
group-policy easyvpn attributes
dns-server value 66.28.0.45 66.28.0.61
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelall
address-pools value ippool
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool l2tppool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *
tunnel-group easyvpn type remote-access
tunnel-group easyvpn general-attributes
default-group-policy easyvpn
tunnel-group easyvpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5542615c178d2803f764c9b8f104732b
: end

21 Replies

Hi ,

Here I am attaching the running config of the ASA and screenshots of the SonicWall configuration, along with the show crypto command outputs.

One more thing I noticed is, if the first packet (which initiates the tunnel) is from the Cisco side to the SonicWall, then in the SonicWall log the 'source' and 'destination IP' for phase 2 initialization is the Cisco public IP. I mean both source and destination IP are the Cisco public IP. Is that strange?

Jennifer Halim
Cisco Employee

I assume that you have a typo in the ASA configuration?

access-list l2l extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended extended permit ip host voip pubic ip 192.168.10.0 255.255.255.0

Can you confirm that you have the following configured instead:

access-list l2l extended permit ip host voip pubic ip 192.168.10.0 255.255.255.0

Also, even though the crypto map tag says easyvpn, the peer address is correct at 1.1.1.2.

Also, not sure why you have the following configuration (but if it's not required I would suggest that it be removed, and "clear xlate" after the removal):

nat (outside) 1 192.168.10.0 255.255.255.0

Lastly, please disable keepalive on the SonicWall.

If the above still doesn't resolve the issue, can you try to remove the dynamic crypto map from the ASA (no crypto map mymap 30000 ipsec-isakmp dynamic easyvpn), clear the tunnel, try to initiate the tunnel again between the ASA and SonicWall, and grab the output of "show cry isa sa" and "show cry ipsec sa". I am curious to see why it is still referring to the easyvpn crypto map. When you remove the dynamic crypto map, the dynamic lan-to-lan and remote access VPN client will not work.

Sorry, it wasn't a typo in the Cisco config. It happened when I copied it to the text file. The ACL l2l is the same as you mentioned and keepalive is also disabled on the SonicWall. But I have a doubt over the access-list. In "access-list l2l extended permit ip host voip pubic ip 192.168.10.0 255.255.255.0" the source IP is mentioned as the VoIP IP. Then only a packet with the VoIP public IP as source IP will fall in this ACL. Am I right? Then if the first packet is coming from 192.168.10.0/24 to the VoIP IP, it will not fall in this ACL (because its destination IP is the VoIP IP, not the source), but that will create the tunnel. (I believe that first packet is initiating the tunnel.) Will that be the reason it falls into the dynamic crypto map?

I wrote the "nat (outside) 1 192.168.10.0 255.255.255.0" rule for public access of 192.168.10.0/24 through IPsec. Otherwise their source IP will be in the 192.168.10.0/24 range and will be blocked by other firewalls. Am I right?

After getting your reply, I will check with the dynamic crypto map removed.

No, that is not correct.

Crypto ACL will identify what traffic should be encrypted from the ASA end towards the SonicWall end.

So assuming that VOIP server is at the ASA end, and the SonicWall LAN is 192.168.10.0/24.

On the ASA, you will have crypto ACL that says from VOIP server towards 192.168.10.0/24, and on SonicWall, you will have crypto ACL that says from 192.168.10.0/24 towards VOIP server.

And since the first packet is from 192.168.10.0/24 (behind SonicWall) towards the VOIP server, it will be encrypted and sent across the VPN tunnel, as you have defined that in the crypto ACL.

For "nat (outside) 1 192.168.10.0 255.255.255.0 rule for the public access of 192.168.10.0/24 through ipsec", that is not correct.

192.168.10.0/24 will access the public Internet via SonicWall (the packet is not encrypted and sent towards the tunnel because it is not defined in the crypto ACL). So only traffic defined in the crypto ACL will be encrypted and sent through the tunnel, i.e. between 192.168.5.0/24 and 192.168.10.0/24, and between the VOIP server and 192.168.10.0/24. Everything else will go out to the Internet as normal (not encrypted, in clear text).
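The mirror-image rule in the reply above (the ASA's crypto ACL says VOIP server towards 192.168.10.0/24, the SonicWall's says 192.168.10.0/24 towards VOIP server, and a first packet from the SonicWall LAN therefore lands on the static entry rather than the dynamic map) can be checked mechanically. The following is an added example written for this thread, not code from the original post or from Cisco: it parses ASA-style access-list lines into a small model, verifies that the two ends' crypto ACLs are mirror images, and decides whether a given packet or phase 2 proposal matches the static lan-to-lan entry. The VOIP server address 203.0.113.10 is a constructed placeholder (the thread masks the real one); the ASA LAN 192.168.5.0/24 and SonicWall LAN 192.168.10.0/24 are the thread's own. The model assumes a proposal must equal one ACL entry exactly, which is a simplification of how the ASA compares proxy IDs.

```python
"""Model of IPsec 'interesting traffic' selection for a lan-to-lan tunnel.

Added example for this thread, not from the original post or from Cisco.
203.0.113.10 stands in for the VOIP server whose address the thread masks.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(tokens, i):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_lines):
    """Collect ASA 'access-list NAME extended permit ip SRC DST' lines into {name: [AclEntry]}."""
    acls = {}
    for line in config_lines:
        t = line.split()
        if len(t) < 7 or t[:1] != ["access-list"] or t[2:5] != ["extended", "permit", "ip"]:
            continue  # not an IP permit entry; irrelevant to crypto ACL matching
        src, i = _endpoint(t, 5)
        dst, _ = _endpoint(t, i)
        acls.setdefault(t[1], []).append(AclEntry(src, dst))
    return acls


def mirror(entries):
    """Swap source and destination: what the far-end peer's crypto ACL must contain."""
    return {AclEntry(e.dst, e.src) for e in entries}


def is_mirror_image(local, remote):
    """True when the two crypto ACLs are exact mirror images (the lan-to-lan requirement)."""
    return set(local) == mirror(remote)


def is_interesting(entries, src_ip, dst_ip):
    """Would a packet leaving the device that holds `entries` be sent into the tunnel?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in e.src and d in e.dst for e in entries)


def static_map_accepts(local_entries, proposed_remote, proposed_local):
    """The peer initiates phase 2 proposing (its subnet -> our subnet). The static crypto map
    entry matches only if that pair is the mirror of one of our entries; otherwise the
    negotiation falls through to the dynamic crypto map entry (mymap 30000 in the thread)."""
    proposal = AclEntry(ipaddress.ip_network(proposed_local), ipaddress.ip_network(proposed_remote))
    return proposal in set(local_entries)


# Constructed ASA lines in the form of the thread's config (VOIP host address is a placeholder).
ASA_CONFIG = [
    "access-list l2l extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "access-list l2l extended permit ip host 203.0.113.10 192.168.10.0 255.255.255.0",
    "access-list nonat extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0",
]
ASA_L2L = parse_acls(ASA_CONFIG)["l2l"]

# The SonicWall's VPN policy written in the same notation: the mirror image of the ASA's l2l ACL.
SONICWALL_POLICY = parse_acls([
    "access-list sw extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0",
    "access-list sw extended permit ip 192.168.10.0 255.255.255.0 host 203.0.113.10",
])["sw"]


if __name__ == "__main__":
    print("ACLs are mirror images:", is_mirror_image(ASA_L2L, SONICWALL_POLICY))
    # First packet from a SonicWall LAN host to the VOIP server is interesting on the SonicWall ...
    print("SonicWall encrypts 192.168.10.5 -> 203.0.113.10:",
          is_interesting(SONICWALL_POLICY, "192.168.10.5", "203.0.113.10"))
    # ... and its phase 2 proposal (192.168.10.0/24 -> 203.0.113.10/32) hits the ASA's static entry.
    print("ASA static map accepts the proposal:",
          static_map_accepts(ASA_L2L, "192.168.10.0/24", "203.0.113.10/32"))
    # With the host entry missing from l2l, the same proposal falls through to the dynamic map.
    print("Without the host entry:",
          static_map_accepts(ASA_L2L[:1], "192.168.10.0/24", "203.0.113.10/32"))
```

The last check is the situation the thread circles around: if the host entry is absent or mangled on the ASA, the SonicWall's proposal for the VOIP flow no longer matches the static entry, and the only remaining candidate is the dynamic crypto map, which is why the logs kept referring to easyvpn.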

Sorry for confusing you with "nat (outside) 1 192.168.10.0 255.255.255.0". What I meant is, even for accessing the VoIP IP (which is on the Internet) from the SonicWall end (192.168.10.0/24), I need this NAT rule. Am I right? Otherwise packets from the SonicWall LAN, destined to the VoIP IP, have a source IP in the 192.168.10.0/24 range.

Yes, you are totally right on that point. Spot on... you will need to NAT the SonicWall LAN subnet to be able to access the VOIP server on the Internet.

Hi Jennifer, first of all I really appreciate your support on this issue. I deleted the l2l ACL and created it again, and that did the magic.

Now it works!!! There is no packet drop after the lifetime period. I believe there might have been some typo in the l2l ACL... once again thanks for your support.