07-16-2020 08:51 AM
I have a Cisco ASA running 8.2.5 (yes, I know it's old) that we plan on decommissioning this year, but unfortunately we are a ways away from doing so. It has site-to-site VPN tunnels to 4 locations: 1 is another ASA, 2 are SonicWalls, and 1 is a Juniper SRX.
The ASA and SonicWalls seem to work fine; traffic flows without any tunnel issues. But with the SRX I am getting intermittent traffic loss between some of the networks allowed between the sites, not all networks.
Specifically, we have 4 networks on the ASA side: 172.16.20.0/24, 172.16.1.0/24, 10.0.4.0/24 and 10.0.6.0/24.
The SRX has 10.34.0.0/16 and 172.18.5.0/24.
The intermittent issue is that networks 172.16.20.0/24 and 172.18.5.0/24 are able to communicate, but 172.16.20.0/24 to 10.34.0.0/16 is not, and it appears to be related to the SA lifetime expiring and not getting a response or rekeying properly.
To help resolve this, I have moved the SA lifetime in KB from the default value to the max value, 2 TB. I did this because I could not remove it from my configuration; I believe this is a limitation of the version I'm running. Since Juniper has not recommended setting an SA KB lifetime to any value, I've just had to set the lifetime in seconds to match.
Other things I have tried so far:
1. Changed the ACL on the Cisco side from network-group-to-network-group to individual network-to-network ACLs.
2. Changed the KB lifetime on the Cisco from the default value to the max value, around 2 TB.
3. Removed dead-peer-detection on the SRX side per Juniper.
4. Set the SRX to responder because I can't change the Cisco to responder.
Also, while running show crypto ipsec sa peer x.x.x.x, the inbound esp sas and outbound esp sas lifetimes are the same. Shouldn't the inbound be the lifetime of the SRX side? On the SRX, the Cisco lifetime is showing up. I'm starting to suspect that the Cisco is expiring its key at a different time and is not able to start up a new session, but I'm not sure how to fix it yet.
Crypto map tag: RAmap, seq num: 50, local addr: Cisco public IP
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.16.20.0 255.255.255.0 10.34.0.0 255.255.0.0
local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.34.0.0/255.255.0.0/0/0)
current_peer: SRX public IP
#pkts encaps: 1363, #pkts encrypt: 1363, #pkts digest: 1363
#pkts decaps: 1363, #pkts decrypt: 1363, #pkts verify: 1363
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1363, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Cisco public IP, remote crypto endpt.: SRX public IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 9E2E7250
current inbound spi : 0F5E8421
inbound esp sas:
spi: 0x0F5E8421 (257852449)
transform: esp-aes-192 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 30298112, crypto-map: RAmap
sa timing: remaining key lifetime (kB/sec): (2038431662/27393)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9E2E7250 (2653844048)
transform: esp-aes-192 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 30298112, crypto-map: RAmap
sa timing: remaining key lifetime (kB/sec): (2038431662/27393)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
From the SRX firewall, same pair of internal networks:
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<67108877 ESP:aes-cbc-192/sha1 14fc4259 14597/ 2147483647 - root 500 Cisco public IP
>67108877 ESP:aes-cbc-192/sha1 10dd5e0c 14597/ 2147483647 - root 500 Cisco public IP
<67108877 ESP:aes-cbc-192/sha1 9e2e7250 27359/ 2147483647 - root 500 Cisco public IP
>67108877 ESP:aes-cbc-192/sha1 f5e8421 27359/ 2147483647 - root 500 Cisco public IP
Top pair: SRX lifetime. Bottom pair: Cisco.
From another SA session, there is no outbound esp sas:
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.16.20.0 255.255.255.0 172.18.5.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.5.0/255.255.255.0/0/0)
current_peer: SRX public IP
#pkts encaps: 5690, #pkts encrypt: 5690, #pkts digest: 5690
#pkts decaps: 3636, #pkts decrypt: 3636, #pkts verify: 3636
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5690, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Cisco Public IP, remote crypto endpt.: SRX public IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 38DCBF3D
current inbound spi : 33D97A5E
inbound esp sas:
spi: 0x33D97A5E (869890654)
transform: esp-aes-192 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 30298112, crypto-map: RAmap
sa timing: remaining key lifetime (kB/sec): (2038430481/27415)
IV size: 16 bytes
replay detection support: Y
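To check the symptom described above mechanically, here is an added example (not from the post, Cisco or Juniper) that parses the ASA and SRX SA output, pairs each ASA SPI with the mirrored-direction row on the SRX, and reports half-open SAs and lifetime drift. It assumes the two excerpts below, condensed from the post, with 192.0.2.1 standing in for the gateway address; since the post shows SRX rows only for the 10.34.0.0/16 SA, the 172.18.5.0/24 SA's inbound SPI reports as unknown to the SRX.

```python
# Constructed, condensed from the two ASA "show crypto ipsec sa" blocks in the post.
ASA_OUTPUT = """local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.34.0.0/255.255.0.0/0/0)
inbound esp sas:
spi: 0x0F5E8421 (257852449)
sa timing: remaining key lifetime (kB/sec): (2038431662/27393)
outbound esp sas:
spi: 0x9E2E7250 (2653844048)
sa timing: remaining key lifetime (kB/sec): (2038431662/27393)
local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.5.0/255.255.255.0/0/0)
inbound esp sas:
spi: 0x33D97A5E (869890654)
sa timing: remaining key lifetime (kB/sec): (2038430481/27415)"""
# Constructed from the SRX rows the post shows for that first SA ('<' = into the SRX, '>' = out of it).
SRX_OUTPUT = """<67108877 ESP:aes-cbc-192/sha1 9e2e7250 27359/ 2147483647 - root 500 192.0.2.1
>67108877 ESP:aes-cbc-192/sha1 f5e8421 27359/ 2147483647 - root 500 192.0.2.1"""

def parse_asa(text):  # one dict per ASA SA; "inbound"/"outbound" hold {spi, sec}, or None/{} when absent
    sas, direction = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("local ident", "remote ident")):
            if line.startswith("local"):  # a new SA block starts here
                sas.append({"inbound": None, "outbound": None})
            sas[-1][line.split()[0]] = "/".join(line.split("(")[-1].split("/")[:2])
        elif line.endswith("esp sas:"):  # "inbound esp sas:" / "outbound esp sas:"
            direction = line.split()[0]
            sas[-1][direction] = {}
        elif line.startswith("spi:"):
            sas[-1][direction]["spi"] = int(line.split()[1], 16)
        elif line.startswith("sa timing"):  # "... (kB/sec): (kB/sec)" -> remaining seconds
            sas[-1][direction]["sec"] = int(line.rsplit("/", 1)[1].rstrip(")"))
    return sas

def parse_srx(text):  # SPI -> {dir, sec}; Junos prints the SPI without leading zeros
    return {int(f[2], 16): {"dir": f[0][0], "sec": int(f[3].rstrip("/"))}
            for f in (l.split() for l in text.splitlines()) if f and f[0][0] in "<>"}

def status(esp, srx, peer_dir, max_drift=120):  # one direction of one ASA SA, checked against the SRX
    if "spi" not in esp:
        return "missing"  # half-open: the ASA holds no SA in this direction
    row = srx.get(esp["spi"], {})
    if row.get("dir") != peer_dir:
        return "unknown-to-srx"  # the SRX holds no such SPI in the mirrored direction
    return "ok" if abs(row["sec"] - esp["sec"]) <= max_drift else "lifetime-drift"

def audit(asa_sas, srx):  # per SA pair; the ASA's inbound SPI is the SRX's '>' (outbound) row and vice versa
    return {f"{sa['local']} -> {sa['remote']}": {d: status(sa[d] or {}, srx, p)
            for d, p in (("inbound", ">"), ("outbound", "<"))} for sa in asa_sas}
```

Run `audit(parse_asa(ASA_OUTPUT), parse_srx(SRX_OUTPUT))`: the 10.34.0.0/16 pair reports "ok" in both directions (same SPIs, lifetimes within seconds of each other), while the 172.18.5.0/24 pair reports its outbound SA as "missing".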