Zeljko Milinovic
Beginner

IPsec IKEv1 ASA tunnel dropping down.

Greetings people.

 

I have a typical ISAKMP/IKEv1 hub-and-spoke topology.

My hub is ASA5510 and spokes are 5505.

On one of the 5505 spokes, I have two tunnels, one to the hub and another to another spoke.

The tunnel to the hub from the ASA 5505 is breaking as soon as some traffic gets through, or sometimes in general. During production hours the breaks occur every 20 minutes, sometimes every hour. The tunnel comes back pretty fast, in a couple of minutes, but it is still breaking. I have an asa846-k8 image on the spoke.

The interesting thing is that the tunnel on that spoke to the other spoke is not breaking so often, but it does not have as much traffic on it as the problematic one.

I have checked the configurations, and the tunnel settings are the same on both sides like the auth protocol, the DH group and similar.

I will post some configs here. I also have tried to use the debug crypto ikev1 but did not get anything useful there.

SPOKE

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto map CoCo_map 1 match address CoCo_cryptomap
crypto map CoCo_map 1 set pfs
crypto map CoCo_map 1 set peer xxx.xxx.xxx.xxx
crypto map CoCo_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

 

HUB

crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer x.x.x.x.
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map interface outside
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400


If any more config outputs are needed, I will be glad to send them. I have tried to collect some info with the PRTG ASA VPN SNMP traffic sensor but had no luck getting it to work.

 

Thanks in advance.

 

 

 
