Re: S2S VPN getting stuck, Suggest permanent solution !

viplove · ‎04-23-2018

A site to site VPN on ASA is getting stuck. I have to reset ikev1 phase all the time to get it back.The S2S is VPN is between ASA and checkpoint. The source is 192.168.11.x/24 and destination are different server IP's on ASA.

NMS sits in Subnet 192.168.11.x/24 and has to monitor every server IP in Remote host list. What can i do to permanently fix this ?

GioGonza · ‎04-23-2018

Hello @viplove,

In order to know why the VPN is getting stuck we need to focus on the Logs, can you share them in case you have them?.

HTH

Gio

Marius Gunnerud · ‎04-23-2018

Is this a new setup? has this worked correctly previously?

If this is a new setup, make sure that the CheckPoint is configured to setup vpn per host (instead of per subnet which is the default).

Is this an IKEv1 or IKEv2 setup? and are the ASA and / or CheckPoint behind a NATed device?

--
Please remember to select a correct answer and rate helpful posts

viplove · ‎04-24-2018

Hi Marius,

This is not a new setup. We are using Ikev1, though no changes has been done from ASA perspective. I dont know whether they have done changes on Checkpoint.
But whats the reason for this behaviour.

Marius Gunnerud · ‎04-24-2018

There could be a number of reasons why it is getting stuck. I have seen a VPN, running IKEv2, get stuck when the ASA is behind a router performing NAT. I have seen this also when there is a mismatch in lifetime timers in Phase 2, just to name a couple.

It is quite possible that there has been a change at the CheckPoint side, perhaps it was upgraded to a new version that reset some configuration or there was a config change that has affected the tunnel. I would suggest checking with the remote end on this.

Try to run a debug on the peer and catch the transition from working to hanging / not working.

debug crypto peer x.x.x.x

debug crypto ikev1 127

debug crypto ipsec 127

Perhaps this will give us an idea what is happening.

--
Please remember to select a correct answer and rate helpful posts

viplove · ‎04-24-2018

Hi Maurius,

I have tried debugging the peer but nothing significant has been observed.
Though i have seen one common pattern everytime this happens.
ASA shows Tx increasing but the Rx remains same, that refers i'm not receiving traffic from my peer. All other S2S VPN are working fine, only this is the one that is giving issues.
Meanwhile, there was another issue of local IP clashing at both end so i have applied double NAT on ASA to sort this out. Are this IP's are giving issues ?

Regard,
Viplove Rane

Marius Gunnerud · ‎04-24-2018

It depends on the NAT you have added, I am assuming you informed the remote side of the NAT configuration and that both your side and CheckPoint side have updated the crypto ACL configuration?

--
Please remember to select a correct answer and rate helpful posts

Marius Gunnerud · ‎04-24-2018

Did the problems start after you applied the NAT? or did they start before.

--
Please remember to select a correct answer and rate helpful posts

viplove · ‎04-24-2018

No it was working fine for like 6 months after i've applied NAT.
Though the instability started 20 days ago and i'm resetting the ikev1 session in every 18 hours to start it again.

viplove · ‎04-24-2018

Yes, The checkpoint administrator has been informed about the same.
I have told him to confirm phase 2 lifetime though, will try making them same on both end.

Marius Gunnerud · ‎04-24-2018

Check with the CheckPoint side to see if they have done any upgrade or config change around the time that this started that might be causing this.

--
Please remember to select a correct answer and rate helpful posts