09-26-2012 08:02 PM
Dears,
I have a site-to-site VPN between my ASA 5510 and ASA 5520.
The tunnel works fine, but I see that sometimes the SA breaks down even though there is interesting traffic from one location to the other. If I re-initiate the traffic, the SA comes back up. Why would this happen?
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 140 match address outside_140_cryptomap
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer 94.*.*.*
crypto map outside_map 140 set transform-set ESP-3DES-MD5
Thanks
09-27-2012 07:20 AM
Do you have keepalive configured on both ASAs?
Here is the command for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1881746
BTW, when you said there is interesting traffic but that the SA comes up if you re-initiate the traffic, do you mean that you clear down the tunnel and it is then able to build the new SA? How many lines of crypto ACL do you have configured?
Before you clear down the tunnel, are you unable to pass any traffic? If you have more than one line of crypto ACL, does it happen to all ACL lines or just one particular one? And when you can't pass traffic, what does the output of "show cry ipsec sa" say?
09-27-2012 03:11 PM
Hi,
Do you have keepalive configured on both ASAs?
Yes, below is the config from my side. The other side also has the same thing.
group-policy TCH1 internal
group-policy TCH1 attributes
vpn-idle-timeout none
tunnel-group 94.20*.* type ipsec-l2l
tunnel-group 94.20*.* general-attributes
default-group-policy TCH1
BTW, when you said there is interesting traffic but that the SA comes up if you re-initiate the traffic, do you mean that you clear down the tunnel and it is then able to build the new SA? How many lines of crypto ACL do you have configured?
No, I am not manually terminating the tunnel. It seems that after a specific time the tunnel goes down, but the ping to the other side's IPs is still running. The following is the crypto ACL we have.
access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.7.19 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.7.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.15.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.30.1.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.11.1.100 10.50.8.0 255.255.255.0
show crypto ipsec sa output:
access-list outside_140_cryptomap permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.2.26/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
current_peer: 94.20*.*
#pkts encaps: 2608, #pkts encrypt: 2608, #pkts digest: 2608
#pkts decaps: 1250, #pkts decrypt: 1250, #pkts verify: 1250
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2608, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 94.***, remote crypto endpt.: 94.20.*.*
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 6F72A08C
inbound esp sas:
spi: 0x28AA0C31 (682232881)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 559, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824977/19502)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x6F72A08C (1869783180)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 559, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824961/19502)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 140, local addr: 94.20.*.*
access-list outside_140_cryptomap permit ip host 10.11.1.100 10.50.8.0 255.255.255.0
local ident (addr/mask/prot/port): (10.11.1.100/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
current_peer: 94.200.*.*
#pkts encaps: 4750, #pkts encrypt: 4750, #pkts digest: 4750
#pkts decaps: 4750, #pkts decrypt: 4750, #pkts verify: 4750
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4750, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 94.200.*.*, remote crypto endpt.: 94.200.*.*
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F097590C
inbound esp sas:
spi: 0x220E1D6C (571350380)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 559, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3823481/22674)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF097590C (4036450572)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 559, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3823481/22674)
IV size: 8 bytes
replay detection support: Y
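The "show crypto ipsec sa" output above is what the reply asked for, and the counters in it are where the asymmetry shows: the first SA has encrypted 2608 packets but decrypted only 1250, while the second SA is balanced at 4750 each. The script below is an added example, not code from the thread or from Cisco; it parses output in this format into per-SA records and flags one-way traffic, send/receive errors and an SA close to rekeying. The sample text is constructed from the posted output, with the masked public peer addresses replaced by 203.0.113.0/24 documentation addresses, and the 2:1 asymmetry ratio and 600-second warning threshold are arbitrary defaults chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the "show crypto ipsec sa" output posted in the thread.
# Packet counters and lifetimes are as posted; peer addresses are documentation addresses.
SAMPLE_OUTPUT = """\
Crypto map tag: outside_map, seq num: 140, local addr: 203.0.113.1
      access-list outside_140_cryptomap permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.2.26/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
      #pkts encaps: 2608, #pkts encrypt: 2608, #pkts digest: 2608
      #pkts decaps: 1250, #pkts decrypt: 1250, #pkts verify: 1250
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x28AA0C31 (682232881)
         sa timing: remaining key lifetime (kB/sec): (3824977/19502)
    outbound esp sas:
      spi: 0x6F72A08C (1869783180)
         sa timing: remaining key lifetime (kB/sec): (3824961/19502)
      access-list outside_140_cryptomap permit ip host 10.11.1.100 10.50.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.11.1.100/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
      #pkts encaps: 4750, #pkts encrypt: 4750, #pkts digest: 4750
      #pkts decaps: 4750, #pkts decrypt: 4750, #pkts verify: 4750
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x220E1D6C (571350380)
         sa timing: remaining key lifetime (kB/sec): (3823481/22674)
    outbound esp sas:
      spi: 0xF097590C (4036450572)
         sa timing: remaining key lifetime (kB/sec): (3823481/22674)
"""


@dataclass
class SaStats:
    local: str             # local proxy identity (address part only)
    remote: str            # remote proxy identity
    encaps: int            # packets encrypted and sent into the tunnel
    decaps: int            # packets received from the tunnel and decrypted
    send_errors: int
    recv_errors: int
    min_lifetime_sec: int  # lowest remaining seconds across the inbound/outbound ESP SAs


def parse_ipsec_sa(text: str) -> List[SaStats]:
    """Split the output at each 'local ident' line and pull the counters out of each section."""
    stats = []
    for chunk in re.split(r"(?=local ident \()", text):
        m_local = re.search(r"local ident \(addr/mask/prot/port\): \(([^/]+)/", chunk)
        if not m_local:
            continue  # header text before the first SA
        m_remote = re.search(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/", chunk)
        encaps = int(re.search(r"#pkts encaps: (\d+)", chunk).group(1))
        decaps = int(re.search(r"#pkts decaps: (\d+)", chunk).group(1))
        m_err = re.search(r"#send errors: (\d+), #recv errors: (\d+)", chunk)
        lifetimes = [int(s) for s in
                     re.findall(r"remaining key lifetime \(kB/sec\): \(\d+/(\d+)\)", chunk)]
        stats.append(SaStats(
            local=m_local.group(1),
            remote=m_remote.group(1) if m_remote else "?",
            encaps=encaps, decaps=decaps,
            send_errors=int(m_err.group(1)) if m_err else 0,
            recv_errors=int(m_err.group(2)) if m_err else 0,
            min_lifetime_sec=min(lifetimes) if lifetimes else 0,
        ))
    return stats


def assess(sa: SaStats, asymmetry_ratio: float = 2.0, expiry_warn_sec: int = 600) -> List[str]:
    """Return human-readable findings for one SA; an empty list means nothing stands out."""
    findings = []
    if sa.encaps > 0 and sa.decaps == 0:
        findings.append("no return traffic: packets are encrypted but nothing is decrypted")
    elif sa.decaps > 0 and sa.encaps / sa.decaps >= asymmetry_ratio:
        findings.append(f"one-way traffic: {sa.encaps} encaps vs {sa.decaps} decaps")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"errors: send={sa.send_errors} recv={sa.recv_errors}")
    if sa.min_lifetime_sec < expiry_warn_sec:
        findings.append(f"rekey imminent: {sa.min_lifetime_sec}s of key lifetime left")
    return findings


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa.local} -> {sa.remote}: {assess(sa) or ['ok']}")
```

An encaps count that keeps growing while decaps stays flat means the local side is sending into the tunnel but nothing is coming back, which narrows the problem to the far end or the path; a balanced pair with no errors points elsewhere, such as an SA that was torn down and rebuilt. The ratio is a hint for where to look, not a verdict, so compare two snapshots taken a minute apart rather than one.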
09-28-2012 07:41 AM
It looks like you only have 2 SAs built (2 ACL lines).
When you say the ping is still running, do you mean that you are getting Request Timed Out when the SA is cleared down?
Can you share the crypto ACL on the other side of the tunnel as well? Do they mirror each other? What device is the remote VPN end?
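The question about whether the two crypto ACLs mirror each other is the usual next check, and it is easy to get wrong by eye once an ACL has eight lines. The script below is an added example, not code from the thread or from Cisco: it parses ASA-style crypto ACL lines from both peers into (protocol, source, destination) tuples, flips the remote side into the local perspective and reports what is missing or extra. The local ACL is the one posted in the thread; the remote ACL is constructed for the example with two deliberate defects (the 10.10.15.0/24 line is missing and a 10.10.99.0/24 line has no local counterpart), and its name remote_140_cryptomap is made up.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# (protocol, source network, destination network), always from the local peer's perspective
Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Crypto ACL posted in the thread (local side).
LOCAL_ACL = """
access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.7.19 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.7.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.15.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.30.1.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.11.1.100 10.50.8.0 255.255.255.0
""".strip().splitlines()

# Constructed remote-side ACL (hypothetical name): a mirror image with two deliberate defects,
# no entry for 10.10.15.0/24 and an extra entry for 10.10.99.0/24.
REMOTE_ACL = """
access-list remote_140_cryptomap extended permit ip 10.50.1.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list remote_140_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list remote_140_cryptomap extended permit ip 10.50.8.0 255.255.255.0 host 10.10.7.19
access-list remote_140_cryptomap extended permit ip 10.50.8.0 255.255.255.0 host 10.10.2.26
access-list remote_140_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list remote_140_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list remote_140_cryptomap extended permit ip 10.50.8.0 255.255.255.0 host 10.11.1.100
access-list remote_140_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.10.99.0 255.255.255.0
""".strip().splitlines()


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read one ACL endpoint ('host A', 'any' or 'NET MASK') starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ip_network accepts a dotted netmask after the slash for IPv4
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(lines: Iterable[str]) -> Set[Entry]:
    """Turn 'access-list NAME extended permit PROTO SRC DST' lines into a set of entries."""
    entries: Set[Entry] = set()
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or "permit" not in t:
            continue  # remarks, deny lines and unrelated config are ignored
        k = t.index("permit") + 1
        proto = t[k]
        src, k = _parse_endpoint(t, k + 1)
        dst, _ = _parse_endpoint(t, k)
        entries.add((proto, src, dst))
    return entries


def mirror_check(local_lines: Iterable[str], remote_lines: Iterable[str]) -> Dict[str, List[Entry]]:
    """Compare the local ACL with the remote ACL seen from the local side (src/dst swapped)."""
    local = parse_crypto_acl(local_lines)
    remote_as_local = {(proto, dst, src) for (proto, src, dst) in parse_crypto_acl(remote_lines)}
    return {
        "missing_on_remote": sorted(local - remote_as_local, key=str),
        "extra_on_remote": sorted(remote_as_local - local, key=str),
    }


if __name__ == "__main__":
    for kind, entries in mirror_check(LOCAL_ACL, REMOTE_ACL).items():
        for proto, src, dst in entries:
            print(f"{kind}: {proto} {src} -> {dst}")
```

A line that is missing on the remote side only surfaces when traffic matching that line tries to start the SA: the initiator proposes proxy identities the responder has no matching entry for, and that one pair fails while the other lines keep working, which is the per-ACL-line behaviour the reply above is asking about.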