SA breaks down

Shibu1978
Level 1

Dears,

I have a site-to-site VPN between my ASA 5510 and ASA 5520.

The tunnel works fine, but sometimes I see the SA break down even though there is interesting traffic from one location to the other. If I re-initiate the traffic, the SA comes back up. Why would this happen?

crypto isakmp policy 9
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 140 match address outside_140_cryptomap
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer 94.*.*.*
crypto map outside_map 140 set transform-set ESP-3DES-MD5

Thanks

3 Replies

Jennifer Halim
Cisco Employee

Do you have keepalive configured on both ASA?

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1881746

BTW, when you said, there is interesting traffic, but if you reinitiate the traffic, the SA will come up. Do you mean that you clear down the tunnel and it is able to build the new SA? How many lines of crypto ACL do you have configured?

Before you clear down the tunnel, are you not able to pass any traffic? If you have more than one line of crypto ACL, does it happen to all ACL lines or just one particular one? And when you can't pass traffic, what does the output of "show cry ipsec sa" say?

Hi,

Do you have keepalive configured on both ASA?   

Yes. Below is the config from my side; the other side also has the same thing.


group-policy TCH1 internal
group-policy TCH1 attributes
 vpn-idle-timeout none

tunnel-group 94.20*.* type ipsec-l2l
tunnel-group 94.20*.* general-attributes
 default-group-policy TCH1

BTW, when you said, there is interesting traffic, but if you reinitiate the traffic, the SA will come up. Do you mean that you clear down the tunnel and it is able to build the new SA? How many lines of crypto ACL do you have configured?

No, I am not manually terminating the tunnel. It seems that after a specific time the tunnel goes down, but pings to the other side's IPs are still running. The following is the crypto ACL we have.


access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.7.19 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.7.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.15.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.30.1.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.11.1.100 10.50.8.0 255.255.255.0

show crypto ipsec sa output:

access-list outside_140_cryptomap permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.2.26/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
      current_peer: 94.20*.*
      #pkts encaps: 2608, #pkts encrypt: 2608, #pkts digest: 2608
      #pkts decaps: 1250, #pkts decrypt: 1250, #pkts verify: 1250
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2608, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 94.***, remote crypto endpt.: 94.20.*.*
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6F72A08C
    inbound esp sas:
      spi: 0x28AA0C31 (682232881)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 559, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824977/19502)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6F72A08C (1869783180)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 559, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824961/19502)
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: outside_map, seq num: 140, local addr: 94.20.*.*
      access-list outside_140_cryptomap permit ip host 10.11.1.100 10.50.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.11.1.100/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
      current_peer: 94.200.*.*
      #pkts encaps: 4750, #pkts encrypt: 4750, #pkts digest: 4750
      #pkts decaps: 4750, #pkts decrypt: 4750, #pkts verify: 4750
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4750, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 94.200.*.*, remote crypto endpt.: 94.200.*.*
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F097590C
    inbound esp sas:
      spi: 0x220E1D6C (571350380)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 559, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3823481/22674)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xF097590C (4036450572)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 559, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3823481/22674)
         IV size: 8 bytes
         replay detection support: Y
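The paste above is the kind of output one reads by hand to answer the questions in this thread: how many SA pairs actually got negotiated (one per crypto ACL line that has seen interesting traffic, not one per ACL line), whether a given SA is sending packets but receiving none, and how much key lifetime is left before a rekey. The following parser is an added example written for this page, not code from the thread or from Cisco. It splits `show crypto ipsec sa` output at each `local ident` line, pulls the proxy identities, the encaps/decaps counters and the inbound SA's remaining lifetime, and flags one-way SAs and SAs close to rekeying. The sample output is constructed to resemble the poster's paste, with the public addresses replaced by RFC 5737 documentation addresses and the second entry altered so both checks fire.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's "show crypto ipsec sa" paste.
# Public addresses are documentation ranges (RFC 5737), not the poster's.
# The second entry is deliberately altered: no decapsulated packets and an
# SA about to rekey, so both checks below have something to report.
SAMPLE_OUTPUT = """\
    Crypto map tag: outside_map, seq num: 140, local addr: 198.51.100.1

      access-list outside_140_cryptomap permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.2.26/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
      current_peer: 203.0.113.1
      #pkts encaps: 2608, #pkts encrypt: 2608, #pkts digest: 2608
      #pkts decaps: 1250, #pkts decrypt: 1250, #pkts verify: 1250
      #send errors: 0, #recv errors: 0
      current outbound spi: 6F72A08C
    inbound esp sas:
      spi: 0x28AA0C31 (682232881)
         sa timing: remaining key lifetime (kB/sec): (3824977/19502)
    outbound esp sas:
      spi: 0x6F72A08C (1869783180)
         sa timing: remaining key lifetime (kB/sec): (3824961/19502)
    Crypto map tag: outside_map, seq num: 140, local addr: 198.51.100.1

      access-list outside_140_cryptomap permit ip host 10.11.1.100 10.50.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.11.1.100/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.50.8.0/255.255.255.0/0/0)
      current_peer: 203.0.113.1
      #pkts encaps: 4750, #pkts encrypt: 4750, #pkts digest: 4750
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: F097590C
    inbound esp sas:
      spi: 0x220E1D6C (571350380)
         sa timing: remaining key lifetime (kB/sec): (3823481/120)
    outbound esp sas:
      spi: 0xF097590C (4036450572)
         sa timing: remaining key lifetime (kB/sec): (3823481/120)
"""


@dataclass
class IpsecSa:
    local: str          # local proxy identity, e.g. 10.10.2.26/255.255.255.255
    remote: str         # remote proxy identity
    peer: str           # current_peer address
    encaps: int         # packets sent into the tunnel on this SA
    decaps: int         # packets received from the tunnel on this SA
    remaining_kb: int   # inbound SA key lifetime left, kilobytes
    remaining_sec: int  # inbound SA key lifetime left, seconds


_IDENT = r"\(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)"
_LOCAL = re.compile(r"local ident " + _IDENT)
_REMOTE = re.compile(r"remote ident " + _IDENT)
_PEER = re.compile(r"current_peer: (\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_TIMING = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """Split the output at each 'local ident' line and build one record per SA pair."""
    sas = []
    for chunk in re.split(r"(?m)^(?=[ \t]*local ident )", text):
        local = _LOCAL.search(chunk)
        if not local:
            continue  # preamble before the first SA (crypto map tag, access-list line)
        remote = _REMOTE.search(chunk)
        timing = _TIMING.search(chunk)  # first match in the chunk is the inbound SA
        sas.append(IpsecSa(
            local="/".join(local.groups()),
            remote="/".join(remote.groups()),
            peer=_PEER.search(chunk).group(1),
            encaps=int(_ENCAPS.search(chunk).group(1)),
            decaps=int(_DECAPS.search(chunk).group(1)),
            remaining_kb=int(timing.group(1)),
            remaining_sec=int(timing.group(2)),
        ))
    return sas


def assess(sas: list[IpsecSa], min_lifetime_sec: int = 600) -> list[str]:
    """Flag SAs that send but never receive, and SAs close to rekeying."""
    findings = []
    for sa in sas:
        label = f"{sa.local} -> {sa.remote}"
        if sa.encaps > 0 and sa.decaps == 0:
            findings.append(f"{label}: {sa.encaps} packets sent, none received; "
                            "check the peer's mirror ACL line and return routing")
        if sa.remaining_sec < min_lifetime_sec:
            findings.append(f"{label}: only {sa.remaining_sec}s of key lifetime left, "
                            "rekey imminent")
    return findings


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(f"{len(sas)} SA pair(s) negotiated")
    for line in assess(sas):
        print(line)
```

Comparing `len(parse_ipsec_sa(...))` with the number of crypto ACL lines gives the "only 2 SAs built" observation made in the next reply without reading the paste by eye; an SA whose `decaps` stays at zero while `encaps` climbs is the pattern to look for when pings keep going out but nothing comes back.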

Looks like you only have 2 SAs built (2 ACL lines).

When you say the ping is still running, do you mean that you are getting "Request timed out" when the SA is cleared down?

Can you share the crypto ACL on the other side of the tunnel as well? Are they mirror images? What device is the remote VPN end?
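The mirror-image question above is the check that decides whether each ACL line can produce a working SA: every `permit ip SRC DST` line on one ASA needs a `permit ip DST SRC` line on the peer, because the proxy identities negotiated in phase 2 must match exactly. The following is an added example for this page, not code from the thread or from Cisco. It parses ASA `access-list ... extended permit ip` lines (`host X`, `X MASK` and `any` operands) into source/destination network pairs with the standard library's `ipaddress` module and reports which mirrored lines the peer lacks and which extra lines it carries. The local ACL is the one posted in the thread; the remote ACL and its name `outside_1_cryptomap` are constructed for the demonstration, since the thread does not show the other side.

```python
import ipaddress

# Crypto ACL of the local ASA, as posted in the thread.
LOCAL_ACL = """\
access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.7.19 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.10.2.26 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.7.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.10.15.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip 10.30.1.0 255.255.255.0 10.50.8.0 255.255.255.0
access-list outside_140_cryptomap extended permit ip host 10.11.1.100 10.50.8.0 255.255.255.0
"""

# Constructed crypto ACL for the remote peer (the thread does not show it).
# It mirrors seven of the eight local lines, omits the 10.30.1.0/24 line and
# adds a 10.10.9.0/24 line the local side knows nothing about.
REMOTE_ACL = """\
access-list outside_1_cryptomap extended permit ip 10.50.1.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.50.8.0 255.255.255.0 host 10.10.7.19
access-list outside_1_cryptomap extended permit ip 10.50.8.0 255.255.255.0 host 10.10.2.26
access-list outside_1_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.50.8.0 255.255.255.0 host 10.11.1.100
access-list outside_1_cryptomap extended permit ip 10.50.8.0 255.255.255.0 10.10.9.0 255.255.255.0
"""


def _network(tokens, i):
    """Parse one ASA address operand (host X | X MASK | any); return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts "addr/netmask" and normalises it to prefix notation
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(text, name):
    """Return the set of (src, dst) CIDR pairs from 'permit ip' lines of the named ACL."""
    pairs = set()
    for line in text.splitlines():
        t = line.split()
        if t[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue  # other ACLs, deny lines and non-ip protocols are not proxy identities
        src, i = _network(t, 5)
        dst, _ = _network(t, i)
        pairs.add((str(src), str(dst)))
    return pairs


def mirror_gaps(local_pairs, remote_pairs):
    """Mirrored lines the remote side lacks, and lines it carries that the local side does not."""
    expected = {(dst, src) for src, dst in local_pairs}
    missing = sorted(expected - remote_pairs)
    extra = sorted(remote_pairs - expected)
    return missing, extra


if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_ACL, "outside_140_cryptomap")
    remote = parse_crypto_acl(REMOTE_ACL, "outside_1_cryptomap")
    missing, extra = mirror_gaps(local, remote)
    for src, dst in missing:
        print(f"remote is missing: permit ip {src} {dst}")
    for src, dst in extra:
        print(f"remote has an unmatched line: permit ip {src} {dst}")
```

A line in `missing` is one whose interesting traffic will never bring up an SA from the local side, and a line in `extra` is one the remote will try to negotiate and the local side will reject; both show up in the logs as phase 2 proposal mismatches rather than as a tunnel that "breaks down".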