
Site-to-site ASA 5505 to Nortel

ralphy006
Level 1

Hi guys,

I have a site-to-site VPN set up with an ASA to a Nortel device.

The VPN tunnel comes up, but has intermittent problems when Citrix is being used through the tunnel. The Citrix connection will drop every now and then. I will post my configs, as well as debugs of isakmp sa and ipsec sa.

My initial guess is that it is an MTU issue. The Nortel is set at 1500 MTU, but I am wondering if I need to set "mtu 1442 outside" on the ASA side, since my config shows path mtu 1500, ipsec overhead 58.

A.A.A.A: External IP of local FW

B.B.B.B: External IP of Nortel FW

C.C.C.C: Local internal subnet

D.D.D.D: Nortel side Internal subnet

Config ASA side:

access-list outside_30_cryptomap extended permit ip object-group INSIDE-C.C.C.C object-group NORTEL-D.D.D.D

tunnel-group B.B.B.B type ipsec-l2l

tunnel-group B.B.B.B ipsec-attributes

pre-shared-key XXXXXXX

!phase 2 IPSEC

crypto map outside_map 30 match address outside_30_cryptomap

crypto map outside_map 30 set pfs group2

crypto map outside_map 30 set peer B.B.B.B

crypto map outside_map 30 set transform-set ESP-3DES-MD5

crypto map outside_map 30 set security-association lifetime seconds 57600

!phase 1 ISAKMP

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 57600

isakmp keepalive threshold 60

Nortel side: matching timers, MTU (1500), and encryptions

show isakmp and ipsec:

CUSTOMER-fw01(config)# show ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 30, local addr: B.B.B.B

      access-list outside_30_cryptomap extended permit ip C.C.C.C 255.255.255.0 D.D.D.D 255.254.0.0

      local ident (addr/mask/prot/port): (C.C.C.C/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (D.D.D.D/255.254.0.0/0/0)

      current_peer: B.B.B.B

      #pkts encaps: 41513, #pkts encrypt: 41513, #pkts digest: 41513

      #pkts decaps: 53016, #pkts decrypt: 53016, #pkts verify: 53016

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 41513, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: A.A.A.A, remote crypto endpt.: B.B.B.B

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 6EAFA177

      current inbound spi : 278CC031

    inbound esp sas:

      spi: 0x278CC031 (663535665)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 16384, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3889258/55747)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x6EAFA177 (1857003895)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 16384, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3911346/55747)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

cpsystems2214-fw01(config)# show isakmp sa detail

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: B.B.B.B

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

    Encrypt : 3des            Hash    : MD5      

    Auth    : preshared       Lifetime: 57600

    Lifetime Remaining: 55729

cpsystems2214-fw01(config)# show isakmp

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: B.B.B.B

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

Global IKE Statistics

Active Tunnels: 0

Previous Tunnels: 4

In Octets: 7300

In Packets: 85

In Drop Packets: 54

In Notifys: 41

In P2 Exchanges: 0

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 2

Out Octets: 9480

Out Packets: 74

Out Drop Packets: 0

Out Notifys: 0

Out P2 Exchanges: 4

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 1

Initiator Tunnels: 6

Initiator Fails: 2

Responder Fails: 10

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

Global IPSec over TCP Statistics

--------------------------------

Embryonic connections: 0

Active connections: 0

Previous connections: 0

Inbound packets: 0

Inbound dropped packets: 0

Outbound packets: 0

Outbound dropped packets: 0

RST packets: 0

Recevied ACK heart-beat packets: 0

Bad headers: 0

Bad trailers: 0

Timer failures: 0

Checksum errors: 0

Internal errors: 0

DEBUG:

Oct 31 11:05:19 [IKEv1]: IP = B.B.B.B, Received an un-encrypted INVALID_COOKIE notify message, dropping

Oct 31 11:05:19 [IKEv1]: IP = B.B.B.B, Information Exchange processing failed

%ASA-4-713903: IP = B.B.B.B, Information Exchange processing failed

Oct 31 11:05:19 [IKEv1]: IP = B.B.B.B, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40

Oct 31 11:05:19 [IKEv1]: IP = B.B.B.B, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40

Oct 31 11:05:19 [IKEv1]: IP = B.B.B.B, Received an un-encrypted INVALID_COOKIE notify message, dropping

Oct 31 11:05:19 [IKEv1]: IP = B.B.B.B, Information Exchange processing failed

Oct 31 11:05:27 [IKEv1 DEBUG]: IP = B.B.B.B, IKE MM Responder FSM error history (struct &0xca8985b8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent

Oct 31 11:05:27 [IKEv1 DEBUG]: IP = B.B.B.B, IKE SA MM:14f60bae terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Oct 31 11:05:27 [IKEv1 DEBUG]: IP = B.B.B.B, sending delete/delete with reason message

Oct 31 11:13:02 [IKEv1 DEBUG]: IP = B.B.B.B, IKE MM Responder FSM error history (struct &0xc9508888)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent

Oct 31 11:13:02 [IKEv1 DEBUG]: IP = B.B.B.B, IKE SA MM:7455bd80 terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Oct 31 11:13:02 [IKEv1 DEBUG]: IP = B.B.B.B, sending delete/delete with reason message
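The arithmetic behind the "mtu 1442" idea (1500 path MTU minus the 58 bytes of IPsec overhead the ASA reports) and the counters that would show fragmentation are both visible in the show output above, so here is an added example, written for this thread and not taken from the poster or from Cisco, that checks them. The sample text is copied from the show ipsec sa block; the overhead formula is an assumption (fixed ESP headers plus one cipher block held back for padding) chosen because it reproduces the 58 the ASA prints for esp-3des/esp-md5-hmac.

```python
"""Added example: sanity-check the MTU theory from the 'show ipsec sa' output.

Derives the ESP tunnel-mode overhead for the negotiated transform set, the
resulting inner MTU and a safe TCP MSS, and parses the fragmentation counters
the ASA prints. The sample text below is copied from the post; the overhead
formula is an assumption that reproduces the ASA's reported value.
"""
import re

# Byte sizes used by the overhead budget (ESP in tunnel mode, IPv4 outer header).
CIPHER_BLOCK = {"des": 8, "3des": 8, "aes": 16}   # CBC IV length == block size
ICV_LEN = {"md5": 12, "sha": 12}                    # HMAC-MD5-96 / HMAC-SHA1-96
OUTER_IP, ESP_HDR, ESP_TRAILER = 20, 8, 2           # new IP hdr; SPI+seq; pad len+next hdr


def esp_overhead(cipher: str, hmac: str) -> int:
    """Worst-case bytes added per packet.

    Assumption: fixed headers + IV + trailer + ICV, plus one full cipher block
    held back for padding. For esp-3des/esp-md5-hmac this gives 58, the figure
    in the output above.
    """
    block = CIPHER_BLOCK[cipher]
    return OUTER_IP + ESP_HDR + block + ESP_TRAILER + ICV_LEN[hmac] + block


def inner_mtu(path_mtu: int, cipher: str, hmac: str) -> int:
    """Largest cleartext IP packet that fits in one encrypted packet."""
    return path_mtu - esp_overhead(cipher, hmac)


def safe_tcp_mss(path_mtu: int, cipher: str, hmac: str) -> int:
    """Inner MTU minus a plain IPv4 header (20) and TCP header (20)."""
    return inner_mtu(path_mtu, cipher, hmac) - 40


# Constructed sample: the relevant lines from the 'show ipsec sa' output above.
SHOW_IPSEC_SA = """\
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      path mtu 1500, ipsec overhead 58, media mtu 1500
         transform: esp-3des esp-md5-hmac no compression
"""

COUNTER_RE = re.compile(r"#([A-Za-z -]+?): (\d+)")
MTU_RE = re.compile(r"path mtu (\d+), ipsec overhead (\d+), media mtu (\d+)")
XFORM_RE = re.compile(r"transform: esp-(\w+) esp-(\w+)-hmac")


def parse_ipsec_sa(text: str) -> dict:
    """Extract counters, MTU figures and transform set from one SA block."""
    sa = {k.strip(): int(v) for k, v in COUNTER_RE.findall(text)}
    m = MTU_RE.search(text)
    if m:
        sa["path_mtu"], sa["ipsec_overhead"], sa["media_mtu"] = map(int, m.groups())
    m = XFORM_RE.search(text)
    if m:
        sa["cipher"], sa["hmac"] = m.groups()
    return sa


def mtu_report(sa: dict) -> dict:
    """Compare the reported overhead with the budget and flag fragmentation."""
    overhead = esp_overhead(sa["cipher"], sa["hmac"])
    frag_counters = ("pre-frag successes", "pre-frag failures",
                     "fragments created", "decapsulated frgs needing reassembly")
    return {
        "overhead_matches": overhead == sa["ipsec_overhead"],
        "inner_mtu": sa["path_mtu"] - overhead,
        "safe_mss": sa["path_mtu"] - overhead - 40,
        "fragmentation_seen": any(sa.get(k, 0) for k in frag_counters),
        "pmtu_seen": bool(sa.get("PMTUs sent", 0) or sa.get("PMTUs rcvd", 0)),
    }


if __name__ == "__main__":
    print(mtu_report(parse_ipsec_sa(SHOW_IPSEC_SA)))
```

Run against the posted output this gives an inner MTU of 1442 and a safe MSS of 1402, and every pre-frag, fragment and PMTU counter is zero. Zero counters only say the ASA itself did not fragment or receive fragments on this SA; they do not rule out a drop further along the path, so the MSS and counter check should be read together with the IKE FSM timeouts in the debug above rather than on its own.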

2 Replies

Jennifer Halim
Cisco Employee

Keep the outside MTU as 1500.

If you believe it might be an MTU issue, change the MSS value on the ASA to perhaps 1380, so the application itself negotiates a lower MTU and doesn't fragment the packet if it's over 1500.

On the ASA:

sysopt connection tcpmss 1380

Looks like the default for that value is 1380. So I shouldn't have to explicitly define that.
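What sysopt connection tcpmss does on the wire is an MSS clamp: when a TCP SYN or SYN-ACK passes through the firewall advertising a maximum segment size above the configured limit, the option is rewritten and the TCP checksum corrected, so neither endpoint ever builds a segment that would need fragmenting after ESP encapsulation. The following is an added example that models that behaviour in Python; it is not ASA code and not from either poster. The addresses, ports (1494 is used as the Citrix ICA port) and packet contents are constructed.

```python
"""Added example: model of an MSS clamp like 'sysopt connection tcpmss 1380'.

Builds a constructed IPv4 + TCP SYN, finds the MSS option, rewrites it when it
exceeds the limit, and fixes the TCP checksum. Not ASA code; the addresses and
ports are made up for the demonstration.
"""
import socket
import struct

TCP_SYN = 0x02
PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, odd length padded with a zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4 + TCP SYN carrying one MSS option (kind 2, length 4)."""
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    options = struct.pack("!BBH", 2, 4, mss)
    offset = (20 + len(options)) // 4                       # data offset in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, offset << 4, TCP_SYN, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _tcp_bounds(packet: bytes):
    """Return (IP header length, TCP header length) in bytes."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    return ihl, data_offset


def _walk_options(packet: bytes, ihl: int, data_offset: int):
    """Yield (position, kind, length) for each TCP option; stop on malformed input."""
    pos, end = ihl + 20, ihl + data_offset
    while pos < end:
        kind = packet[pos]
        if kind == 0:                       # end of option list
            return
        if kind == 1:                       # NOP, single byte
            pos += 1
            continue
        if pos + 1 >= end or packet[pos + 1] < 2:
            return                          # truncated or bogus length: do not loop forever
        length = packet[pos + 1]
        yield pos, kind, length
        pos += length


def get_mss(packet: bytes):
    """Advertised MSS, or None if the segment carries no MSS option."""
    ihl, data_offset = _tcp_bounds(packet)
    for pos, kind, length in _walk_options(packet, ihl, data_offset):
        if kind == 2 and length == 4:
            return struct.unpack("!H", packet[pos + 2:pos + 4])[0]
    return None


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Rewrite an MSS above max_mss in SYN/SYN-ACK segments; pass everything else through."""
    ihl, data_offset = _tcp_bounds(packet)
    if packet[9] != PROTO_TCP or not (packet[ihl + 13] & TCP_SYN):
        return packet                       # MSS is only meaningful on SYN segments
    buf = bytearray(packet)
    changed = False
    for pos, kind, length in _walk_options(packet, ihl, data_offset):
        if kind == 2 and length == 4 and struct.unpack("!H", packet[pos + 2:pos + 4])[0] > max_mss:
            buf[pos + 2:pos + 4] = struct.pack("!H", max_mss)
            changed = True
    if not changed:
        return packet
    buf[ihl + 16:ihl + 18] = b"\x00\x00"    # zero checksum field, then recompute over the new segment
    csum = tcp_checksum(bytes(buf[12:16]), bytes(buf[16:20]), bytes(buf[ihl:]))
    buf[ihl + 16:ihl + 18] = struct.pack("!H", csum)
    return bytes(buf)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A valid segment sums to zero when the checksum field is included."""
    ihl, _ = _tcp_bounds(packet)
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn("10.1.1.10", "10.2.2.20", 40000, 1494, 1460)
    clamped = clamp_mss(syn, 1380)
    print(get_mss(syn), "->", get_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

The clamp only touches SYN and SYN-ACK segments because the MSS option is only valid there, and it recomputes the TCP checksum over the pseudo-header plus the rewritten segment; a clamp that changed the option without fixing the checksum would have the receiving host discard the SYN, which looks exactly like a tunnel that "drops every now and then".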