01-08-2013 08:47 PM
We have a site-to-site VPN with our business partner. Site A is a 5515 and Site B is a McAfee (Sidewinder) firewall.
Randomly the VPN will drop and the application will stop working. All applications are running from Site A (where the 5515 is residing).
Sometimes the application fails even though the VPN is up. What is odd is that if I reset the VPN on the ASA and McAfee side, the application will start working after restarting the application.
Also, the performance of the application is not good. I tried adjusting the sysopt MSS but it did not help.
I am not sure what is wrong with this configuration.
I was wondering if you guys have any advice?
NOTE: The application is TCP based and does a lot of writes on the other side of the VPN (Site B) to the Oracle database server.
I was also wondering what the purpose of timeout tcp-proxy-reassembly 0:01:00 is.
Here is the ASA config.
ASA Version 8.6(1)
!
hostname as-ciscoasa-5515
domain-name xxxsystems.com
enable password IwcadQrUfCKovNfC encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Outside Interface of new firewall
nameif outside
security-level 0
ip address xx.13.8.50 255.255.255.248
!
interface GigabitEthernet0/1
description inside interface of new firewall
nameif inside
security-level 100
ip address 192.168.207.254 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ interface for Web & Ftp server
nameif dmz
security-level 50
ip address 10.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Out of Band Management Interface
nameif management
security-level 90
ip address 192.168.1.1 255.255.255.0
management-only
!
!
time-range 24x7
!
banner login *********************************************************
banner login THIS SYSTEM IS FOR xxxx SYSTEMS INC. USE ONLY !!!!!
banner login Unauthorized access to and/or use of this computer system
banner login is violation of law and is punishable under provisions of
banner login applicable statutes. Use of this system constitutes consent
banner login to security testing and monitoring.
banner login *********************************************************
banner asdm *********************************************************
banner asdm THIS SYSTEM IS FOR xxxx SYSTEMS INC. USE ONLY !!!!!
banner asdm Unauthorized access to and/or use of this computer system
banner asdm is violation of law and is punishable under provisions of
banner asdm applicable statutes. Use of this system constitutes consent
banner asdm to security testing and monitoring.
banner asdm *********************************************************
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 68.115.71.53
name-server 24.196.64.53
domain-name xxxxystems.com
object network dotsubnet218
subnet 10.147.218.0 255.255.254.0
object network dotsubnet4
subnet 10.147.4.0 255.255.255.0
object network dotsubnet50
subnet 10.147.50.0 255.255.254.0
object network dotsubnet7
subnet 10.147.7.0 255.255.255.0
object network dotsubnet90
subnet 10.147.90.0 255.255.254.0
object network inside-network
subnet 192.168.207.0 255.255.255.0
description inside network
object network inside-out
subnet 192.168.207.0 255.255.255.0
object network oraop01
host 10.147.90.56
object service www
service tcp source eq www destination eq www
object network www1
host 192.168.207.235
object network 5515
host 192.168.207.35
object network webserver
host 71.13.8.51
description Web Server IP Address (Inside)
object network new-www
host 192.168.207.235
object-group network DM_INLINE_NETWORK_1
network-object object dotsubnet7
network-object object dotsubnet90
network-object object dotsubnet4
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_2
network-object object dotsubnet4
network-object object dotsubnet7
network-object object dotsubnet90
network-object object oraop01
object-group network DM_INLINE_NETWORK_3
network-object object dotsubnet4
network-object object dotsubnet7
network-object object dotsubnet90
network-object object oraop01
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object inside-network object-group DM_INLINE_NETWORK_3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list global_access extended permit icmp any any
access-list global_access extended permit icmp any object new-www
access-list global_access extended permit tcp any object new-www eq www
access-list xxxxxx-Systems-Subnet remark Allow Access to xxxxxxSystems Network
access-list xxxxxx-Systems-Subnet standard permit 192.168.207.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1400
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN-DHCP-Pool 192.168.206.10-192.168.206.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.147.0.0 255.255.0.0 outside
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
!
object network inside-out
nat (any,outside) static interface
object network new-www
nat (inside,outside) static 71.13.8.51
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 71.13.8.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 60
http 192.168.1.0 255.255.255.0 management
http 192.168.207.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1100
sysopt connection preserve-vpn-flows
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.134.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 43200
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime none
telnet timeout 5
ssh 192.168.207.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
dhcpd address 192.168.207.21-192.168.207.234 inside
dhcpd dns 68.115.71.53 interface inside
dhcpd ping_timeout 750 interface inside
dhcpd domain xxxxxxsystems.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5
webvpn
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
group-policy GroupPolicy_x.x.134.2 internal
group-policy GroupPolicy_x.x.134.2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy internal
group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy attributes
banner value *********************************************************
banner value THIS SYSTEM IS FOR xxxxxx SYSTEMS INC. USE ONLY !!!!!
banner value Unauthorized access to and/or use of this computer system
banner value is violation of law and is punishable under provisions of
banner value applicable statutes. Use of this system constitutes consent
banner value to security testing and monitoring.
banner value *********************************************************
dns-server value 192.168.207.235
vpn-access-hours value 24x7
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value xxxxxx-Systems-Subnet
vpn-tunnel-protocol ikev1
password-storage enable
ip-comp enable
re-xauth enable
group-lock value RemoteAccessVPN-xxxxxxSystems-Inc
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelall
default-domain value xxxxxxsystems.com
username milind password ASZJyNjPKDhBt550 encrypted
username milind attributes
vpn-group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy
group-lock value RemoteAccessVPN-xxxxxxSystems-Inc
username admin password xybduiDZ39uOf5jx encrypted privilege 15
username garyl password iS0J9AX.XdOV.UtO encrypted
username garyl attributes
vpn-group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy
group-lock value RemoteAccessVPN-xxxxxxSystems-Inc
username dshah password QFCzXoiTw/uLllIy encrypted privilege 15
tunnel-group x.x.134.2 type ipsec-l2l
tunnel-group x.x.134.2 general-attributes
default-group-policy GroupPolicy_x.x.134.2
tunnel-group x.x.134.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group RemoteAccessVPN-xxxxxxSystems-Inc type remote-access
tunnel-group RemoteAccessVPN-xxxxxxSystems-Inc general-attributes
address-pool VPN-DHCP-Pool
default-group-policy RemoteAccessVPN-xxxxxxSystems-Inc-Group-Policy
tunnel-group RemoteAccessVPN-xxxxxxSystems-Inc ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 13
subscribe-to-alert-group configuration periodic monthly 13
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a73c56c195e2d9215cddece3066cd891
: end
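Added example, not part of the original post and not Cisco tooling: a small Python script that pulls the VPN-relevant lines out of an ASA config like the one posted and flags what a reviewer would look at first. It parses a constructed excerpt of the posted lines and reports the IKEv1 policy (3DES, MD5, DH group 2, lifetime none), the ESP-3DES-MD5 transform set selected by the static crypto map entry, the rc4-md5 SSL cipher and the permit ip any any ACL, and it checks the posted tcpmss 1100 against the outside MTU of 1400. The 100-byte IPsec overhead bound, the finding codes, the Oracle listener port and the hardened values (AES-256, SHA, group 14, 86400-second lifetime, aes256-sha1) are this example's assumptions, not settings from the post, and should be checked against the ASA release in use. None of this explains the tunnel drops by itself; it clears the MSS question and lists the settings worth changing while the drops are investigated.

```python
"""Static review of ASA site-to-site VPN settings (added example, not Cisco code).

Parses a config excerpt and flags weak IKEv1/IPsec/SSL settings, permit-any
ACLs, and a TCP MSS too large for the outside MTU after ESP encapsulation.
"""
import re

WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}            # 768/1024/1536-bit MODP
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_SSL_TOKENS = ("rc4", "des", "md5", "null")

# Assumed conservative upper bound for tunnel-mode ESP overhead (outer IP
# header, ESP header, IV, padding, trailer, ICV) with the AES/3DES and
# SHA1/MD5 transforms in the posted config.
IPSEC_OVERHEAD_BYTES = 100
IP_TCP_HEADERS = 40

# Constructed excerpt of the posted config: only the lines the checks read.
SAMPLE_CONFIG = """\
mtu outside 1400
mtu inside 1500
access-list inside_access_in extended permit ip any any
access-list global_access extended permit icmp any any
sysopt connection tcpmss 1100
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime none
telnet timeout 5
ssl encryption rc4-md5
"""

# Constructed hardened variant (assumed values; 1521 is assumed to be the
# Oracle listener port; confirm each keyword is accepted by your ASA release).
HARDENED_CONFIG = """\
mtu outside 1400
access-list inside_access_in extended permit tcp object inside-network object oraop01 eq 1521
sysopt connection tcpmss 1100
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
ssl encryption aes256-sha1
"""


def parse_asa(text):
    """Extract the MTU, MSS, transform sets, static crypto map selections,
    IKEv1 policies, SSL ciphers and permit-any ACL entries from ASA config text."""
    cfg = {"mtu": {}, "tcpmss": None, "transform_sets": {}, "map_transform_sets": [],
           "ikev1_policies": {}, "ssl_ciphers": [], "acl_permit_any": []}
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if policy is not None:
            # Forum paste strips indentation, so a policy block ends at the
            # first line that is not one of its sub-commands.
            m = re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)
            if m:
                cfg["ikev1_policies"][policy][m.group(1)] = m.group(2)
                continue
            policy = None
        if m := re.match(r"mtu (\S+) (\d+)$", line):
            cfg["mtu"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"sysopt connection tcpmss (\d+)$", line):
            cfg["tcpmss"] = int(m.group(1))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line):
            cfg["transform_sets"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto map \S+ \d+ set ikev1 transform-set (.+)$", line):
            cfg["map_transform_sets"].extend(m.group(1).split())
        elif m := re.match(r"crypto ikev1 policy (\d+)$", line):
            policy = m.group(1)
            cfg["ikev1_policies"][policy] = {}
        elif m := re.match(r"ssl encryption (.+)$", line):
            cfg["ssl_ciphers"] = m.group(1).split()
        elif m := re.match(r"access-list (\S+) extended permit (\S+) any any$", line):
            cfg["acl_permit_any"].append((m.group(1), m.group(2)))
    return cfg


def max_safe_mss(outside_mtu):
    """Largest MSS whose segments still fit the outside MTU after ESP tunnel encapsulation."""
    return outside_mtu - IP_TCP_HEADERS - IPSEC_OVERHEAD_BYTES


def audit(cfg):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    out = []
    for pid, pol in cfg["ikev1_policies"].items():
        if pol.get("encryption") in WEAK_IKE_ENC:
            out.append(("IKE-WEAK-ENC", f"ikev1 policy {pid}: encryption {pol['encryption']}"))
        if pol.get("hash") in WEAK_IKE_HASH:
            out.append(("IKE-WEAK-HASH", f"ikev1 policy {pid}: hash {pol['hash']}"))
        if pol.get("group") in WEAK_DH_GROUPS:
            out.append(("IKE-WEAK-DH", f"ikev1 policy {pid}: DH group {pol['group']}"))
        if pol.get("lifetime") == "none":
            out.append(("IKE-NO-LIFETIME", f"ikev1 policy {pid}: phase 1 SA is never rekeyed"))
    for name in cfg["map_transform_sets"]:
        weak = set(cfg["transform_sets"].get(name, ())) & WEAK_ESP
        if weak:
            out.append(("ESP-WEAK", f"crypto map selects {name}: {' '.join(sorted(weak))}"))
    for cipher in cfg["ssl_ciphers"]:
        if any(tok in cipher for tok in WEAK_SSL_TOKENS):
            out.append(("SSL-WEAK", f"ssl encryption {cipher}"))
    for acl, proto in cfg["acl_permit_any"]:
        out.append(("ACL-ANY-ANY", f"{acl} permits {proto} any any"))
    mtu = cfg["mtu"].get("outside")
    if cfg["tcpmss"] is not None and mtu is not None and cfg["tcpmss"] > max_safe_mss(mtu):
        out.append(("MSS-TOO-HIGH", f"tcpmss {cfg['tcpmss']} > {max_safe_mss(mtu)} for outside MTU {mtu}"))
    return out


if __name__ == "__main__":
    for code, msg in audit(parse_asa(SAMPLE_CONFIG)):
        print(f"{code:16} {msg}")
    print("hardened variant findings:", audit(parse_asa(HARDENED_CONFIG)))
```

Run it as-is to see the findings for the posted excerpt, or feed parse_asa the text of a full show running-config to review a live box. The MSS check is the useful negative result: 1100 bytes of payload plus 40 bytes of IP/TCP headers plus ESP overhead still fits comfortably inside a 1400-byte outside MTU, so fragmentation of MSS-clamped TCP segments is an unlikely cause of the slowness, and the remaining findings are hardening items rather than an explanation for the drops.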