08-10-2010 11:53 AM
Hello
I have a problem with a VPN connection between an ASA5505 and a 3825 router.
Behind the ASA we have a server which is serving on a specific port. If for some reason the link is disconnected, the VPN will not become active unless we generate traffic from this server. After generating even a ping, the VPN immediately becomes active and communication starts. Another case is when we reboot the ASA: the VPN is not created without a ping from the server behind this ASA.
How could we solve this without sending traffic from that server?
How can I access this ASA remotely? Can I access the internal interface? If I open access on port 443 on the outside interface of the ASA, could I access it? Or do I also have to exclude this traffic from the VPN?
I used the VPN wizard to configure the ASA and the CLI on the router.
Some commands from troubleshooting and the configuration follow; if this is not enough, please let me know what else you need.
thank you in advance for your help
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.10.10.1
Type : L2L Role : initiator
Rekey : no State : AM_ACTIVE
Configuration from ASA:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.10.10.1
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Configuration from main router:
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key 6 _JQfe[BeRGNBCGfbGxxxxxxxxx address 10.10.10.10
crypto ipsec transform-set xxxxx esp-des esp-md5-hmac
crypto map ETH0 2696 ipsec-isakmp
set peer 10.10.10.10
set transform-set xxxxx
match address 2001
access-list 2001 permit ip any 192.168.26.96 0.0.0.7
Message was edited by: adriatikb. I just read somewhere that if I could change the VPN type from "bi-directional" to either "initiator" or "responder" it could help me, but I tested it and got no result.
09-01-2010 02:26 PM
I had the same problem last week, and the TAC Engineer on our service ticket had me downgrade from IOS 8.2(3) to 8.2(1). Since then it has been working great.
01-01-2011 03:28 AM
Hi,
Looks like there is a phase 2 mismatch.
From the crypto configuration i see that you have pfs enabled on ASA but not on router. Please remove the following command:
crypto map outside_map 1 set pfs group1
Regards,
Anisha.
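As an added example (not from the thread, and not Cisco's own tooling), a small Python checker that applies the diagnosis above and the DPD advice in this thread to the two config snippets: it parses the crypto map entries of both peers and flags a PFS or transform-set mismatch and a peer with no keepalive configured. The config strings are constructed from the snippets posted in the thread and cover only the phase-2 lines.

```python
import re

# Constructed sample snippets modelled on the ASA and router configs posted in the thread.
ASA_CFG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.10.10.1
crypto map outside_map 1 set transform-set ESP-DES-MD5
"""
IOS_CFG = """\
crypto isakmp keepalive 15 periodic
crypto ipsec transform-set xxxxx esp-des esp-md5-hmac
crypto map ETH0 2696 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set xxxxx
 match address 2001
"""

def parse_side(cfg):
    """Extract the phase-2 parameters (PFS, transform-set, DPD) of one peer."""
    sets, side = {}, {"pfs": None, "transform": None, "dpd": False}
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
            continue
        if re.match(r"crypto isakmp keepalive|isakmp keepalive", line):
            side["dpd"] = True  # IOS global form or ASA tunnel-group form
            continue
        # ASA writes 'crypto map NAME SEQ set ...'; IOS nests ' set ...' under the map
        line = re.sub(r"^crypto map \S+ \d+ ", "", line)
        if m := re.match(r"set pfs (\S+)", line):
            side["pfs"] = m.group(1)
        if m := re.match(r"set transform-set (\S+)", line):
            side["transform"] = m.group(1)
    side["algos"] = sets.get(side["transform"])  # algorithms the map actually proposes
    return side

def find_mismatches(cfg_a, cfg_b):
    """Return the phase-2 / DPD findings that would keep this tunnel from coming up cleanly."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    findings = []
    if a["pfs"] != b["pfs"]:
        findings.append(f"pfs mismatch: {a['pfs']} vs {b['pfs']}")
    if a["algos"] != b["algos"]:
        findings.append(f"transform mismatch: {sorted(a['algos'] or [])} vs {sorted(b['algos'] or [])}")
    for name, s in (("side A", a), ("side B", b)):
        if not s["dpd"]:
            findings.append(f"{name}: no DPD keepalive configured")
    return findings
```

Running `find_mismatches(ASA_CFG, IOS_CFG)` reports the PFS mismatch and the missing ASA keepalive; removing the `set pfs` line and adding `isakmp keepalive threshold 15 retry 10` on the ASA side clears both.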
08-15-2010 01:03 PM
You need to enable DPD (Dead Peer Detection) on both ends, router and firewall.
Any IOS version:
router(config)#crypto isakmp keepalive 15 periodic
Under PIX code 6.x:
pix(config)#isakmp keepalive 15
Under ASA code 7.x and above, enable (isakmp keepalive 15) under the tunnel-group:
tunnel-group
isakmp keepalive threshold 15 retry 10
Here are some references.
A must-have link for L2L troubleshooting reference:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution07
IOS DPD, how it works:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtdpmo.html
Another option you could use to keep the tunnel up if it is idle for a long period of time, without using DPD: if this tunnel is for example to a trusted branch, you could set up an NTP server at one end and configure a Cisco device at the other end to poll NTP from that server. The NTP packets are very small (128kb), so this will keep your tunnel up at all times; but if this is not your case, then DPD is what you need.
Good luck
Regards
08-31-2010 12:03 AM
Thank you for your reply.
What I use till now is something similar to your last proposal with the NTP server: I use a cron job every 1 hour with 5 pings.
Also I use SLA monitoring:
sla monitor 1
type echo protocol ipIcmpEcho 192.168.6.2 interface inside
threshold 1000
sla monitor schedule 1 life forever start-time now
I don't know which one of them is working, but it is fine till now; today I will also try your DPD proposal on both tunnel ends.
I have another issue which seems different from the other ASA5510/5520.
I can't access and manage the ASA5505 from the outside interface, even though I have configured all the needed lines for this.
HTTPS and SSH are not working from outside, even though this traffic is not interesting traffic of the VPN.
Any suggestion, please?
AB
09-06-2010 02:21 AM
I just downgraded and it seems that it is working.
Thanks
AB
12-27-2010 03:24 AM
Hello,
I have the same issue with the other ASA 5505 firewall. I have the same configuration as the first one, which is working now.
The problem is the same even though I have downgraded the image to 8.2.1.
The tunnel can only be initiated on one site, from the ASA side. If the VPN is down and the first request comes from the router side, it will not start the tunnel.
In the debug I can see the messages below:
Dec 27 03:21:14 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0x833fdbf6)!
Dec 27 03:21:14 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from correlator table failed, no match!
Dec 27 03:21:35 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0x5fde46d5)!
Dec 27 03:21:35 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from correlator table failed, no match!
Dec 27 03:21:45 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, QM FSM error (P2 struct &0xc9239b08, mess id 0xa3080eec)!
Dec 27 03:21:45 [IKEv1]: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from correlator table failed, no match!
Could you suggest to me what to do in this case?
Thanks
12-29-2010 05:34 AM
Hi,
Could you post "debug cry isa" and "debug cry ips" from the router and "debug cry isa 127" and "debug cry ips 127" from the ASA when initiating the tunnel from the router?
Cheers,
Prapanch
12-29-2010 06:03 AM