Tunnel Stability Problems

jimmym
Level 1

Hi,

I have been working with my ASA 5505 VPN Concentrator to maintain a connection with one of my remote sites.  I have several tunnels that work fine and don't have any issues at all, but one tunnel with outside IP ending in 146 and inside LAN 192.168.3.0 goes down every 24 hours.  Attached is the config from the concentrator.  I changed around the Security Association Lifetime settings and the tunnel would drop after that amount of time expired.  If I set it to 24 hours, the tunnel would drop every 24 hours.  If I set it to 8 hours it would go down every 8 hours.

I have swapped the router a few times, double and triple checked my key settings, disabled keepalives on both ends, and this problem just started happening a few weeks ago after working fine for years.  I also get the following e-mail error every time it goes down:

<161>Jul 10 2011 16:19:47: %ASA-1-713900: Group = xxx.xxx.xxx.146, IP = xxx.xxx.xxx.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

I am still pretty new to this whole Cisco thing, but hopefully there is enough here to be helpful.  Let me know if you need more information.

Thanks a lot for the help!

6 Replies

Pavel Pokorny
Level 1

Hi,

Here is the fragment of your config for the VPN you mentioned:

crypto map outside_map 1 match address outside_4_cryptomap_1
crypto map outside_map 1 set peer xxx.xxx.xxx.146
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
access-list outside_4_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
tunnel-group xxx.xxx.xxx.146 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable

From this point everything looks OK.

I would like to know 2 things:

Are you able to put the config for the remote side here?

Are you able to tell the IKE parameters that are chosen (but the problem will mostly be in the IPsec settings)?

Thank you

Pavel

Thanks for the reply,

Gosh, as far as I can tell I can't add more attachments.  However, below are some screenshots of the remote router.  As you can see it's a pretty simple Linksys that has worked for the longest time.  In my opinion looking at the remote router is a red herring, but anything that will get me closer to a fix I will do.

I am using ASDM 5.2 to look at the concentrator..... so if you can divine what the problem is and point me in the right direction to fix it I would be eternally grateful.  Hopefully below is what you are looking for.


Hi,

Nice, easy setup - with nothing wrong on first look.

In my case I would try the following:

- what does the log on the Linksys say?

- try to turn on keepalives on both sides (even though the Linksys is not full Cisco, it should be working)

- I haven't found any problem related to ASA and Linksys connections, but seeing the cfg I would upgrade the software in the ASA, and maybe in the Linksys too.

HTH

Pavel

Hi,

Can you try crypto isakmp invalid spi-recovery? (check the syntax please)..?

Hi,

I'm afraid this command will not work on the ASA - I haven't found it.

Pavel

Gustavo Medina
Cisco Employee

Hi,

So it's failing at the rekey. Right now you have PH1 and PH2 lifetimes with the same values, which could cause issues at the time of the rekey; however, you mentioned that you had the problem too when using the default 28800 (8 hrs).

To find out the root cause of the issue, let's first of all use a bigger value for the PH1 lifetime than the one for PH2.

Wait for the rekey to happen and get the following outputs from the ASA:

debug cry isa 150

debug cry ipsec 150

For your troubleshooting session you can use lower values for both lifetimes so you don't have to wait 8 hours to gather the info; just make sure the PH1 lifetime is bigger than the PH2 lifetime.

Regards,
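Two things in this thread are mechanical enough to check with a script rather than by eye: whether the IKE phase 1 (isakmp policy) lifetime is larger than the phase 2 (crypto map SA) lifetime, as the last reply recommends, and whether the %ASA-1-713900 "No SPI to identify Phase 2 SA" messages for a peer recur at the configured SA lifetime, which is the pattern the original poster describes. The following is an added example, not code from the thread or from Cisco; the config fragment and syslog lines it embeds are constructed (documentation addresses, 203.0.113.146 and 198.51.100.7, stand in for the real peers), and the `crypto isakmp policy N` / `lifetime S` layout is the ASA 7.x/8.x style assumed here.

```python
"""Check ASA IKE/IPsec lifetime ordering and look for SA-lifetime-periodic drops.

Added example: parses a constructed ASA config fragment and constructed
%ASA-1-713900 syslog lines in the format quoted in the thread.
"""
import re
from datetime import datetime

# Constructed config fragment (not the thread's attachment). Phase 1 and
# phase 2 lifetimes deliberately equal, the situation the last reply flags.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto map outside_map 1 match address outside_4_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.146
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
"""

# Constructed syslog lines: three drops for one peer roughly 86400 s apart,
# one unrelated message, and one drop for a different peer.
SAMPLE_SYSLOG = [
    "<161>Jul 10 2011 16:19:47: %ASA-1-713900: Group = 203.0.113.146, IP = 203.0.113.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!",
    "<165>Jul 10 2011 16:20:03: %ASA-5-713120: Group = 203.0.113.146, IP = 203.0.113.146, PHASE 2 COMPLETED (msgid=0abc1234)",
    "<161>Jul 11 2011 16:19:52: %ASA-1-713900: Group = 203.0.113.146, IP = 203.0.113.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!",
    "<161>Jul 11 2011 20:02:10: %ASA-1-713900: Group = 198.51.100.7, IP = 198.51.100.7, construct_ipsec_delete(): No SPI to identify Phase 2 SA!",
    "<161>Jul 12 2011 16:19:45: %ASA-1-713900: Group = 203.0.113.146, IP = 203.0.113.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!",
]

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
P1_LIFE_RE = re.compile(r"^\s+lifetime (\d+)\s*$")
P2_LIFE_RE = re.compile(r"^crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)\s*$")
SYSLOG_RE = re.compile(r"^<\d+>(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(\d+): (.*)$")
PEER_RE = re.compile(r"IP = ([\d.]+)")


def parse_lifetimes(config):
    """Return ({policy_number: phase1_seconds}, {"map seq": phase2_seconds})."""
    phase1, phase2 = {}, {}
    policy = None  # which isakmp policy sub-mode we are inside, if any
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = int(m.group(1))
            continue
        m = P1_LIFE_RE.match(line)
        if m and policy is not None:
            phase1[policy] = int(m.group(1))
            continue
        if not line.startswith(" "):
            policy = None  # a top-level command ends the policy sub-mode
        m = P2_LIFE_RE.match(line)
        if m:
            phase2[f"{m.group(1)} {m.group(2)}"] = int(m.group(3))
    return phase1, phase2


def lifetime_problems(config):
    """List every (phase 1, phase 2) pair where phase 1 is not strictly larger."""
    phase1, phase2 = parse_lifetimes(config)
    findings = []
    for entry, p2 in phase2.items():
        for policy, p1 in phase1.items():
            if p1 <= p2:
                findings.append(f"isakmp policy {policy} lifetime {p1}s is not greater than {entry} SA lifetime {p2}s")
    return findings


def parse_no_spi_events(lines):
    """Extract (timestamp, peer) for each %ASA-1-713900 'No SPI' message."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group(2) != "713900" or "No SPI to identify Phase 2 SA" not in m.group(3):
            continue
        peer = PEER_RE.search(m.group(3))
        if not peer:
            continue
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %Y %H:%M:%S")
        events.append((ts, peer.group(1)))
    return events


def drop_intervals(events):
    """Seconds between consecutive drops, per peer (empty list for a single drop)."""
    by_peer = {}
    for ts, peer in sorted(events):
        by_peer.setdefault(peer, []).append(ts)
    return {peer: [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
            for peer, stamps in by_peer.items()}


def recurs_at_lifetime(intervals, lifetime, tolerance=0.05):
    """True when at least two intervals all sit within tolerance of the lifetime."""
    return len(intervals) >= 2 and all(abs(iv - lifetime) <= tolerance * lifetime for iv in intervals)


if __name__ == "__main__":
    for finding in lifetime_problems(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    _, phase2 = parse_lifetimes(SAMPLE_CONFIG)
    for peer, ivs in drop_intervals(parse_no_spi_events(SAMPLE_SYSLOG)).items():
        for entry, life in phase2.items():
            if recurs_at_lifetime(ivs, life):
                print(f"LOG: {peer} drops every ~{life}s, matching {entry}")
```

Run against a real `show running-config` and a syslog export, the config check reproduces the "PH1 bigger than PH2" rule from the last reply, and the log check turns the "it drops every N hours" observation into something you can confirm from timestamps alone, before collecting the `debug crypto isakmp` / `debug crypto ipsec` output the reply asks for.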
