07-12-2011 10:20 AM
Hi,
I have been working with my ASA 5505 VPN Concentrator to maintain a connection with one of my remote sites. I have several tunnels that work fine and don't have any issues at all, but one tunnel with outside IP ending in 146 and inside LAN 192.168.3.0 goes down every 24 hours. Attached is the config from the concentrator. I changed around the Security Association Lifetime Settings and the tunnel would drop after that amount of time expired. If I set it to 24 hours, the tunnel would drop every 24 hours. If I set it to 8 hours it would go down every 8 hours.
I have swapped the router a few times, double and triple checked my key settings, disabled keepalives on both ends, and this problem just started happening a few weeks ago after working fine for years. I also get the following e-mail error every time it goes down:
<161>Jul 10 2011 16:19:47: %ASA-1-713900: Group = xxx.xxx.xxx.146, IP = xxx.xxx.xxx.146, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
I am still pretty new to this whole Cisco thing, but hopefully there is enough here to be helpful. Let me know if you need more information.
Thanks a lot for the help!
07-14-2011 01:33 AM
Hi,
Here is a fragment of your config for the VPN you mentioned:
crypto map outside_map 1 match address outside_4_cryptomap_1
crypto map outside_map 1 set peer xxx.xxx.xxx.146
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
access-list outside_4_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
tunnel-group xxx.xxx.xxx.146 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
From this point everything looks ok.
I would like to know 2 things:
Are you able to put here config for remote side?
Are you able to tell the IKE parameters which are chosen (but the problem will mostly be in the IPsec settings)?
Thank you
Pavel
07-14-2011 11:17 AM
Thanks for the reply,
Gosh, as far as I can tell I can't add more attachments. However, below are some screen shots of the remote router. As you can see it's a pretty simple Linksys that has worked for the longest time. In my opinion looking at the remote router is a red herring, but anything that will get me closer to a fix I will do.
I am using ASDM 5.2 to look at the concentrator..... so if you can divine what the problem is and point me in the right direction to fix it I would be eternally grateful. Hopefully below is what you are looking for.
07-15-2011 01:31 AM
Hi,
Nice easy setup - with nothing wrong on first look.
In your case I would try the following:
- What does the log on the Linksys say?
- Try to turn on keepalives on both sides (even though the Linksys is not full Cisco, it should be working).
- I haven't found any problem related to ASA and Linksys connections, but seeing the cfg I would upgrade the software in the ASA, and maybe in the Linksys too.
HTH
Pavel
07-15-2011 02:41 PM
Hi,
Can you try crypto isakmp invalid spi-recovery? (Check the syntax please.)
07-16-2011 12:38 AM
Hi,
I'm afraid this command will not work on the ASA - I haven't found it.
Pavel
07-15-2011 09:45 PM
Hi,
So it's failing at the rekey. Right now you have PH1 and PH2 lifetimes with the same values, which could cause issues at the time of the rekey; however, you mentioned that you had the problem too when using the default 28800 (8 hrs).
To find out the root cause of the issue here, let's first of all use a bigger value for the PH1 lifetime than the one for PH2.
Wait for the rekey to happen and get the following outputs from the ASA:
debug cry isa 150
debug cry ipsec 150
For your troubleshooting session you can use lower values for both lifetimes so you don't have to wait 8 hours to gather the info, just make sure the PH1 lifetime is bigger than the PH2 lifetime.
Regards,
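As an added illustration of the lifetime check recommended in this answer (not code from the thread or from Cisco), the script below parses an ASA-style running config and flags any crypto map entry whose Phase 2 SA lifetime is not shorter than the shortest ISAKMP (Phase 1) policy lifetime. The sample config reuses the crypto map fragment quoted above; the "crypto isakmp policy 10" block with its 86400 s lifetime is a constructed assumption (ASA 7.2-style indented syntax) standing in for the equal PH1/PH2 values the answer describes.

```python
import re

# Constructed sample: the crypto map lines quoted in the thread plus an
# assumed ISAKMP policy block (not on the page) whose lifetime equals the
# Phase 2 SA lifetime, reproducing the "same values" situation.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 lifetime 86400
crypto map outside_map 1 match address outside_4_cryptomap_1
crypto map outside_map 1 set peer xxx.xxx.xxx.146
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
"""

def parse_lifetimes(config):
    """Return ({policy_number: ph1_seconds}, {(map_name, seq): ph2_seconds})."""
    phase1, phase2 = {}, {}
    policy = None  # ISAKMP policy block we are currently inside, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = int(m.group(1))
            continue
        m = re.match(r"\s+lifetime (\d+)$", line)  # indented policy sub-command
        if m and policy is not None:
            phase1[policy] = int(m.group(1))
            continue
        if not line.startswith(" "):
            policy = None  # an unindented line ends the policy block
        m = re.match(
            r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)$", line)
        if m:
            phase2[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return phase1, phase2

def check_rekey_ordering(config):
    """List crypto map entries whose PH2 lifetime is >= the shortest PH1 lifetime.

    The negotiated ISAKMP policy depends on the peer, so comparing against the
    shortest configured PH1 lifetime is the conservative choice.
    """
    phase1, phase2 = parse_lifetimes(config)
    shortest_ph1 = min(phase1.values()) if phase1 else None
    findings = []
    for (name, seq), ph2 in sorted(phase2.items()):
        if shortest_ph1 is None or ph2 >= shortest_ph1:
            findings.append(f"{name} {seq}: PH2 lifetime {ph2}s is not shorter than PH1 lifetime {shortest_ph1}s")
    return findings
```

Run `check_rekey_ordering(SAMPLE_CONFIG)` to see the finding for outside_map 1; lowering the crypto map lifetime (or raising the policy lifetime) clears it.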