10-25-2012 08:05 AM
Hi
I have a dynamic site-to-site VPN between an ASA 5510 firewall running ASA version 8.2(1) (the ASA has the static IP 201.111.14.114) and a C870 ISR (the ISR has a dynamic IP). The tunnel and the connectivity on both sides are successful; however, each time an interface restart occurs because the Internet link on the ISR side is unstable, the VPN tunnel does not go back to the UP state again.
These are the ISR logs shown when the VPN goes DOWN:
*Mar 10 13:58:45.157: %LINK-3-UPDOWN: Interface ATM0, changed state to down
*Mar 10 13:58:46.157: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down
*Mar 10 13:59:24.386: %LINK-3-UPDOWN: Interface ATM0, changed state to up
*Mar 10 13:59:25.386: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up
Usually I need to apply "clear crypto session remote 201.111.14.114" on the C870 ISR to restart the tunnel, and then it goes to the UP state.
CMM_Amealco#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
202.223.111.26 189.163.214.25 QM_IDLE 2460 ACTIVE
202.223.111.33 189.163.214.25 QM_IDLE 2461 ACTIVE
201.111.14.114 189.163.214.25 QM_IDLE 2464 ACTIVE
201.111.14.114 189.163.214.25 MM_NO_STATE 2463 ACTIVE (deleted)
Any suggestions or comments about this?
Current configurations
ISR Configuration
----------------------------------------------------------------------------------------
Current configuration : 7533 bytes
!
Line codes omitted
!
hostname ISR_HOSTNAME
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3037585440
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3117585440
revocation-check none
rsakeypair TP-self-signed-3037585440
!
!
crypto pki certificate chain TP-self-signed-3117585440
certificate self-signed 01
30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303337 35383534 3430301E 170D3032 30333031 30313235
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F556D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30333735
38353434 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009870 FA026AF3 9C723862 2430EC31 618E0512 7E15978E B9E03E75 CFCD0FFB
4918D119 1662E698 04435BD7 AF7A6178 31083F1E BBE4C187 1C8DC72D E3567009
C7C361C7 F96AEC6B DE750197 7DD3057C 85AEBCA6 08A60936 BB5E8B08 502CCA33
7448C749 5A2BB49A 9920AD7B 77AB9427 4637332B C32864A6 6D1A015C 4115D4BB
B2BD0203 020001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603
551D1104 20301E82 1C434D4D 5F416D65 616C636F 2E6B616C 74657861 70702E63
6F6D2E6D 78301F06 03551D23 04183016 8014CF9B 6638629B 9665281D A2DC4DE8
8E2ED333 99A8301D 0603551D 0E041604 14CF9B66 38629B96 65281DA2 DC4DE88E
2ED33399 A8300D06 092A8648 86F70D01 01040500 03818100 52B988C5 96363119
FF515FC3 12C4FE88 BC607FF3 92F81AED 4F6EB77B 903E431A 7695C845 A8A0D5E2
53EB9ED2 D49443F3 A7D3F2D5 AC83E8A9 D8AA9173 80D7BC0D 7CE3A167 235C2946
0B1E3D61 88468922 68D9042B 12F36D50 267A8A6D 631E48CC 5BDBBDF2 98F3538D
CCC4B566 BC9DC02E FE64A5DF 7CED4A6A B312CBC9 50B67A17
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip name-server 128.1.1.185
ip name-server 128.1.70.183
ip name-server 128.1.70.182
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username MY_USERNAME privilege XX password X MY_PASSWORD
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key MY_PRESHARED address 201.111.14.114
crypto isakmp key MY_ISAKMP_PRESHARED address 0.0.0.0 0.0.0.0
!
crypto isakmp peer address 201.111.14.114
set aggressive-mode password MY_PRESHARED
set aggressive-mode client-endpoint fqdn ISR_NAME
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set fasedos esp-3des esp-sha-hmac
!
crypto ipsec profile OTHER_PROFILE
set security-association lifetime seconds 120
set transform-set strong
!
!
crypto map crypto_INTEREST 10 ipsec-isakmp
set peer 201.111.14.114
set security-association lifetime seconds 600
set transform-set fasedos
match address traficopermitido
!
archive
log config
hidekeys
!
!
!
track 102 ip sla 102 reachability
default-state up
!
!
!
interface Tunnel0
bandwidth 1000000
ip address 192.168.1.7 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication AUTHENTICATION
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 xxx.xxx.xxx
ip nhrp map multicast xxx.xxx.xxx.xx
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile OTHER_PROFILE shared
!
interface Tunnel2
bandwidth 1000000
ip address 10.10.20.7 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication AUTHENTICATION
ip nhrp map multicast dynamic
ip nhrp map 10.10.20.1 201.122.116.26
ip nhrp map multicast 201.122.116.26
ip nhrp network-id 2
ip nhrp nhs 10.10.20.1
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile OTHER_PROFILE shared
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
pvc 8/81
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $EH-W-LAUN$
ip address 128.1.70.204 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1490
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1440
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname ISR_HOSTNAME
ppp chap password 0 2782350
ppp pap sent-username MY_USERNAME password X MY_PASSWORD
crypto map crypto_INTEREST
!
router eigrp 100
redistribute static metric 1 1 255 1 1500 route-map static_CMM
offset-list 10 in 40000 Tunnel0
network 10.10.20.0 0.0.0.255
network 128.1.70.0 0.0.0.255
network 192.168.1.0
no auto-summary
eigrp stub connected static
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 128.1.71.0 255.255.255.0 128.1.70.210
ip route 128.1.72.0 255.255.255.0 128.1.70.210
ip route 128.1.73.0 255.255.255.0 128.1.70.210
ip route 128.1.74.0 255.255.255.0 128.1.70.210
ip route 128.1.75.0 255.255.255.0 128.1.70.210
ip route 128.1.76.0 255.255.255.0 128.1.70.210
ip route 128.1.77.0 255.255.255.0 128.1.70.210
ip route 128.1.78.0 255.255.255.0 128.1.70.210
ip route 128.1.79.0 255.255.255.0 128.1.70.210
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 180 interface Dialer1 overload
!
ip access-list extended traficopermitido
permit ip 128.1.70.0 0.0.0.255 172.23.191.0 0.0.0.127
!
ip sla 1
icmp-echo 192.168.1.1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.10.20.1
ip sla schedule 2 life forever start-time now
ip sla 22
icmp-echo 172.23.191.18 source-interface Vlan1
frequency 5
ip sla schedule 22 life forever start-time now
ip sla 102
icmp-echo 172.23.191.1 source-interface Vlan1
frequency 5
ip sla schedule 102 life forever start-time now
access-list 10 permit 128.1.1.0 0.0.0.255
access-list 10 permit 128.1.80.0 0.0.0.255
access-list 10 permit 128.1.160.0 0.0.0.255
access-list 10 permit 128.1.100.0 0.0.0.255
access-list 30 permit 128.1.71.0 0.0.0.255
access-list 30 permit 128.1.72.0 0.0.0.255
access-list 30 permit 128.1.73.0 0.0.0.255
access-list 30 permit 128.1.74.0 0.0.0.255
access-list 30 permit 128.1.75.0 0.0.0.255
access-list 30 permit 128.1.76.0 0.0.0.255
access-list 30 permit 128.1.77.0 0.0.0.255
access-list 30 permit 128.1.78.0 0.0.0.255
access-list 30 permit 128.1.79.0 0.0.0.255
access-list 180 deny ip 128.1.70.0 0.0.0.255 172.23.191.0 0.0.0.127
access-list 180 permit ip host 128.1.70.182 any
access-list 180 permit ip host 128.1.70.183 any
access-list 180 permit ip 128.1.0.0 0.0.255.255 host 173.194.64.121
access-list 180 permit ip 128.1.0.0 0.0.255.255 host 187.174.155.118
access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.33.74.112
access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.57.145.3
access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.57.145.5
access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.57.145.6
!
!
!
!
route-map static_CMM permit 10
match ip address 30
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
----------------------------------------------------------------------------------------
FIREWALL ASA CONFIGURATION
----------------------------------------------------------------------------------------
ASA Version 8.2(1)
!
hostname FIREWALL_HOSTNAME
<OMITTED OUTPUT>
!
interface Ethernet0/0
description CSR_LAN
nameif inside
security-level 100
ip address 172.23.191.23 255.255.255.128
rip send version 2
rip receive version 2
rip authentication key <removed> key_id 1
!
interface Ethernet0/1
description Publica
nameif outside
security-level 0
ip address 201.111.14.114 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
access-list inside_access_in remark CSR
access-list inside_access_in extended permit ip 172.23.191.0 255.255.255.128 any log
access-list inside_nat_outbound remark NAT Salida Internet
access-list inside_nat_outbound extended permit ip 172.23.191.0 255.255.255.128 any
access-list outside_cryptomap_7 extended permit ip 172.23.191.0 255.255.255.128 128.1.70.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 10000
logging buffered warnings
logging trap debugging
logging asdm informational
logging host inside 172.23.191.60
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool PoolClient 172.23.191.104-172.23.191.110 mask 255.255.255.248
ip local pool Pool 11.1.1.0-11.1.1.15 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router rip
version 2
distribute-list ripACL_FR in interface inside
!
route outside 0.0.0.0 0.0.0.0 201.161.14.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.23.191.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ISR_NAME 9 match address outside_cryptomap_7
crypto dynamic-map ISR_NAME 9 set transform-set ESP-3DES-SHA
crypto dynamic-map ISR_NAME 9 set security-association lifetime seconds 600
crypto dynamic-map ISR_NAME 9 set nat-t-disable
crypto map outside_map 9 ipsec-isakmp dynamic ISR_NAME
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.23.191.0 255.255.255.128 inside
telnet timeout 60
ssh 172.23.191.0 255.255.255.128 inside
ssh 17.10.40.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
group-policy VPNClient internal
group-policy VPNClient attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec
username rsanchez password kbnVEipl5rnzyLVv encrypted privilege 1
username sramirez password DC6w10mjYnmTr2/W encrypted privilege 1
vpn-group-policy VPNClient
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
address-pool Pool
default-group-policy VPNClient
tunnel-group VPNClient ipsec-attributes
pre-shared-key *
tunnel-group ISR_HOSTNAME type ipsec-l2l
tunnel-group ISR_HOSTNAME ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
prompt hostname context
Cryptochecksum:5397fa4a0e8e04288a53dbc19cd7f08e
: end
----------------------------------------------------------------------------------------
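The "sh crypto isakmp sa" output above is the quickest place to see the problem described in this post: one peer (201.111.14.114) has an established QM_IDLE SA next to a stale MM_NO_STATE entry marked "(deleted)". The following script is an added example, not code from the original post or from Cisco: it parses that output shape and produces a per-peer verdict a monitoring job could act on (for example, raising an alert instead of waiting for someone to notice the tunnel is down). The sample output is constructed to match the layout in the post, using the addresses quoted there; the local address passed to peer_report is an assumption taken from the src column.

```python
"""Parse IOS 'show crypto isakmp sa' output and flag peers whose ISAKMP SA
is not in the established (QM_IDLE) state.

Added example for the thread above; not code from the original post or from
Cisco. SAMPLE_OUTPUT is constructed to match the column layout in the post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, same shape as the output quoted in the post.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.223.111.26  189.163.214.25  QM_IDLE           2460 ACTIVE
202.223.111.33  189.163.214.25  QM_IDLE           2461 ACTIVE
201.111.14.114  189.163.214.25  QM_IDLE           2464 ACTIVE
201.111.14.114  189.163.214.25  MM_NO_STATE       2463 ACTIVE (deleted)
"""

# Columns: dst src state conn-id status [(flag)]
# Header and section-title lines do not match because conn-id must be numeric
# and the state column must be upper case.
SA_LINE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)"
    r"\s+(?P<status>[A-Z]+)(?:\s+\((?P<flag>\w+)\))?\s*$"
)

ESTABLISHED = "QM_IDLE"  # phase 1 complete; the only state that carries IPsec SAs


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str
    flag: str  # "" or e.g. "deleted"

    @property
    def healthy(self) -> bool:
        return self.state == ESTABLISHED and self.flag == ""


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Return one IsakmpSa per data row; header and title lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        sas.append(IsakmpSa(m["dst"], m["src"], m["state"], int(m["conn_id"]),
                            m["status"], m["flag"] or ""))
    return sas


def peer_report(sas: List[IsakmpSa], local_ip: Optional[str] = None) -> Dict[str, dict]:
    """Group SAs by remote peer and give each peer a verdict.

    IOS lists the initiator's address under src, so the remote peer is
    whichever column is not local_ip; without local_ip, dst is assumed to be
    the peer (true when this router initiated, as in the post)."""
    report: Dict[str, dict] = {}
    for sa in sas:
        peer = sa.src if (local_ip and sa.dst == local_ip) else sa.dst
        entry = report.setdefault(peer, {"established": [], "stale": []})
        (entry["established"] if sa.healthy else entry["stale"]).append(sa.conn_id)
    for entry in report.values():
        if not entry["established"]:
            # No usable phase-1 SA: the tunnel is down even if rows still exist.
            entry["verdict"] = "down"
        elif entry["stale"]:
            # Established, but an old SA has not been cleaned up yet.
            entry["verdict"] = "up, stale entries present"
        else:
            entry["verdict"] = "up"
    return report


if __name__ == "__main__":
    for peer, entry in peer_report(parse_isakmp_sa(SAMPLE_OUTPUT),
                                   local_ip="189.163.214.25").items():
        print(f"{peer:16} {entry['verdict']:28} established={entry['established']} "
              f"stale={entry['stale']}")
```

The "down" verdict is the case this thread is about: a peer that only has MM_NO_STATE or "(deleted)" rows after a link flap. Running this against the output of the device periodically (or feeding it the syslog-triggered output after a LINK-3-UPDOWN event) turns the manual "clear crypto session" check into something that can be alerted on; the fix itself is still DPD and the IP SLA, as discussed in the replies.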
10-25-2012 11:32 AM
Hello Adrian,
Don't know if this is the cause of your issue, but I was thinking about a scenario in which, after your ISP interface goes DOWN and UP, your IP address is changed.
IOS itself is not deleting the ISAKMP SA because the interface on which you have the crypto map attached is down, so the SA will still be up on IOS. On the ASA itself, since you have the default configuration, you have DPD (dead peer detection) turned on; probably after 10 seconds the crypto SA will go down since no DPD reply is received.
IOS will continue to send encrypted traffic towards the ASA, but for the ASA the tunnel is dead and it will ignore these packets (there should be something in the logs), but the router will never know it since it has DPDs turned off.
It could also happen if you are getting the same IP address from your ISP, but the Internet outages are longer than 30 seconds.
Solution would be to turn on DPDs on IOS:
crypto isakmp keepalives TIME_IN_SECONDS periodic
Details about DPDs:
https://supportforums.cisco.com/docs/DOC-8554
Regards,
12-27-2012 12:41 PM
Hi
Thank you, Piotr. The following configuration lines solved the connectivity and stability problem:
1. Enable DPD:
crypto isakmp keepalives TIME_IN_SECONDS periodic
2. Create an IP SLA on the ISR side:
ip sla NUMBER_IP_SLA
icmp-echo DESTINATION_IP_FROM_ASA_LAN source IP_FROM_ISR_LAN
frequency TIME_IN_SECONDS
ip sla schedule NUMBER_IP_SLA start-time now life forever
For the unstable Internet link, a short security association lifetime helped to improve tunnel stability.