Unstable VPN connectivity in a C870 vs Firewall ASA 5510 tunnel

aortega3107
Level 1

Hi

I have a dynamic site-to-site VPN between a Firewall ASA 5510 with ASA version 8.2(1) (the firewall ASA has a static IP, 201.111.14.114) and a C870 ISR (the ISR has a dynamic IP). The tunnel and the connectivity on both sides are successful; however, each time an interface restart occurs because the Internet link is unstable on the ISR side, the VPN tunnel does not go to UP STATE again.

These are the ISR logs listed when the VPN goes DOWN:

*Mar 10 13:58:45.157: %LINK-3-UPDOWN: Interface ATM0, changed state to down

*Mar 10 13:58:46.157: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down

*Mar 10 13:59:24.386: %LINK-3-UPDOWN: Interface ATM0, changed state to up

*Mar 10 13:59:25.386: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up

Usually I need to apply "clear crypto session remote 201.111.14.114" on the C870 ISR to restart the tunnel, and then it goes to UP STATE.

CMM_Amealco#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

202.223.111.26  189.163.214.25  QM_IDLE           2460 ACTIVE

202.223.111.33  189.163.214.25  QM_IDLE           2461 ACTIVE

201.111.14.114  189.163.214.25  QM_IDLE           2464 ACTIVE

201.111.14.114  189.163.214.25  MM_NO_STATE       2463 ACTIVE (deleted)

Any suggestions or comments about this?

Current configurations

ISR Configuration

----------------------------------------------------------------------------------------

Current configuration : 7533 bytes

!

Line codes omitted

!

hostname ISR_HOSTNAME

!

boot-start-marker

boot-end-marker

!

logging buffered 10000

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-3037585440

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3117585440

revocation-check none

rsakeypair TP-self-signed-3037585440

!

!

crypto pki certificate chain TP-self-signed-3117585440

certificate self-signed 01

        quit

dot11 syslog

ip source-route

!

!

!

!

ip cef

no ip domain lookup

ip name-server 128.1.1.185

ip name-server 128.1.70.183

ip name-server 128.1.70.182

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

username MY_USERNAME privilege XX password X MY_PASSWORD

!

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key MY_PRESHARED address 201.111.14.114

crypto isakmp key MY_ISAKMP_PRESHARED address 0.0.0.0 0.0.0.0

!

crypto isakmp peer address 201.111.14.114

set aggressive-mode password MY_PRESHARED

set aggressive-mode client-endpoint fqdn ISR_NAME

!

!

crypto ipsec transform-set strong esp-3des esp-md5-hmac

crypto ipsec transform-set fasedos esp-3des esp-sha-hmac

!

crypto ipsec profile OTHER_PROFILE

set security-association lifetime seconds 120

set transform-set strong

!

!

crypto map crypto_INTEREST 10 ipsec-isakmp

set peer 201.111.14.114

set security-association lifetime seconds 600

set transform-set fasedos

match address traficopermitido

!

archive

log config

  hidekeys

!

!

!

track 102 ip sla 102 reachability

default-state up

!

!

!

interface Tunnel0

bandwidth 1000000

ip address 192.168.1.7 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication AUTHENTICATION

ip nhrp map multicast dynamic

ip nhrp map 192.168.1.1 xxx.xxx.xxx

ip nhrp map multicast xxx.xxx.xxx.xx

ip nhrp network-id 1

ip nhrp nhs 192.168.1.1

tunnel source Dialer1

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile OTHER_PROFILE shared

!

interface Tunnel2

bandwidth 1000000

ip address 10.10.20.7 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication AUTHENTICATION

ip nhrp map multicast dynamic

ip nhrp map 10.10.20.1 201.122.116.26

ip nhrp map multicast 201.122.116.26

ip nhrp network-id 2

ip nhrp nhs 10.10.20.1

tunnel source Dialer1

tunnel mode gre multipoint

tunnel key 1

tunnel protection ipsec profile OTHER_PROFILE shared

!

interface ATM0

no ip address

load-interval 30

no atm ilmi-keepalive

pvc 8/35

  pppoe-client dial-pool-number 1

!

pvc 8/81

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description $EH-W-LAUN$

ip address 128.1.70.204 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Dialer1

ip address negotiated

ip mtu 1490

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1440

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap chap callin

ppp chap hostname ISR_HOSTNAME

ppp chap password 0 2782350

ppp pap sent-username MY_USERNAME password X MY_PASSWORD

crypto map crypto_INTEREST

!

router eigrp 100

redistribute static metric 1 1 255 1 1500 route-map static_CMM

offset-list 10 in 40000 Tunnel0

network 10.10.20.0 0.0.0.255

network 128.1.70.0 0.0.0.255

network 192.168.1.0

no auto-summary

eigrp stub connected static

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 128.1.71.0 255.255.255.0 128.1.70.210

ip route 128.1.72.0 255.255.255.0 128.1.70.210

ip route 128.1.73.0 255.255.255.0 128.1.70.210

ip route 128.1.74.0 255.255.255.0 128.1.70.210

ip route 128.1.75.0 255.255.255.0 128.1.70.210

ip route 128.1.76.0 255.255.255.0 128.1.70.210

ip route 128.1.77.0 255.255.255.0 128.1.70.210

ip route 128.1.78.0 255.255.255.0 128.1.70.210

ip route 128.1.79.0 255.255.255.0 128.1.70.210

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 180 interface Dialer1 overload

!

ip access-list extended traficopermitido

permit ip 128.1.70.0 0.0.0.255 172.23.191.0 0.0.0.127

!

ip sla 1

icmp-echo 192.168.1.1

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 10.10.20.1

ip sla schedule 2 life forever start-time now

ip sla 22

icmp-echo 172.23.191.18 source-interface Vlan1

frequency 5

ip sla schedule 22 life forever start-time now

ip sla 102

icmp-echo 172.23.191.1 source-interface Vlan1

frequency 5

ip sla schedule 102 life forever start-time now

access-list 10 permit 128.1.1.0 0.0.0.255

access-list 10 permit 128.1.80.0 0.0.0.255

access-list 10 permit 128.1.160.0 0.0.0.255

access-list 10 permit 128.1.100.0 0.0.0.255

access-list 30 permit 128.1.71.0 0.0.0.255

access-list 30 permit 128.1.72.0 0.0.0.255

access-list 30 permit 128.1.73.0 0.0.0.255

access-list 30 permit 128.1.74.0 0.0.0.255

access-list 30 permit 128.1.75.0 0.0.0.255

access-list 30 permit 128.1.76.0 0.0.0.255

access-list 30 permit 128.1.77.0 0.0.0.255

access-list 30 permit 128.1.78.0 0.0.0.255

access-list 30 permit 128.1.79.0 0.0.0.255

access-list 180 deny   ip 128.1.70.0 0.0.0.255 172.23.191.0 0.0.0.127

access-list 180 permit ip host 128.1.70.182 any

access-list 180 permit ip host 128.1.70.183 any

access-list 180 permit ip 128.1.0.0 0.0.255.255 host 173.194.64.121

access-list 180 permit ip 128.1.0.0 0.0.255.255 host 187.174.155.118

access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.33.74.112

access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.57.145.3

access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.57.145.5

access-list 180 permit ip 128.1.0.0 0.0.255.255 host 200.57.145.6

!

!

!

!

route-map static_CMM permit 10

match ip address 30

!

!

control-plane

!

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

logging synchronous

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

----------------------------------------------------------------------------------------

FIREWALL ASA CONFIGURATION

----------------------------------------------------------------------------------------

ASA Version 8.2(1)

!

hostname FIREWALL_HOSTNAME

<OMITTED OUTPUT>

!

interface Ethernet0/0

description CSR_LAN

nameif inside

security-level 100

ip address 172.23.191.23 255.255.255.128

rip send version 2

rip receive version 2

rip authentication key <removed> key_id 1

!

interface Ethernet0/1

description Publica

nameif outside

security-level 0

ip address 201.111.14.114 255.255.255.248

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00

dns domain-lookup outside

dns server-group DefaultDNS

name-server 4.2.2.2

access-list inside_access_in remark CSR

access-list inside_access_in extended permit ip 172.23.191.0 255.255.255.128 any log

access-list inside_nat_outbound remark NAT Salida Internet

access-list inside_nat_outbound extended permit ip 172.23.191.0 255.255.255.128 any

access-list outside_cryptomap_7 extended permit ip 172.23.191.0 255.255.255.128 128.1.70.0 255.255.255.0

pager lines 24

logging enable

logging buffer-size 10000

logging buffered warnings

logging trap debugging

logging asdm informational

logging host inside 172.23.191.60

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool PoolClient 172.23.191.104-172.23.191.110 mask 255.255.255.248

ip local pool Pool 11.1.1.0-11.1.1.15 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 access-list inside_nat_outbound

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

!

router rip

version 2

distribute-list ripACL_FR in interface inside

!

route outside 0.0.0.0 0.0.0.0 201.161.14.209 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.23.191.0 255.255.255.128 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map ISR_NAME 9 match address outside_cryptomap_7

crypto dynamic-map ISR_NAME 9 set transform-set ESP-3DES-SHA

crypto dynamic-map ISR_NAME 9 set security-association lifetime seconds 600

crypto dynamic-map ISR_NAME 9 set nat-t-disable

crypto map outside_map 9 ipsec-isakmp dynamic ISR_NAME

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 172.23.191.0 255.255.255.128 inside

telnet timeout 60

ssh 172.23.191.0 255.255.255.128 inside

ssh 17.10.40.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec svc

group-policy VPNClient internal

group-policy VPNClient attributes

dns-server value 4.2.2.2

vpn-tunnel-protocol IPSec

username rsanchez password kbnVEipl5rnzyLVv encrypted privilege 1

username sramirez password DC6w10mjYnmTr2/W encrypted privilege 1

vpn-group-policy VPNClient

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group VPNClient type remote-access

tunnel-group VPNClient general-attributes

address-pool Pool

default-group-policy VPNClient

tunnel-group VPNClient ipsec-attributes

pre-shared-key *

tunnel-group ISR_HOSTNAME type ipsec-l2l

tunnel-group ISR_HOSTNAME ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

!

prompt hostname context

Cryptochecksum:5397fa4a0e8e04288a53dbc19cd7f08e

: end

----------------------------------------------------------------------------------------

2 Replies

pkupisie
Cisco Employee

Hello Adrian,

I don't know if this is the cause of your issue, but I was thinking about a scenario in which, after your ISP interface goes DOWN and UP, your IP address is being changed.

IOS itself is not deleting the ISAKMP SA because the interface on which you have the crypto map attached is down, so the SA will still be up on IOS. On the ASA itself, since you have the default configuration, you have DPD (dead peer detection) turned on; probably after 10 seconds the crypto SA will go down since no DPD reply is received.

IOS will continue to send encrypted traffic towards the ASA, but for the ASA the tunnel is dead and it will ignore these packets (there should be something in the logs), but the router will never know it since it has DPDs turned off.

It could also happen if you are getting the same IP address from your ISP, but the Internet outages are longer than 30 seconds.

The solution would be to turn on DPDs on IOS:

crypto isakmp keepalives TIME_IN_SECONDS periodic

Details about DPDs:

https://supportforums.cisco.com/docs/DOC-8554

Regards,

Hi

Thank you Piotr. The following configuration lines solved the connectivity and stability problem:

1. Enable DPD:

crypto isakmp keepalives TIME_IN_SECONDS periodic

2. Create an IP SLA on the ISR side:

ip sla NUMBER_IP_SLA

icmp-echo DESTINATION_IP_FROM_ASA_LAN source-ip IP_FROM_ISR_LAN

frequency TIME_IN_SECONDS

ip sla schedule NUMBER_IP_SLA start-time now life forever

For the unstable Internet link, a short security-association lifetime helped to improve tunnel stability.
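As an added example (not part of this thread, nor a Cisco tool), a small Python checker that parses the "show crypto isakmp sa" output quoted earlier in the thread to flag a peer left with a stale MM_NO_STATE "(deleted)" entry, and that reports whether an IOS running-config carries the "crypto isakmp keepalives" line the fix above relies on. The sample output and config fragment are constructed; the addresses and conn-ids are illustrative.

```python
import re

# Constructed sample of 'show crypto isakmp sa' output, modelled on the thread
# (addresses and conn-ids are illustrative, not live data).
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.223.111.26  189.163.214.25  QM_IDLE           2460 ACTIVE
201.111.14.114  189.163.214.25  QM_IDLE           2464 ACTIVE
201.111.14.114  189.163.214.25  MM_NO_STATE       2463 ACTIVE (deleted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_ROW = re.compile(rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+"
                    r"(?P<conn>\d+)\s+(?P<status>.+?)$")

def parse_isakmp_sa(text):
    """Return one dict per SA row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def stale_peers(rows):
    """Flag peers showing the thread's symptom: an SA not in QM_IDLE, or one
    marked '(deleted)', still listed for the peer. One such entry can be a
    transient teardown, so compare two polls before clearing anything."""
    findings = {}
    for r in rows:
        if r["state"] != "QM_IDLE" or "deleted" in r["status"]:
            desc = f"{r['state']} conn-id {r['conn']} {r['status']}"
            findings.setdefault(r["dst"], []).append(desc)
    return {peer: "; ".join(d) for peer, d in findings.items()}

def dpd_mode(running_config):
    """'none' if 'crypto isakmp keepalives' is absent from the IOS config,
    else 'periodic' or the IOS default 'on-demand' when no keyword is given."""
    m = re.search(r"^crypto isakmp keepalives\s+\d+(?:\s+\d+)?"
                  r"(?:\s+(periodic|on-demand))?\s*$", running_config, re.M)
    return (m.group(1) or "on-demand") if m else "none"

if __name__ == "__main__":
    print(stale_peers(parse_isakmp_sa(SHOW_ISAKMP_SA)))
    print(dpd_mode("crypto isakmp keepalives 10 3 periodic\n"))  # constructed
```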
