VPN Between Cisco ASA 5510 and PIX 515

Javi Benito
Level 1

Hi,

I have VPN between Cisco ASA and Cisco PIX.

I have seen in my syslog server this error which appears once a day more or less:

Received encrypted packet with no matching SA, dropping

I've seen this issue in other posts, but none of them had the solution.

These are my configuration files of the firewalls:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
! Phase 2 (IPsec) proposal: single-DES encryption with MD5 integrity
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! Global IPsec SA lifetimes; the crypto map entry below overrides the time value
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! LAN-to-LAN crypto map entry for the PIX peer
crypto map WAN_map2 2 match address WAN_cryptomap_1
! set pfs with no group named: ASA defaults to group2
crypto map WAN_map2 2 set pfs
crypto map WAN_map2 2 set peer 62.80.XX.XX
crypto map WAN_map2 2 set transform-set ESP-DES-MD5
crypto map WAN_map2 2 set security-association lifetime seconds 2700
crypto map WAN_map2 2 set nat-t-disable
crypto map WAN_map2 interface WAN
crypto isakmp enable LAN
crypto isakmp enable WAN
! Phase 1 (IKEv1) policy: pre-shared key, DES, MD5, DH group 5, 8-hour lifetime
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 5
 lifetime 28800
no crypto isakmp nat-traversal
tunnel-group 62.80.XX.XX type ipsec-l2l
tunnel-group 62.80.XX.XX ipsec-attributes
 pre-shared-key *

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PIX Version 8.0(4)
!
! Phase 2 (IPsec) proposal: same algorithms as the ASA side
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! Global IPsec SA lifetimes; the crypto map entry below overrides both values
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! LAN-to-LAN crypto map entry for the ASA peer
crypto map VPN_map2 3 match address VPN_cryptomap_2
! set pfs with no group named: PIX defaults to group2
crypto map VPN_map2 3 set pfs
crypto map VPN_map2 3 set peer 194.30.XX.XX
crypto map VPN_map2 3 set transform-set ESP-DES-MD5
crypto map VPN_map2 3 set security-association lifetime seconds 2700
crypto map VPN_map2 3 set security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 set nat-t-disable
crypto map VPN_map2 interface VPN
crypto isakmp enable VPN
crypto isakmp enable inside
! Phase 1 (IKEv1) policy: same parameters as ASA policy 1
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 5
 lifetime 28800
no crypto isakmp nat-traversal
! Aggressive mode disabled; only main mode is accepted
crypto isakmp am-disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group 194.30.XX.XX type ipsec-l2l
tunnel-group 194.30.XX.XX ipsec-attributes
 pre-shared-key *

If you need more detailed information, ask me.

Thanks in advance for your help.

Javi
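Before chasing the rekey angle, the first thing to check for a "no matching SA" message is that the two ends actually negotiate the same Phase 2 parameters. The script below is an added example, not code from the thread: it parses the crypto lines of both configurations posted above (copied here as constructed strings with the same masked peer IPs, minus the interface, enable and tunnel-group lines the parser ignores), resolves the effective per-peer values (a crypto map lifetime overrides the global one; `set pfs` with no group named means group2 on ASA/PIX) and reports any disagreement, plus deprecated ciphers. The function names are my own.

```python
import re

# Constructed copies of the crypto lines from the two configs posted above (peer IPs masked
# as in the post); interface, enable and tunnel-group lines are omitted (the parser ignores them).
ASA_CFG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map2 2 set pfs
crypto map WAN_map2 2 set peer 62.80.XX.XX
crypto map WAN_map2 2 set transform-set ESP-DES-MD5
crypto map WAN_map2 2 set security-association lifetime seconds 2700
crypto map WAN_map2 2 set nat-t-disable
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
"""
PIX_CFG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 set pfs
crypto map VPN_map2 3 set peer 194.30.XX.XX
crypto map VPN_map2 3 set transform-set ESP-DES-MD5
crypto map VPN_map2 3 set security-association lifetime seconds 2700
crypto map VPN_map2 3 set security-association lifetime kilobytes 4608000
crypto map VPN_map2 3 set nat-t-disable
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 5
lifetime 28800
"""
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_crypto(cfg, peer):
    """Effective IKEv1 phase 1 / phase 2 parameters of the crypto map entry that points at `peer`."""
    transform_sets, entries, policies = {}, {}, {}
    glob = {"seconds": None, "kilobytes": None}
    policy = None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m[1]] = tuple(m[2].split())
        elif m := re.fullmatch(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)", line):
            glob[m[1]] = int(m[2])
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) set (.+)", line):
            e = entries.setdefault((m[1], int(m[2])), {})
            w = m[3].split()
            if w[0] == "peer":
                e["peer"] = w[1]
            elif w[0] == "transform-set":
                e["transform"] = w[1:]
            elif w[0] == "pfs":
                e["pfs"] = w[1] if len(w) > 1 else "group2"  # ASA/PIX default when no group is named
            elif w[:2] == ["security-association", "lifetime"]:
                e[w[2]] = int(w[3])  # per-entry value overrides the global lifetime
            elif w[0] == "nat-t-disable":
                e["nat_t_disable"] = True
        elif m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            policy = policies.setdefault(int(m[1]), {})
        elif policy is not None and (m := re.fullmatch("(%s) (\\S+)" % "|".join(POLICY_ATTRS), line)):
            policy[m[1]] = m[2]
        else:
            policy = None  # any other line ends the policy block
    e = next(e for e in entries.values() if e.get("peer") == peer)
    return {
        "peer": peer,
        "esp": [transform_sets[n] for n in e["transform"]],
        "pfs": e.get("pfs", "off"),
        "p2_seconds": e.get("seconds", glob["seconds"]),
        "p2_kilobytes": e.get("kilobytes", glob["kilobytes"]),
        "nat_t_disable": e.get("nat_t_disable", False),
        "isakmp": sorted(tuple(p.get(k, "") for k in POLICY_ATTRS) for p in policies.values()),
    }


def compare_peers(a, b):
    """Settings that must agree (or, for phase 1, overlap) between the two ends of the tunnel."""
    keys = ("esp", "pfs", "p2_seconds", "p2_kilobytes", "nat_t_disable")
    findings = [f"{k}: {a[k]} vs {b[k]}" for k in keys if a[k] != b[k]]
    if not set(a["isakmp"]) & set(b["isakmp"]):
        findings.append("isakmp: no common phase 1 policy")
    return findings


def weak_algorithms(summary):
    """Ciphers and hashes in the effective proposals that are deprecated for IPsec today."""
    used = {alg for ts in summary["esp"] for alg in ts}
    for pol in summary["isakmp"]:
        used.update(pol[1:3])  # encryption and hash of each phase 1 policy
    return sorted(used & WEAK)
```

Run `compare_peers(parse_crypto(ASA_CFG, "62.80.XX.XX"), parse_crypto(PIX_CFG, "194.30.XX.XX"))` and it comes back empty for the configs as posted: lifetimes (2700 s, 4608000 KB), transform set, PFS group and NAT-T setting all agree, so a static mismatch is not the cause here. `weak_algorithms` does flag DES and MD5 on both phases; moving this pair to AES and SHA is overdue regardless of the drop messages. If only one side's lifetime were raised to 3 hours, as the thread later does, the script reports it; with IKEv1 the shorter of the two configured lifetimes is the one the peers end up using.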


Hi Prapanch,

The error between the Cisco PIX and the Cisco ASA has disappeared!!!

I've seen that the SA dropping error persists between the Cisco PIX and a Stonegate firewall. If I attach the debug logs from the Cisco PIX, could you help me find the problem?

Thank you very much for all!!

Javi

Hi Javi,

Absolutely.

Regards,

Prapanch

Hi Prapanch,

Thanks for your great help to solve the issue!!!

I've captured these logs when the error of SA dropping has appeared.

Regards,

Javi

Hi Javi,

I went through the logs and it looks like a Phase 2 rekey is happening when you receive those messages. Try increasing the Phase 2 lifetime to something higher (currently it is something around 2300 seconds).

Regards,

Prapanch

Hi Prapanch,

Phase 2 is configured with 45 minutes and 4608000 KB.

If you look at the logs I've attached, the error (Received encrypted packet with no matching SA, dropping) doesn't appear every 45 minutes.

Do you think that if I change the Phase 2 lifetime and configure higher values, the issue will be resolved?

What values are recommended?

Thanks!!

Javi

Hi Javi,

Let's try increasing it and see if it helps. Maybe to 3 hours or so?

Cheers,

Prapanch

Hi Prapanch,

I've already increased to 3 hours.

Tomorrow I'll post the results.

Thanks again!!

Javi

Hello Prapanch,

The issue persists.

These are the last logs when the error happened.

Thanks!!!

Hi Javi,

How often do you see it now? Any change after changing the lifetime values? These are normal messages that come up during a rekey. These should not cause any communication issues.

regards,

prapanch

Hi Prapanch,

After changing SA lifetime, the number of errors is the same (from 8 to 11 times a day).

Regards,

Javi

Looking at the logs, it seems to coincide with a rekey, which we can confirm only using debugs. If it is not causing any connectivity issues, there is nothing to worry about.

Cheers,

Prapanch
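The two replies above attribute the drops to Phase 2 rekeys but note that only debugs can confirm it. As a first pass before collecting debugs, the following added script (my own, not from the thread) correlates each "no matching SA" drop in syslog with the most recent SA deletion or Phase 2 rekey event on the same peer, and computes how many rekeys per day a given lifetime implies. The sample syslog lines are constructed, and the message IDs in them (713041, 602304, 713901) are assumed for illustration; the matching keys on the message text, so substitute whatever IDs your own ASA/PIX emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog, not taken from the thread. The message IDs are assumed for
# illustration; the matcher below keys on the message text that the original post quoted.
SAMPLE_SYSLOG = """\
Mar 03 09:12:01 asa-hq %ASA-5-713041: Group = 62.80.0.1, IP = 62.80.0.1, IKE Initiator: Rekeying Phase 2, Intf WAN, IKE Peer 62.80.0.1
Mar 03 09:12:02 asa-hq %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xA1B2C3D4) between 194.30.0.1 and 62.80.0.1 (user= 62.80.0.1) has been deleted.
Mar 03 09:12:03 asa-hq %ASA-3-713901: Group = 62.80.0.1, IP = 62.80.0.1, Received encrypted packet with no matching SA, dropping
Mar 03 09:57:02 asa-hq %ASA-5-713041: Group = 62.80.0.1, IP = 62.80.0.1, IKE Initiator: Rekeying Phase 2, Intf WAN, IKE Peer 62.80.0.1
Mar 03 09:57:03 asa-hq %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x0BADF00D) between 194.30.0.1 and 62.80.0.1 (user= 62.80.0.1) has been deleted.
Mar 03 11:40:15 asa-hq %ASA-3-713901: Group = 62.80.0.1, IP = 62.80.0.1, Received encrypted packet with no matching SA, dropping
"""

# Timestamp, hostname, %ASA|PIX-severity-msgid: text (standard ASA/PIX syslog shape)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ %(?:ASA|PIX)-\d-(?P<msgid>\d+): (?P<text>.*)$"
)
DROP_TEXT = "no matching SA, dropping"
REKEY_TEXTS = ("Rekeying Phase 2", "has been deleted")


def parse_syslog(text):
    """Yield (timestamp, msgid, message) for each line that looks like an ASA/PIX syslog record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog carries no year; strptime fills in 1900, which is fine for intra-day deltas.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("msgid"), m.group("text")))
    return events


def correlate_drops(text, window_seconds=10):
    """Split 'no matching SA' drops into those that follow a rekey/SA delete within the window
    (in-flight packets on the old SA) and those that do not (worth a debug session)."""
    window = timedelta(seconds=window_seconds)
    last_rekey = None
    explained, unexplained = [], []
    for ts, _msgid, msg in parse_syslog(text):
        if any(t in msg for t in REKEY_TEXTS):
            last_rekey = ts
        elif DROP_TEXT in msg:
            if last_rekey is not None and timedelta(0) <= ts - last_rekey <= window:
                explained.append((ts, (ts - last_rekey).total_seconds()))
            else:
                unexplained.append(ts)
    return explained, unexplained


def expected_rekeys_per_day(lifetime_seconds):
    """Upper bound on time-triggered Phase 2 rekeys per day for a given SA lifetime."""
    return 86400 // lifetime_seconds


if __name__ == "__main__":
    ok, odd = correlate_drops(SAMPLE_SYSLOG)
    for ts, delta in ok:
        print(f"{ts:%b %d %H:%M:%S} drop {delta:.0f}s after rekey (expected)")
    for ts in odd:
        print(f"{ts:%b %d %H:%M:%S} drop with no recent rekey (investigate)")
    print("rekeys/day at 2700 s:", expected_rekeys_per_day(2700))
    print("rekeys/day at 3 h:", expected_rekeys_per_day(3 * 3600))
```

Drops that land within a few seconds of a rekey are the in-flight packets on the old SA that the reply above describes; anything outside that window deserves a closer look with debugs. The rekey-count helper also shows why the drops need not line up with the 45-minute timer: whichever of the time or the kilobyte lifetime expires first triggers the rekey, so on a busy tunnel the 4608000 KB limit can fire well before 2700 seconds have elapsed, and at 3 hours the time limit alone allows only 8 rekeys per day.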

Hi,

6 months ago I posted this issue:

https://supportforums.cisco.com/thread/2018053?tstart=0

I don't know if this issue will appear again with the new configuration (vpn idle timeout none); maybe it resolves this issue too.

Regards,

Javi

Is the other still occurring?

I've replaced the ASA firewall with a Fortinet firewall because it was installed in China, and when this issue happened I was sleeping, so they couldn't connect to HQ and nobody could help them.

Now I've installed this ASA in my network testing lab, doing a VPN with Stonegate. I am monitoring this VPN. On this firewall I changed the vpn idle timeout parameter too. Maybe with this change the issue has been solved indirectly.

So I think it's better that I close this post, and if the issue persists and if you want, I can send you a message.

Thanks for your priceless help!!!

Hi Javi,

Sure. Rather than a message, just open up a thread so that others can take a look at it in case they face similar issues.

Cheers,

Prapanch
