cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2553
Views
25
Helpful
13
Replies

VPN TUNNEL GOES DOWN

amralrazzaz
Level 5
Level 5

hi all  

my network:  ISP --- ASA5516---ISR 2911 router --- 2960 switch ---2960 switch

Cisco Fire Linux OS v6.6.1 (build 14)
Cisco ASA5516-X Threat Defense v6.6.1 (build 91)

interface GigabitEthernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 154.2x6.1x9.1xx 2x5.2xx.25x.xx
!
interface GigabitEthernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.2xx.1x.208 255.255.2xx.0

nat (inside,outside) source static |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 destination static |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 no-proxy-arp route-lookup
nat (inside,outside) source static NET-EGCAI01 NET-EGCAI01 destination static NET-10.0.0.0 NET-10.0.0.0
nat (inside,outside) source static NET-EGCAI01 NET-EGCAI01 destination static NET-172.16.0.0 NET-172.16.0.0
nat (inside,outside) source static NET-EGCAI01 NET-EGCAI01 destination static NET-192.168.0.0 NET-192.168.0.0
nat (any,outside) source dynamic any-ipv4 PUBLIC_IP

access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 15X.2XX.18X.1XX 1
route inside 10.2XX.0.0 25X.25X.2XX.0 10.2XX.1X.X0X 1

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|56ec6bec-5588-11eb-9fd4-17738a579189
crypto map s2sCryptoMap 1 set pfs
crypto map s2sCryptoMap 1 set peer 1XX.2XX.1XX.1XX
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 3
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800

vpn-tunnel-protocol ssl-client
webvpn
anyconnect ssl dtls none
group-policy |s2sGP|1XX.2XX.1XX.1XX internal
group-policy |s2sGP|1XX.2XX.1XX.1XX attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 1XX.2XX.1XX.1XX type ipsec-l2l
tunnel-group 1XX.2XX.1XX.1XX general-attributes
default-group-policy |s2sGP|1XX.2XX.1XX.1XX
tunnel-group 1XX.2XX.1XX.1XX ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

 

 

i have ASA5516-FTD-K9 and im using site to site vpn ikev2 (ipsec) , the tunnel always going down after several days untili change an option then it back up again then after some days it back down again so i have to back this option to its 1st status so tunnel goes up again and so on 

 

- im using 2 public ip one for vpn tunnel and other for nat (internet for users)

- im using nat exempt but im not sure if this is correct or not ?

 

i dunt know if i keep using nat exemption or should remove ?  and why tunnel goes down until i change nat exempt to back up and then after some days it goes down so i have to back this option to same status again and so on ...  please check attached pic

 

THE 2ND QUESTION : 

 

AFTER BUILDING UP THIS TUNNEL I HAVE ONLY CONNECTIVITY TO DESTINATION NETWORK 10.0.0.0 ONLY BUT I DONT HAVE TO 172.16.0.0 AND 192.168.0.0 ??

Note: i had this configuration before on router and it working great without any issue but once i transfer the vpn setup from router to ASA i faced these kind of issues?

from below output i can see only 10.0.0.0 network but no 172 nw and 192 nw ??

> show crypto ikev2 sa

IKEv2 SAs:

Session-id:---, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
2526799051 1xx.2xx.1xx.1xx/500 1xx.2xx.1xx.1xx/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/26492 sec
Child sa: local selector 10.2xx.0.0/0 - 10.2xx.15.255/65535
remote selector 10.0.0.0/0 - 10.255.255.255/65535
ESP spi in/out: 0x99c838/0x567afb19

amr alrazzaz
13 Replies 13

Hi @amralrazzaz 

You'd need NAT exemption, otherwise VPN traffic would be unintentially natted by your dynamic nat rule and the VPN would probably not work at all.

 

A policy-based VPN (which you are using) would be be established if interesting traffic was sent over the tunnel. If nothing was sent, the tunnel will drop once the lifetime timers expire.

 

Also, sometimes you could have problems if the 2 firewalls lifetime timers are not configured the same, I'd double check the configuration of both ends and confirm they are identical.

 

HTH

it was configured before on router it was working perfect with no issue but once i transfer the config to ASA i face these kind of issues and i have another issue not only tunnel goes down every several days ??

 

also i have only connectivity to 10.0.0.0 network but 172 network and 192 network i dont ??? 

 

on router the configuration was too long but all was working great with no downtime and have connectivity to all destination networks !! but on asa i face there 2 issues!!!

 

> show crypto ikev2 sa

IKEv2 SAs:

Session-id:---, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
2526799051 1xx.2xx.1xx.1xx/500 1xx.2xx.1xx.1xx/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/26492 sec
Child sa: local selector 10.2xx.0.0/0 - 10.2xx.15.255/65535
remote selector 10.0.0.0/0 - 10.255.255.255/65535
ESP spi in/out: 0x99c838/0x567afb19

amr alrazzaz

@amralrazzaz 

Did you use the same configuration - crypto, timers etc? If not and the timers are mis-matched then you might have issues. Can you provide the ipsec configuration of the other device?


Regardless if no interesting traffic is sent then as mentioned the VPN would drop once the timers expire. Is the VPN in constant use?

 

You can only see IKEv2 SA for the 10.0.0.0/8 network and not the other 172.x.x.x or 192.168.x.x because interesting traffic would need to be generated in order for the VPN to be established. A policy-based VPN won't always be active unless you generate some traffic. You could have the tunnel always up by using an EEM script to ping something on the other end of the tunnel.

here you ae the previous router configurations i get using before transfer the vpn setup to asa :

 

crypto ikev2 proposal PROP-NLAMS02E
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy POL-NLAMS02E
proposal PROP-NLAMS02E
!
crypto ikev2 keyring KR-1
peer NLAMS02E
address 1xx.2xx.1xx.1xx
pre-shared-key local xxxxxxx
pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile NLAMS02E-PROFILE
match address local interface GigabitEthernet0/1.224
match address local 1xx.2xx.1xx.1xx
match identity remote address 1xx.2xx.1xx.xx 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR-1

crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
mode tunnel

crypto map CMAP-NLAMS02E 10 ipsec-isakmp
set peer 1xx.2xx.1xx.1xx
set security-association lifetime seconds 28800
set transform-set NLAMS02E-TS
set pfs group5
set ikev2-profile NLAMS02E-PROFILE
match address VPN_ACL
!
interface GigabitEthernet0/1.224
description connected to PRIMARY_ISP_ETISALAT
encapsulation dot1Q 224
ip address xx.xx.1x.xx 255.2xx.255.2xx secondary
ip address xx.2xx.xx.1x 255.255.255.2xx
crypto map CMAP-NLAMS02E

 

ip access-list extended VPN_ACL
remark VPN from to the EGCAI01-NLAMS02E-Fortigate3951
permit ip 10.2xx.0.0 0.0.xxx.255 10.0.0.0 0.255.255.255
permit ip 10.2xx.0.0 0.0.xxx.255 172.16.0.0 0.15.255.255
permit ip 10.2xx.0.0 0.0.xxx.255 192.168.0.0 0.0.255.255

 

and for the other network which i don't have reachability to it I'm trying to make desktop remote access on a host within 172 network but i cant reach the host !!!!!

amr alrazzaz

Run packet-tracer to 172 network from the cli and provide the output.

 

Turn on ikev2 debugs, generate some traffic to the 172 network, provide the output of the debugs for review.

can you give me please the exact command of packet tracer to paste there and give u the out put ...

 

i need to test telnet on one host ??? how to type via packet-tracer command ?

 

i also sent u private msg for both vpn setup on router and asa ?

amr alrazzaz

@amralrazzaz 

Run the command twice and provide the output from the second.

 

packet-tracer input inside tcp 10.2x.x.xx.40 54444 172.x.x.x http

 You'll obviously have to change the source and destination IP addresses.

 

Provide the output of the IKEv2 debugs aswell

> packet-tracer input inside tcp 10.246.2.3 54444 172.30.105.30 http

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 1x4.2xx.1xx.1xx using egress ifc outside(vrfid:0)

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 destination static |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside(vrfid:0)
Untranslate 172.30.105.30/80 to 172.30.105.30/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435471 ifc inside object NET-EGCAI01 ifc outside object-group |acDestNwg-268435471 rule-id 268435471
access-list NGFW_ONBOX_ACL remark rule-id 268435471: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435471: L5 RULE: Crypto-ACL-VPN
object-group service |acSvcg-268435471
service-object ip
object-group network |acDestNwg-268435471
network-object object NET-10.0.0.0
network-object object NET-172.16.0.0
network-object object NET-192.168.0.0
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 destination static |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 no-proxy-arp route-lookup
Additional Information:
Static translate 10.246.2.3/54444 to 10.246.2.3/54444

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055f0e79b93b6 flow (need-ike)/snp_sp_action_cb:1575


for debug what shall i choose? from below ?

> debug crypto ikev2
ha debug the ikev2 ha
platform debug the ikev2 platform
protocol debug the ikev2 protocol
timers debug the ikev2 timers

> debug crypto ikev2

amr alrazzaz

Enable the following debugs and provide the all of the output .

 

debug crypto ikev2 platform 128
debug crypto ikev2 protocol 128

Do you have access to the other side of the VPN tunnel?

no i dont have access to other side !!  but as i told you this vpn setup was placed on router and all are working fine but after transferring the setup to ASA i face this issue ..... 

 

yesterday before something weird happen , when tunnel goes down i lost reachability to 10.0.0.0 network and 172.16.0.0 was reachable and i can connect to destination with this network !!

amr alrazzaz

The debugs will provide a clue.

 

You are saying that you previously had a tunnel to 10.0.0.0 network, but no tunnel to 172.16.0.0 network? Then the tunnel to 10.0.0.0 went down and you could then now access 172.16.0.0 network but not 10.0.0.0? Sounds like potentially one of other of the VPN peers can only establish a maximum of 1 IPSec SA per peer. Check with the 3rd party on their configuration.

maybe my configuration on asa is not accurate same as i did on router or i miss something ? 

 

i shared already both setup to compare and see if i did any mistake on asa or not ? because before at router the vpn working perfect with no issues at all ??!!

 

i have checked other side and they said we didn't make any changes at all ??

 

i believe that the issue from my side but i cant catch !!!

amr alrazzaz

> packet-tracer input inside tcp 10.246.2.3 1024 172.30.105.30 22

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 1x4.2xx.1xx.1xx using egress ifc outside(vrfid:0)

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 destination static |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside(vrfid:0)
Untranslate 172.30.105.30/22 to 172.30.105.30/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435471 ifc inside object NET-EGCAI01 ifc outside object-group |acDestNwg-268435471 rule-id 268435471
access-list NGFW_ONBOX_ACL remark rule-id 268435471: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435471: L5 RULE: Crypto-ACL-VPN
object-group service |acSvcg-268435471
service-object ip
object-group network |acDestNwg-268435471
network-object object NET-10.0.0.0
network-object object NET-172.16.0.0
network-object object NET-192.168.0.0
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclSrcNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 destination static |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 |s2sAclDestNwgV4|56ec6bec-5588-11eb-9fd4-17738a579189 no-proxy-arp route-lookup
Additional Information:
Static translate 10.246.2.3/1024 to 10.246.2.3/1024

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055f0e79b93b6 flow (need-ike)/snp_sp_action_cb:1575

>

amr alrazzaz
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: