cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2543
Views
0
Helpful
8
Replies
web_oracle3
Beginner

VPN Tunnel keeps dropping between PIX 501 and ASA 5510

Hi all!

I am having problems establishing the VPN Tunnel between my PIX 501 and ASA 5510 device. The VPN tunnel does gets established but breaks off after a few minutes. Is there any issue with differences in os between the two, PIX running 6.3(5) and ASA running 7.2(4)?

8 REPLIES 8
Jennifer Halim
Cisco Employee

Shouldn't be any issue between PIX and ASA firewall.

What error messages are you getting?

Can you please check if the lifetime is configured to be the same for both phase 1 and phase 2 policy? and also keepalive is enabled?

Can you please share the output of "debug cry isa" and "debug cry ipsec" from both PIX and ASA just prior to the VPN tunnel dropping?

The error msg is :

Jan 24 10:46:17 [IKEv1 DEBUG]: IP = 60.241.82.144, IKE MM Initiator FSM error history (struct &0x49b9558)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jan 24 10:46:17 [IKEv1 DEBUG]: IP = 60.241.82.144, IKE SA MM:23cd5269 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jan 24 10:46:17 [IKEv1 DEBUG]: IP = 60.241.82.144, sending delete/delete with reason message
Jan 24 10:46:17 [IKEv1]: IP = 60.241.82.144, Removing peer from peer table failed, no match!
Jan 24 10:46:17 [IKEv1]: IP = 60.241.82.144, Error: Unable to remove PeerTblEntry

The lifetime of Phase 1 in both sides is 86400,and the one of phase 2 is default. We tried to set keep alive in both sides but did not work.The weird part was when vpn down and we made ASA to initiate session. the type of  isakmp sa changed to user not L2L,and stoped at MM_MSG2. After rebooting PIX,VPN is able to work well.However VPN is down frequently .



I would appreciate it  if you could find what happen.

If it's stuck on MM_WAIT_MSG2, that means it is not receiving any reply. Phase 1 consists of 6 message exchanges, and currently message 1, and it's waiting for the reply/confirmation that MSG2 has been received by the peer, however, there is no reply.

What is the status on the peer when this side is on MM_WAIT_MSG2?

Is there any ACL in front of the PIX or ASA that might be blocking UDP/500 in one direction, or it's a stateful firewall hence only allowing UDP/500 after it has been initiated from the other direction?

Pls kindly share the config from both PIX and ASA to confirm.

Thank you for your advice. We did some testing to check what happened after vpn down and found sometimes vpn was able to come back ,however most of the time it was stuck on MM_Waiting_MSG2 before ASA stopped connection . Sysopt connection permit-vpn is on the both sides and NAT-T is uesed.

Both sides can act as initiator and responder that 's why we dont think it is caused by stafefull firewall.

Some part of setting related to VPN are posted as follows. We 'd appreciate it if you can give further advice.

PIX:

access-list nonat permit ip 10.1.28.0 255.255.255.224 10.1.22.0 255.255.254.0

access-list nonat permit ip 10.1.28.0 255.255.255.224 192.168.1.0 255.255.255.0

access-list vpn_scouts permit ip 10.1.28.0 255.255.255.224 10.1.22.0 255.255.254.0

access-list vpn_scouts permit ip 10.1.28.0 255.255.255.224 192.168.1.0 255.255.255.0

ip address outside 192.168.188.253 255.255.255.0
ip address inside 10.1.28.30 255.255.255.22

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.28.0 255.255.255.224 0

sysopt connection permit-ipsec
crypto ipsec transform-set TSET_VPNCLIENT esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address vpn_scouts
crypto map newmap 10 set peer 203.47.192.200
crypto map newmap 10 set transform-set TSET_VPNCLIENT

isakmp enable outside
isakmp key ***** address 203.47.192.200 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 60
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 8640

ASA:

interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 203.47.192.200 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif dmz
security-level 25
ip address 192.168.1.253 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.22.253 255.255.255.0


access-list nonat extended permit ip 10.1.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.22.0 255.255.255.0 10.1.28.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.28.0 255.255.255.0

access-list vpn_stephen extended permit ip 10.1.22.0 255.255.254.0 10.1.28.0 255.255.255.224
access-list vpn_stephen extended permit ip 192.168.1.0 255.255.255.0 10.1.28.0 255.255.255.224

global (outside) 1 203.47.192.199 netmask 255.255.255.224
nat (dmz) 0 access-list nonat
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0

sysopt noproxyarp inside
crypto ipsec transform-set TSET_VPNCLIENT esp-3des esp-md5-hmac
crypto dynamic-map dyna 1 set transform-set TSET_VPNCLIENT

crypto map vpnclient 20 match address vpn_stephen
crypto map vpnclient 20 set peer 60.241.82.144
crypto map vpnclient 20 set transform-set TSET_VPNCLIENT

crypto map vpnclient 6550 ipsec-isakmp dynamic dyna

crypto map vpnclient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal  60

tunnel-group 60.241.82.144 type ipsec-l2l
tunnel-group 60.241.82.144 ipsec-attributes
pre-shared-key *********
peer-id-validate nocheck

Hi,

Looking at the ocnfig, the PIX's outside IP address is private (192.168.188.253) while the peer IP on the ASA is public (60.241.82.144). So there has to be a NATing device in between (outside the PIX).

What deivce is doing the NATing? Is it a 1:1 mapping? If not, only the PIX will be able to initiate the VPN connection. If it is a 1:1 mapping, ensure UDP 500 and 4500 is allowed inbound through it.

Cheers,

Prapanch

P.S:  In the config of the PIX, i do not see the crypto map applied to the outside interface. I am guessing it's something that you missed out.

Yes there is a NAT device outside PIX .Actually it is a ADSL modem with router.

We don't think it causes the problem ,as ASA is able to  act as initiator during our testing.

At present , we add a command to keep alive in the PIX  .  Then problem seems to be solved , PIX not dropping vpn for a week . We will do more testing to verify . Thank you .

PS

"isakmp enable outside" is in the config file.

One more question not related to this issue I'd like to ask, "sysopt connection permit-vpn" will make ASA accept vpn  as trust traffic regardless ACLs on the outside interface . However  should I add ACL on inside or DMZ interface to allow inside traffic to flow into VPN subnet?

Hi,

the "sysopt" command is effective only for ACLs applied on the interface where a VPN tunnel terminates.

You do not need specific ACLs on the inside and DMZ interfaces to allow VPN traffic unless there is already one in place in which case you will need to ad lines to allow VPN traffic.

HTH.

Cheers,

Prapanch

After add keepalive in PIX , VPN turns to be stable . Even if VPN connection is down ,PIX is able to initiate connection . However ASA can not initiate connection. It is always stuck in MSG2.

Content for Community-Ad