
VPN was down after running for a few hours

kevinshkong11
Level 1

Hi ALL,

I am facing an issue where the VPN goes down after running for a few hours.

It happens after migrating to a new WAN connection.

It goes back to normal if I revert to the existing WAN connection.

I found that it shows a different encryption and hash from what I configured.

 

asa(config)# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
asa(config)# sh cry
asa(config)# sh crypto is
asa(config)# sh crypto isakmp sa det

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 185.146.223.162
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 0

Kindly advise.

Thank you

13 Replies

kevinshkong11
Level 1

Hi ALL,

Anybody can help?

Thank you.

hi,

the status of your IKEv1 (MM_WAIT_MSG2) means it wasn't successful.

you should see "MM_ACTIVE" for established IPsec VPN peering.

did you configure the new public IP address on the remote VPN peer on its crypto map?

kindly post sanitized config from both VPN peers.

Hi,

I did configure the new public IP on the remote VPN peer.

Please find the config attached.

Hello,

if 218.98.128.178 is the new IP, your local ASA is still pointing at 185.146.223.162.

you need to change the configuration of the tunnel on your side.

remember to create the tunnel-group and change the peer on the crypto map.

let me know if that helps.

Hi,

185.186.223.162 is the remote peer IP address.

The attachment is the branch ASA config.

The remote site is HQ, which is using a SonicWALL.

218.98.128.178 is the current public IP, which works fine with the VPN.

For the new public IP, I only changed the interface vlan 2 IP address and the default route.

As for the remote site, I will point it to the new IP.

But I have a VPN issue after migrating to the new public IP.

Hi,

enable crypto on the outside.

crypto map outside_map interface outside

Hi,

Sorry, I accidentally deleted it in the attached file. Actually it is there.

Well, the configuration on your side looks good, but you are sending the request and the reply is not coming back.

is the SonicWALL already pointing at 218.98.128.178? make sure it also supports 3des and md5 for phase 1.

also your next hop IP is probably not right

route outside 0.0.0.0 0.0.0.0 219.95.126.177 1

can you ping 4.2.2.2 from the ASA?

Hi,

It is correct.

I can ping.

route outside 0.0.0.0 0.0.0.0 218.98.128.177 1

ok i guess the config was just not updated.

what shows on the command is not the problem.

let's get a capture:

cap cap interface outside match ip host 218.98.128.178 host 185.146.223.162

try to send traffic in order to bind the tunnel and get:

#show cap cap

then also export the capture: https://218.98.128.178/capture/cap/pcap

save it and attach it here.

what we are probably going to see is one-way traffic. probably the peer does not know how to get to 218.98.128.178, or the ISP could be blocking UDP 500.

Hi,

It is pointing to the new one.

But just when I do sh crypto isakmp sa det

Encrypt : aes-256         Hash    : SHA

It shows a different encryption.

Is it normal?

I reproduced the issue in a lab; that seems to be expected. I will let you know if I find proper documentation for that.

so don't worry about that for now.

review the attachment.
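As an added example (not from this thread or from Cisco), a small Python helper that applies the reasoning in the replies above to the two outputs the poster quoted: a peer stuck in MM_WAIT_MSG2 has sent MSG1 and got nothing back, so its Encrypt/Hash columns are not a negotiated result and are only compared with the configured policy once the state is MM_ACTIVE. The sample outputs are constructed from the pasted text.

```python
import re
# Sample outputs constructed from what the poster pasted above (not a live capture).
SAMPLE_POLICY = """crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""
SAMPLE_SA = """   Active SA: 1
Total IKE SA: 1
1   IKE Peer: 185.146.223.162
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 0
"""
def parse_policy(text):
    """Attributes of the first 'crypto isakmp policy' block as a dict."""
    return dict(re.findall(r"^\s+(authentication|encryption|hash|group|lifetime)\s+(\S+)",
                           text, re.M))

def parse_isakmp_sa(text):
    """One dict per 'IKE Peer' block of 'show crypto isakmp sa detail'."""
    peers = []
    for block in re.split(r"\n(?=\d+\s+IKE Peer:)", text):
        m = re.search(r"IKE Peer:\s*(\S+)", block)
        if m:
            f = dict(re.findall(r"(\w+)\s*:\s*(\S+)", block))
            peers.append({"peer": m.group(1), "role": f.get("Role"), "state": f.get("State"),
                          "encrypt": f.get("Encrypt"), "hash": f.get("Hash")})
    return peers

def diagnose(sa_text, policy_text):
    """Classify each peer; compare algorithms with the policy only once MM_ACTIVE."""
    policy = parse_policy(policy_text)
    results = []
    for p in parse_isakmp_sa(sa_text):
        r = {"peer": p["peer"], "state": p["state"], "policy_mismatch": None,
             "note": "phase 1 incomplete (state %s)" % p["state"]}
        if p["state"] == "MM_ACTIVE":
            r["note"] = "phase 1 established"
            r["policy_mismatch"] = (p["encrypt"].lower(), p["hash"].lower()) != (
                policy.get("encryption"), policy.get("hash"))
        elif p["state"] == "MM_WAIT_MSG2" and p["role"] == "initiator":
            # MSG1 went out, nothing came back: Encrypt/Hash are not a negotiated result yet.
            r["note"] = ("no reply from peer: check it targets this public IP, offers a "
                         "matching phase-1 proposal, and that UDP 500 is not filtered")
        results.append(r)
    return results
```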