Cisco VPN :: Unstable Connectivity In C870 Vs Firewall ASA 5510 Tunnel

Oct 24, 2012

I have a dynamic site-to-site VPN between an ASA 5510 firewall with ASA version 8.2(1) (the ASA firewall has a static IP, 201.111.14.114) and a C870 ISR (the ISR has a dynamic IP). The tunnel and the connectivity on both sides are successful; however, each time an interface restart occurs because the Internet link is unstable on the ISR side, the VPN tunnel does not go to the UP state again.

These are the ISR logs listed when the VPN goes DOWN:
*Mar 10 13:58:45.157: %LINK-3-UPDOWN: Interface ATM0, changed state to down
*Mar 10 13:58:46.157: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down

[Code]......


Cisco VPN :: Unstable IPSEC Tunnel Between 892 And Chkpt VSX R67 / ISAKMP

Jun 29, 2011

I am currently experiencing an issue with an IPSEC Tunnel between a Cisco892-K9 (c890-universalk9-mz.124-22.YB.bin / Feature: advipservices) and a Checkpoint VSX R67.
 
After reloading the router the tunnel is stable, but afterwards we lose the connection to the LAN unexpectedly (max. time of the connection is ~2h30).

In fact, after a reload the first ISAKMP SA is negotiated correctly with conn-id 2001, and after a certain amount of time the connection is lost, always associated with this debug message =>
 
ISAKMP:(2001):error from epa_ikmp_gen_ipsec (QM_IDLE     )
ISAKMP:(2001):Unable to generate IPsec key for 799280698!
ISAKMP:(2001):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE       (peer 194.X.X.X)
and so on ....
 
We supposed it was related to DPD messages so we deactivated the keepalive (no crypto isakmp keepalive). We also tried to play with the ACL matching the crypto map (currently from local subnets to any), but still no luck.

When it is stable, 'show crypto isakmp sa' indicates an ISAKMP SA (QM_IDLE / ACTIVE), and when the problem occurs the active ISAKMP SA is deleted and recreated (in ACTIVE state) continuously: conn-id 2001, 2002, 2003, 2004, etc., but still no access to the LAN.

My main question is whether someone already knows the meaning of the previous ISAKMP debug messages (along with the total debug message + crypto conf from the beginning of the problem). Could it be platform support (nearly 200 IPsec flows in use: mostly subnet-to-subnet flows, a few subnet-to-host flows; 200 users on site), compatibility, crypto map ACL ...?


Cisco VPN :: ASA 5510 - Connectivity Between Tunnel And Site-to-Site?

Dec 28, 2012

When my users are connecting to their remote VPN (ASA 5510) they can't reach subnets which are connected through VPN site to site (Same ASA).


Cisco VPN :: ASA 5510 - Enable VNC Connectivity Through VPN Firewall?

Sep 28, 2011

We would like to give our HelpDesk and Network team the ability to connect to laptops through our ASA 5510 VPN device using a Secure VNC application. Not sure if this is possible or how to enable this option.


Cisco Firewall :: 5510 - ASA A/A Port Connectivity

Sep 1, 2011

I'm not sure how to connect my firewall for Active/Active.
 
I'm sure the 5510 has layer 3 ports.
 
Can I configure more than one port to sit on the same VLAN?

Or configure more than one port to trunk the same VLANs?


Cisco Firewall :: ASA 5510 And 2800 VPN Router Connectivity?

Apr 23, 2013

I have been tasked to connect a 2800 router to our ASA 5510 firewall. The router will be used as a VPN router. It will terminate two different VPN connections to two different networks. I can set up the 2800 VPN config, but what would I need to do to set up the firewall? I am using an extra Ethernet port (it has 4) to directly connect the router. The FW has our outside internet connection, the DMZ, and our inside LAN connection. I do not have a lot of experience with firewalls and I do not want to create a security breach while trying to set this up!!


Cisco Firewall :: 5510 - VPN Tunnel Between Two Locations

May 23, 2011

Firewall ASA5510. I'm planning to get an ASA5510 for our office in order to secure our network properly; however, we have a quite specific routing configuration to allow us to fail over to the remote location (data center) in case of any disaster with our server. I'd like to find out if I can just install the firewall between our ISP router and the internet and allow traffic to/from the data centre. In this situation, will I have to change the routing configuration on the company router, or do I have to do anything with our company router?


Cisco Firewall :: VPN Tunnel Between 5510 And Rv042?

Nov 27, 2012

I don't know if this is in the right section, but I cannot set up a VPN tunnel between an ASA 5510 and a Cisco RV042 router. I believe the problem is because I need to set up a NAT exempt rule on the rv042 route but don't know how.


Cisco Firewall :: 5510 / L2L Tunnel Keeps Dropping?

May 15, 2013

I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up in a few minutes. I am trying to see what is causing this to drop.


Cisco Firewall :: ASA 5510 - Vpn Tunnel Not Working From One End

May 9, 2013

I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
 
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
 
Obviously our crypto maps don't match; I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is: why would I be able to bring the tunnel up on my end if the crypto maps don't match, and he can't bring it up?


Cisco Firewall :: VPN Tunnel Not Working From One End ASA 5510

Dec 5, 2012

I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
 
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
 
Obviously our crypto maps don't match; I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is: why would I be able to bring the tunnel up on my end if the crypto maps don't match, and he can't bring it up?


Cisco Firewall :: 5510 - Get Internet Connectivity On ASA Inside Interfaces?

Dec 30, 2012

I have a Cisco ASA 5510 with 3 inside interfaces each connected to a 3750X switch port in a vlan. Outside interface is connected to external router with 209.155.x.x public IP. Static route exists for outbound traffic on outside interface.
 
3750X is configured for inter-vlan routing. VLANs 10, 20, and 30 have 172.16.x.1 IP address with static routes pointing to the each of the ASA inside interfaces - 172.16.x.254. Connected hosts are configured with gateways pointing to the appropriate vlan interface IP - 172.16.x.1.
 
Inter-vlan routing appears to be working - I can ping back and forth between hosts on different vlans, and I can ping each vlan IP. I can also ping each ASA inside interface from a host in the appropriate vlan, but I cannot ping internet sites (4.2.2.2 or 8.8.8.8) from hosts on the inside interfaces.

I can ping 4.2.2.2 from the ASA CLI. I can ping internal hosts on vlans 10, 20, 30 from the ASA CLI. But no luck with pinging from inside hosts to internet hosts.


Cisco Firewall :: IPSec Tunnel On Sub-interface On ASA 5510?

Jun 11, 2012

I am working on a security solution using an ASA firewall. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on an ASA 5510?


Cisco Firewall :: ASA 5510 Tunnel - Replicate Data Between Two Locations

Oct 3, 2012

I am not an ASA expert but I have configured them a few times. I have a vision of a task I have to complete but am not sure if it is practical or how to go about doing it.

We have two locations, Location A and Location B. Both locations have a 100MB internet connection. Location A has an ASA 5510. Location B has a 5505. Users at both locations access the internet via their respective ASA. Location A is the headquarters and Location B is a disaster recovery site. We want to set up a tunnel between both ASAs. This tunnel will be used to replicate data between the two locations for DR purposes. We need the users to still use the same pipe to get to the internet but want to allocate 10MB for internet use and the remaining 90MB for the DR tunnel.


Cisco Firewall :: No ASDM SSH Access To Inside Int Across L2L Tunnel In Asa 5510

Jul 19, 2011

So I've run into a problem on my ASA5510, post-upgrade I can no longer connect to the inside interface from across our L2L VPN. I've tried both ASDM and SSH and the connections fail. I see in the logs that the attempt is being made, but it will eventually time out. There have been no problems with this type of connection with any previous upgrades, just this particular upgrade, I went from 8.4(1) to 8.4(2). I don't see much in the release notes or anything in a pre/post config diff that jumps out as a cause to this behavior. The only thing I did see in the release notes "CSCtg50770 Mngt-access (ASDM,SSH) to inside intf of 5580 fails over RA VPN session" which sounds like it could be my problem, but that was in the "Fixed in 8.4(2)" section and says it's for a 5580, maybe the fix for the 5580 broke it on a 5510??? I hope not and that I'm simply missing some new setting that I need to enable for this type of connection as this device is in a remote office.


Cisco Firewall :: ASA 5510 Monitoring Loses SNMP Connectivity With SCOM 2012

Apr 4, 2013

I'm currently implementing Microsoft System Center 2012 Operations Manager. The current stage of the project is to add the network devices to SCOM via SNMP in order to monitor them. I am able to add them all and monitor them; however, with my ASA 5510, although SCOM discovers the ASA via SNMP and adds it to the network monitoring list, it loses SNMP connectivity every 30 minutes, and 15 minutes later it reconnects with SCOM, then after another 15 minutes it loses the connection again, and so on and so forth.


Cisco Firewall :: 5510 RADIUS Based AAA For Remote Access Tunnel Groups

Nov 22, 2011

How would I go about configuring RADIUS based AAA for remote access VPN users?  I have an OSX RADIUS server and an ASA 5510
 
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?) What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?


Cisco VPN :: C870 - Put 3 VPN In Same Router

May 26, 2013

I have a C870 router and I would like to put on it 2 different site-to-site VPNs and a remote access VPN (VPN clients). Is it possible to put the 3 VPNs on the same router? If yes, are there any steps or an example to configure it?


Cisco Firewall :: ASA 5510 - Allow Only One Host Access To VPN Site To Site Tunnel

May 28, 2012

I have an ASA 5510 that has multiple site-to-site VPNs. I need to create an additional site-to-site VPN but only allow 1 host to access and traverse the tunnel. The network is on a 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I don't want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?


Cisco VPN :: VPN Connectivity Lost After Giving It Key Asa 5510

Apr 3, 2011

I have an L2L IPSEC tunnel between a failover pair of two ASA5510s and a single ASA5505. Over time they will lose connectivity through the tunnel. The tunnel itself stays up, but cannot pass any traffic. When looking at the tunnel I always see this on the set of 5510s (marked in bold @ IPSEC ID 3)?


Cisco VPN :: 5510 - How To Create ASA / VPN Tunnel

Jun 11, 2013

We currently run dual ASA 5510s in A/S config on our main campus. We would like to create a VPN tunnel to a branch campus. We are trying to decide between a 5505/5510/5512x. We would like to extend many of the capabilities of our network to the branch campus, which will be 20-50 users on a 50mb/10mb internet connection.
 
Domain login
System Center workstation management
Cisco WCS
Shoretel voip
(Cisco NAC?)
 
Several different VLANs for wireless guest, student traffic, staff traffic, voip traffic, etc. Which device would be best and should we get the security plus license with it?


Cisco VPN :: 5510 - Get A Tunnel Established?

May 2, 2012

I have two 5510s between which I am trying to get a tunnel established. One has an existing tunnel to a 5505 that works, but I can't get the next one to get past the first phase. I have sanitized the attached configs.


Cisco VPN :: 5510 VPN Tunnel Looks Up But No Ping

May 30, 2012

I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.


Cisco VPN :: ASA 5510 / VPN Tunnel Drops Due To Inactivity?

Dec 12, 2011

I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel, when our clients send traffic and the tunnel is down due to inactivity it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?


Cisco VPN :: ASA 5510 - Configuration To Do NAT Of Incoming Tunnel

Apr 25, 2013

I have been struggling to come up with the proper config to do a NAT of an incoming VPN tunnel to a VLAN on my network. I have an ASA 5510 with an IPSEC site-to-site tunnel to a partner network of 166.110.0.0/17. I have several VLANs on the ASA interface behind a cat4500 router (192.168.100.0/24, 172.16.4.0/24, 166.110.128.0/22 etc). The only network that the partner network sees is the 166.110.128.0/22. My problem is that I need to give them access to a node on my 192.168.100.0/24 net, but can't get the admin on the other side to add a route and adjust his tunnel.


Cisco VPN :: No Traffic Over Tunnel Between ASA 5505 And 5510

Dec 5, 2010

I have an ASA 5510 on the main site and different ASA 5505s on secondary sites for VPN tunneling between the sites. The problem is that the tunnels are established but no traffic is going over them. What am I doing wrong? For the moment there is an ASA 5505 on the main site managing the tunnels, but I want the 5510 to take over the job.


Cisco LAN :: Debug An Ipsec Tunnel On An ASA 5510 (8.4(3))?

Mar 5, 2012

I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get a constant stream of TCP debugging events. Is it possible to only view ipsec messages?


Cisco VPN :: ASA 5510 / RVS 4000 - VPN Tunnel Reset

Nov 7, 2012

I have an ASA 5510 at V8.2(5) with something near 20 site-to-site VPN tunnels. I am having a problem with 1 tunnel to an RVS4000. The tunnel is completely closed and reset during Phase 2. Here is a small snippet at the time of the tunnel reset:
 
x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPsec, Duration: 7h:36m:30s, Bytes xmt: 333755, Bytes rcv: 86281, Reason: User Requested
Followed by Group = x.x.x.x, IP = x.x.x.x, Active unit receives a centry expired event for remote peer x.x.x.x.
 
We use a number of connection-oriented sessions and this is blowing them out of the water. All other tunnels are up for DAYS to more than a month.


Cisco VPN :: 5510 - Traffic Through Tunnel Is Very Slow

Jun 8, 2011

I have a strange VPN problem. I just added a new VPN tunnel to our ASA5510, and the users report that the traffic through the tunnel is very slow; when I try it myself I get a speed like 50kb/sec to the internal server. If I use our regular tunnel or any other tunnel the speed is just fine. I've added the new tunnel in the same way as the other tunnels, that is, through the ASDM VPN wizard.


Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask a question about the VPN client and SSL VPN. On my ASA 5510 I have many tunnel-groups, around 5, and I have one SSL VPN. I also have 20 users. Let me show you:
 
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
 
and I have around 20 users, and I want to assign specific users to tunnel-groups like this:
 
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
 
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
 
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
 
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
 
So, how can I manage tunnel-groups with users?


Cisco VPN :: 5510 - Connection Fails Using Full Tunnel?

Mar 31, 2012

We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?


Cisco VPN :: 5510 - IPSEC Tunnel Won't Attempt Connection

Jul 31, 2012

I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step-by-step configurations from Cisco ASA configs, as well as every source I can find. I have walked through the config with IOS commands as well as wizards. All my packets are dropped at the inside or outside interface.

When I run the SH ISAKMP command all I get are 0's straight down.


Cisco VPN :: ASA 5510 - Internal IP From Sonicwall LAN / Setup A VPN Tunnel?

Nov 5, 2011

I am trying to set up a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and a Sonicwall TZ200. I got the tunnel up and going and I am able to ping the Cisco ASA internal IP from the Sonicwall LAN, but nothing else works.

When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message "Asymmetric NAT rules matched for forward and reverse flows;

[code]...








Copyrights 2005-15 www.BigResource.com, All rights reserved