Crypto keeps dropping on PIX to PIX VPN tunnel

Hello again all
I am posting due to problems with our VPN tunnel.  It appears that the VPN tunnel is dropping due to a crypto error.  Users are complaining that while reading email in Outlook, they will get "Server no longer Available".  

I have been watching logs and the crypto status on 2 sites, and if I do a sho cry isa sa, it shows QM_IDLE, but under the column created the number keeps rising. In one hour, the created column was up to a count of 14.

Errors I receive in log are as follows:

crypto_isakmp_process_block:src:1.2.3.4, dest:4.3.2.1 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1693178854, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

VPN Peer: IPSEC: Peer ip:1.2.3.4/500 Decrementing Ref cnt to:4 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:1.2.3.4/500 Decrementing Ref cnt to:3 Total VPN Peers:1
return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:1.2.3.4, dest:4.3.2.1 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1023884254
ISAMKP (0): received DPD_R_U_THERE from peer 1.2.3.4
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS

Any suggestions on why the crypto would keep bouncing as it appears to be?   Any help would be appreciated.  Thanks
ebigs27Asked:
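As an added illustration (not part of the original post), a small Python parser that attributes the DELETE and DPD lines in `debug crypto isakmp` output like the excerpt above to the peer that sent them and flags peers whose phase-2 SAs are torn down repeatedly. The sample lines are constructed from the excerpt; the second peer 5.6.7.8 and the `max_deletes` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of PIX 6.3 "debug crypto isakmp" output, modelled on the
# lines in the post above. Peer addresses are placeholders, as in the post.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:1.2.3.4, dest:4.3.2.1 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1693178854, spi size = 4
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:1.2.3.4, dest:4.3.2.1 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
ISAMKP (0): received DPD_R_U_THERE from peer 1.2.3.4
ISAKMP (0): sending NOTIFY message 36137 protocol 1
crypto_isakmp_process_block:src:1.2.3.4, dest:4.3.2.1 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 77, spi size = 4
crypto_isakmp_process_block:src:5.6.7.8, dest:4.3.2.1 spt:500 dpt:500
ISAMKP (0): received DPD_R_U_THERE from peer 5.6.7.8
"""

# Each crypto_isakmp_process_block line opens a new exchange with one peer.
BLOCK_RE = re.compile(r"crypto_isakmp_process_block:src:([\d.]+), dest:([\d.]+)")


def summarize_isakmp(debug_text):
    """Per peer: number of exchanges, DELETE payloads and DPD keepalives seen.
    Events are attributed to the src address of the most recent block line."""
    stats = defaultdict(Counter)
    peer = None
    for line in debug_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            peer = m.group(1)
            stats[peer]["exchanges"] += 1
            continue
        if peer is None:
            continue  # lines before the first block header cannot be attributed
        if "processing DELETE payload" in line:
            stats[peer]["delete"] += 1  # peer tore down an SA
        elif "DPD_R_U_THERE" in line:
            stats[peer]["dpd"] += 1  # peer is probing whether we are still up
    return {p: dict(c) for p, c in stats.items()}


def churning_peers(stats, max_deletes=1):
    """Peers that sent more DELETE payloads than max_deletes in the captured
    window; a steadily growing 'created' count in 'show crypto isakmp sa'
    goes together with repeated deletes like these."""
    return sorted(p for p, c in stats.items() if c.get("delete", 0) > max_deletes)
```

Run it over a longer capture and the peers it returns are the ones to start checking first (line quality, DPD timers, mismatched lifetimes).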
Freya28Commented:
The line itself could be bouncing, and I assume the isakmp policies are the same. Try resetting the key if using a pre-shared key. I have experienced things like this with my pix to pix tunnels, and to resolve the issue I tore down the crypto statements and isakmps and rebuilt them.

ebigs27Author Commented:
Freya
Thanks for the reply.  Did remove crypto settings and added back in with no success.  Still bumping crypto.  ISA policies are the same.  
Freya28Commented:
I would have the ISP check the line. The pix's are very simple. I run many of them, static to static, static to dynamic, and all works well. Besides the rebuilding of the tunnels, I would have the ISP check the lines. I would also keep a constant ping from one site to the other and see when you are dropping connection, as well as keeping a constant ping on an outside source and see when that drops.
ebigs27Author Commented:
Is there a command in the pix that allows me to run a continuous ping from outside to outside?  I can keep one up from within the tunnel, but if that goes down, it is not for sure if the connection between pix's has actually taken a hit.
Freya28Commented:
No, the pix has no extended ping options. What IOS version are you running, by the way?
Freya28Commented:
We also need to check your access-lists. How do they look on each side, and are you adding the nonat access-list?
ebigs27Author Commented:
At the moment, the access-list is wide open, allowing anything inside to anything out and allowing trusted networks on the outside to anything inside. If it was in fact an ACL problem, wouldn't the problem be all or nothing? If they can work sometimes, then it freezes on them, I would think the ACL is not the culprit.

I am not using the nonat access-list and my version is 6.3(3) and 6.3(4)

Thanks again
Freya28Commented:
Yes and no, with the all or nothing. I have seen strange things :)

On one pix i would have

access-list acl_name permit ip inside_network inside_network_mask outside_network outside_network_mask

access-list nonat permit ip inside_network inside_network_mask outside_network outside_network_mask

nat (inside) 0 access-list nonat


and do this on the remote pix as well, if not already done.
ebigs27Author Commented:
Let me understand this better before I proceed. This will send all traffic through the tunnel? Currently using split config, so any internet request will go directly out, and anything destined to our network will go through the tunnel.
Freya28Commented:
Yes, it will. Each site will have its own internet route, but LAN-based traffic is defined by the access-lists.
ebigs27Author Commented:
I really appreciate the time you have given so far.  

Currently my nat's look something like this on my host PIX 515.

access-list inside_nat0_outbound extended permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCIS 255.255.0.0 NFVN 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCIS-alt 255.255.0.0 NFVN 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCIS 255.255.0.0 NFLC 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCIS-alt 255.255.0.0 NFLC 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0

Don't the translation exemption rules = the no nat statements?
Freya28Commented:
I think I see some of the problem.

I would name the access list and then duplicate it with the nonat list. All of your above access-lists are natting to 0, which means don't let the traffic in.

access-list staticvpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list nonat

and make sure on your crypto map you match the address to "staticvpn"

crypto map queensmap 5 match address staticvpn  (or what ever crypto # you have)
ebigs27Author Commented:
This is One site of 19 on the PIX 515.

access-list inside_nat0_outbound extended permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
access-list outside_cryptomap_30 extended permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list outside_cryptomap_30 extended permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 1.2.3.4
crypto map outside_map 30 set transform-set ESP-3DES-MD5

Is this what you are saying for me to change?  

access-list staticvpn permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list staticvpn permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
access-list nonat permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list nonat permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
access-list outside_cryptomap_30 extended permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list outside_cryptomap_30 extended permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 1.2.3.4
crypto map outside_map 30 set transform-set ESP-3DES-MD5
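As an added example (not from the original thread), a Python check of the point Freya28 is making in the exchange above: every entry in an access-list referenced by a crypto map's `match address` should have an identical entry in the access-list used by `nat (inside) 0 access-list ...`, since traffic that is translated before encryption will not match the peer's crypto ACL. The config fragment is constructed from the poster's lines; `outside_cryptomap_40` and NFVN-to-site-40 are assumptions added to show an entry the check catches.

```python
import re

# Constructed PIX 7.0 fragment modelled on the post above. NCIS/NFFM/NFVN are the
# poster's "names" entries and are kept symbolic. outside_cryptomap_40 is assumed
# here: a tunnel whose traffic has no matching nat 0 (exemption) entry.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
access-list outside_cryptomap_30 extended permit ip NCIS 255.255.0.0 NFFM 255.255.255.0
access-list outside_cryptomap_30 extended permit ip NCIS-alt 255.255.0.0 NFFM 255.255.255.0
access-list outside_cryptomap_40 extended permit ip NCIS 255.255.0.0 NFVN 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 40 match address outside_cryptomap_40
"""

# "extended" is optional so the same parser reads 6.3 and 7.0 style lines.
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")


def parse_config(text):
    """Return (acl entries by name, nat-0 ACL by interface, crypto ACL by map/seq)."""
    acls, nat0, crypto = {}, {}, {}
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(tuple(m.group(2, 3, 4, 5)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := MATCH_RE.match(line):
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0, crypto


def unexempted_crypto_entries(text, interface="inside"):
    """Crypto ACL entries (src, smask, dst, dmask) with no identical line in the
    nat 0 exemption ACL on the given interface, as (map, seq, acl, *entry)."""
    acls, nat0, crypto = parse_config(text)
    exempt = set(acls.get(nat0.get(interface, ""), []))
    problems = []
    for (mapname, seq), aclname in sorted(crypto.items()):
        for entry in acls.get(aclname, []):
            if entry not in exempt:
                problems.append((mapname, seq, aclname) + entry)
    return problems
```

A config with the "names" command expanded (as Freya28 suggests for troubleshooting) parses the same way, since the check compares the four address/mask fields textually.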
Freya28Commented:
Your config looks ok. Do you have actual ip addresses on these lists, or I guess I mean what is NCIS?
ebigs27Author Commented:
It's just a name associated with the IP addresses.
Freya28Commented:
Oh, so you are defining it with the names command. I would remove the names command and let the access-list show the true ip, just for troubleshooting. Otherwise, like I said earlier, I would have the ISP do an intrusive test on both circuits to see if the circuit is bouncing, or just have them put a monitor on the circuit.

Another thing I would do is take out the extended list. I have only seen the extended version of the access-list with version 7.0 and up.
ebigs27Author Commented:
Sorry, forgot to mention that the HOST pix 515 is 7.0.  The remotes are all 6.3(3) and (4).  

I would jump at the ISP's, but several sites have been having problems.  All different ISP's.  Seems a little fishy.   Out of the 19 sites online, 14 are working with no issues.  All the remote sites have the same base configurations.  

I appreciate the help on this.  I will do more reading on the NAT's and see if what you suggested will work on the problem sites.  

Thanks again and I will check back on here tomorrow.
Freya28Commented:
Ah, more info. That is what I needed to rule that out.

And none of these networks have overlapping ip schemes?

And I assume on your 7.0 pix your tunnel-groups are set up for l2l.

Also, the outlook errors could be for many reasons; the mailbox may be quite large. Are there any other network issues, meaning that at the time that the outlook errors appear, can you browse the remote networks?
ebigs27Author Commented:
No overlapping ip's.
Yes, tunnels are set lan to lan.
Since these sites are all over the world, not too detailed on the troubleshooting efforts in the field. I do know that with the split tunneling, internet access never takes a hit. As for browsing remote networks, will have to check with users, but I do think it is only outlook being a problem; other applications seem ok.

Freya28Commented:
Outlook is very resource intensive and is dependent on a tight, steady connection, and any minor communication disruption can cause that outlook balloon to pop up and say that it lost connection. I bet browsing the networks is not an issue.
Freya28Commented:
As stated before, it could be an issue with the mailbox size. Here is a document that is a fix:

http://itt.theintegrity.net/pmwiki.php?n=ITT.OutlookPST
ebigs27Author Commented:
Going to try using offline mode. Hope this will make the brief interruptions not noticeable. Thanks again for the advice and I will be back on after testing is complete.