First, I am an experienced IT professional but primarily a "software guy". I have plenty of exposure to network configuration and equipment, but I am not a Cisco certified engineer, nor do I play one on TV, and I've never slept at a Holiday Inn Express. I am familiar with creating and maintaining VPN tunnels in limited circumstances. That is to say, I understand what I've done in the circumstances where I have been involved in creating and maintaining the tunnel, but my knowledge base is limited to only those experiences. This is my first experience with Cisco products.
I have an ASA 5505 VPN appliance. It is installed, configured and working OK. It IS NOT configured using the "Easy VPN" stuff. It is configured with an L2L tunnel (connected to a Cisco 3000 VPN concentrator on the other end). My issue is that it appears to shut the tunnel down in periods when there is no activity across the tunnel. The users on the "other side" of the tunnel cannot re-establish the tunnel once it is down. I re-establish it by using the ASDM tool to trace packets from our side to theirs.
It appears that the tunnel will stay established as long as there is activity (specifically, activity originating from our side of the tunnel) and, as such, I have put a persistent ping in place to ping from our side to the other side once per minute. The tunnel appears to persist under this condition.
Any ideas? I have attached the ASA 5505's running configuration. However, I have "redacted" the public IPs for security reasons... (if it helps, "x.y.z.0" is our public subnet, "t.u.v.0" is our internal private LAN subnet, "a.b.c" is the universal subnet used on the tunnel and "j.k.l" is the public subnet on the other side of the tunnel)
: Saved
:
ASA Version 7.2(2)
!
hostname ---------
domain-name -------.com
enable password ------------------ encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address x.y.z.213 255.255.255.0
!
interface Vlan2
nameif inside
security-level 0
ip address t.u.v.254 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd FmZUfYft9vhrGvu2 encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
domain-name ecsginc.net
dns server-group ecsginc.com
name-server t.u.v.1
domain-name ecsginc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_vpn extended permit ip host a.b.c.33 host a.b.c.25
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host x.y.z.213 eq ssh
pager lines 24
logging enable
logging asdm-buffer-size 512
logging buffered debugging
logging asdm debugging
logging facility 23
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 t.u.v.4 255.255.255.255
static (inside,outside) a.b.c.33 t.u.v.4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.y.z.1 1
route outside a.b.c.25 255.255.255.255 x.y.z.213 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password ------------- encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-HMAC esp-3des esp-md5-hmac
crypto map outside_map0 1 match address outside_vpn
crypto map outside_map0 1 set peer j.k.l.189
crypto map outside_map0 1 set transform-set ESP-3DES-HMAC
crypto map outside_map0 1 set reverse-route
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 43200
crypto isakmp nat-traversal 20
tunnel-group j.k.l.189 type ipsec-l2l
tunnel-group j.k.l.189 ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
telnet timeout 1440
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp error
!
service-policy global_policy global
smtp-server x.y.z.13
prompt hostname context
no compression svc http-comp
Cryptochecksum:4362f4d3bfbfa98870ba242e44cf148c
: end
You have nat-traversal enabled, so what I recommend is checking the match ACL in the Cisco 3000 and the route in a.b.c.25. The match ACL defines the traffic that flows through the tunnel.
The following is yours:
access-list outside_vpn extended permit ip host a.b.c.33 host a.b.c.25
"our local machine has a static route telling it that all traffic to the 66.66.66.0 subnet should route through the 192.168.0.254 gateway - which is the ASA 5505" and you have a route in t.u.v.4.
Nothing is wrong on your side. The remote admin should check:
* The match ACL
* Static entry
* Added route in d.e.f.xx
The following is the idle timeout of the tunnel specified in your default group policy. You can set it to a higher value; of course, the remote site has to do so also.
vpn-idle-timeout 30
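Added example (an editor's addition, not text from either post): the two settings in the posted configuration that decide how long a quiet L2L tunnel survives, shown as posted and as a practitioner would change them on ASA 7.2. Because the posted tunnel-group has no general-attributes section assigning its own group policy, DfltGrpPolicy is the policy that applies to the L2L tunnel. The peer address j.k.l.189 and the policy name come from the posted config; the dead-peer-detection threshold and retry values are assumptions.

```cisco
! --- As posted: the default group policy (which also governs the L2L
! --- tunnel-group, since none is assigned under its general-attributes)
! --- tears the tunnel down after 30 minutes without traffic.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
!
! --- Changed: no idle timeout for the tunnel, so a quiet period alone no
! --- longer drops the SA. A larger value in minutes is the alternative.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
!
! --- Added: ISAKMP dead-peer detection for this L2L peer, so a tunnel whose
! --- other end has gone away is detected and cleared instead of lingering
! --- as a half-dead SA that neither side can rebuild until it times out.
! --- The threshold and retry values (seconds) are assumptions, not values
! --- taken from the posted configuration.
tunnel-group j.k.l.189 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! --- Verify what is in effect after the change:
show running-config group-policy DfltGrpPolicy
show running-config tunnel-group j.k.l.189
show crypto isakmp sa
show crypto ipsec sa
```

Two caveats a practitioner would want here. First, the poster's once-a-minute ping keeps the tunnel up only because it originates on the ASA side, which is the side that can bring the tunnel up; lifting the idle timeout removes the need for that workaround, but it does nothing about the remote side's inability to initiate, which is what the reply's checklist (their match ACL, static entry and route for the a.b.c.25 to a.b.c.33 traffic) addresses. Second, the idle timeout is enforced independently on each peer, so the VPN 3000 side needs the same change or it will still drop the tunnel from its end, exactly as the reply says.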