Solved

L2TP fails after a few days but only for one remote branch office

Posted on 2008-10-08
8
819 Views
Last Modified: 2011-09-20
I spent all last week digging through articles here, Google, Cisco, etc. I found a lot of information - but none that really addresses my problem.

My Cisco ASA 5505 'terminates' - i.e. acts as the L2TP server (via RADIUS to an internal domain controller) for multiple remote access clients throughout the state. They all use Windows operating systems (usually XP Pro or Vista) and the native Windows L2TP capability.

Everything was running fine for at least two weeks, then the problem started. After an average of 2 days, all remote L2TP clients AT ONE SPECIFIC BRANCH OFFICE fail to connect. They receive the classic error "remote computer is not responding". During this time, I can see via ASA logs that the connection attempts reach the ASA and seem to complete the handshake as far as the ASA can tell. But the end result is a failed connection. Also, during this time, ANYONE else outside of that branch office - but just as remote - CAN in fact connect via L2TP.

A reload of the ASA gets everything working again for another couple of days then the problem starts again.

The two things that really bug me about it are (1) a reload of the ASA temporarily corrects the problem; and (2) it only affects one branch office. I have no administrative control over the branch office, and as such cannot manipulate their NetScreen firewall. They are a business-class DSL subscriber, and all outgoing connections to the internet all appear to be sourced from the same IP - not a proxy like some. Below is the 'scrubbed' config. Many thanks to anyone with advice.

sh run

: Saved
:
ASA Version 8.0(3)
!
hostname myhost
domain-name myhost.local
enable password blablabla encrypted
names
<a bunch of names>
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name myhost.local
same-security-traffic permit intra-interface
object-group network www-servers
 network-object host web035-out
 network-object host web036-out
 network-object host testserver-out
object-group icmp-type icmp-traffic
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object echo
access-list out-to-in extended permit icmp any any object-group icmp-traffic
access-list out-to-in extended permit tcp any object-group www-servers eq 3389
access-list out-to-in extended permit tcp any object-group www-servers eq www
access-list out-to-in extended permit tcp any object-group www-servers eq https
access-list inside-networks extended permit ip 192.168.1.0 255.255.255.0 any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 10000
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.2.50-192.168.2.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside-networks
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.2.0 255.255.255.0
static (inside,outside) web035-out web035-in netmask 255.255.255.255
static (inside,outside) web036-out web036-in netmask 255.255.255.255
static (inside,outside) testserver-out testserver-in netmask 255.255.255.255
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IAS protocol radius
aaa-server IAS host web035-in
 key jupiter
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http testserver-in 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 1.1.1.1 255.255.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value nrhosting.local
username user1 password blabla1 encrypted privilege 15
username user2 password blabla1 encrypted privilege 15
username user3 password blabla1 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authentication-server-group IAS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect sqlnet
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:<checksum>
: end

Question by:neilpage99
8 Comments
 
LVL 2

Expert Comment

by:olivierbreuer
Hello,

Can you please provide a "sh ver" output from the firewall ?

Which ASA version are you using? Is the ASA version the same as the VPN peer's?
Is the licensing the same as the VPN peer's?

Thanks,

Olivier
 
LVL 9

Author Comment

by:neilpage99
Here's my "sh ver"

fw1(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

fw1 up 1 day 23 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001f.ca7c.d878, irq 11
 1: Ext: Ethernet0/0         : address is 001f.ca7c.d870, irq 255
 2: Ext: Ethernet0/1         : address is 001f.ca7c.d871, irq 255
 3: Ext: Ethernet0/2         : address is 001f.ca7c.d872, irq 255
 4: Ext: Ethernet0/3         : address is 001f.ca7c.d873, irq 255
 5: Ext: Ethernet0/4         : address is 001f.ca7c.d874, irq 255
 6: Ext: Ethernet0/5         : address is 001f.ca7c.d875, irq 255
 7: Ext: Ethernet0/6         : address is 001f.ca7c.d876, irq 255
 8: Ext: Ethernet0/7         : address is 001f.ca7c.d877, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

Serial Number: blah blah blah
Running Activation Key: <some long key>
Configuration register is 0x1
Configuration has not been modified since last system restart.


This is a remote access style VPN - so no device (peer) on the other end, the clients are using native L2TP from their operating system, which is Win XP Pro and Vista 32-bit.
 
LVL 3

Expert Comment

by:leonjs
Have you tried reloading the ASA? There is a bug in the ASA version you have that causes this to happen. Check out this link; you will need to log in. It may or may not apply to your ASA, but if you reload both ASAs and it works then . .

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh48962
 
LVL 9

Author Comment

by:neilpage99
I don't have an account or SmartNet with Cisco so I can't log in.

I have read about L2L (Site-to-Site) VPNs needing their ASAs reloaded - but not where it refers to L2TP. Also, as I noted in my first post, this only affects hosts from one specific remote site. As this is a remote access style VPN, many hosts from different parts of the state are roaming and using the L2TP feature. When the problem occurs, it only affects hosts at one particular remote site.

Yes it is suspicious that rebooting the ASA fixes it temporarily. But it is equally suspicious that it only affects remote users in one particular location. In fact, when that particular location experiences this problem, other remote hosts are still able to connect without a problem.
 
LVL 3

Expert Comment

by:leonjs
*First I would update to the latest version of ASA, 8.0(4) [publicly available; there are newer releases but TAC has to offer it]. In the release notes there are a few patches/updates in the Remote Access area among other things.
*When I first experienced this issue I, like you, realized that some things worked and some things didn't for remote access. Very odd, and to make things more complicated my configurations were spot on. After speaking with TAC they said there isn't anything they can do but have a Senior Engineer have a look at the configurations and suggest a work around. That equals there is no solution. . .
*Since after rebooting the ASAs traffic works the way you want it to, the configuration is correct (remember the ASA either permits traffic or denies it; there's no in between).
Here is the output from the bug posting on Cisco's website.
I should also mention they claim it's been fixed but it really hasn't been. . .


****************************************************************************************************************************
Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI  
Symptom:

- Remote Access clients can successfully connect but not access resources on the internal network
- Packets destined for the remote side of an L2L tunnel are not being encrypted
- Traffic is not encrypted with correct SPI

Conditions:

- "show crypto ipsec sa" shows decrypts, but no encrypts
- "show asp table classify crypto" show multiple entries for traffic
- vpn-context from "show asp table vpn-context det" that matches asp table entry with hitcounts increasing has a SPI that isn't valid (it isn't found in "show crypto ipsec sa")
- vpn-context with valid SPI isn't used
- Packet capture on outside interface shows encrypted packets going to remote peer

Workaround:

- Reload the PIX/ASA
- Fixed by change for CSCsh66576. Refer to that bug number for availability.  
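One way to check for the "decrypts, but no encrypts" condition listed in the bug text above, as an added example that is not part of this thread: the script parses "show crypto ipsec sa" output and lists peers whose SA counters show decapsulation without any encapsulation. The sample output is constructed and modelled on the ASA format; the peer addresses and packet counters are made up.

```python
import re

# Constructed sample modelled on ASA "show crypto ipsec sa" output; the peer
# addresses (documentation ranges) and packet counters are made up.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 1.1.1.1

      current_peer: 203.0.113.5, username: user1
      dynamic allocated peer ip: 192.168.2.51

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412

      current_peer: 198.51.100.9, username: user2
      dynamic allocated peer ip: 192.168.2.52

      #pkts encaps: 977, #pkts encrypt: 977, #pkts digest: 977
      #pkts decaps: 1031, #pkts decrypt: 1031, #pkts verify: 1031
"""

PEER_RE = re.compile(r"^\s*current_peer:\s*([0-9.]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_ipsec_sa(text):
    """Map each peer address to its {'encaps': n, 'decaps': n} counters."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:  # a new per-peer block starts here
            current = m.group(1)
            peers[current] = {"encaps": 0, "decaps": 0}
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            peers[current][m.group(1)] = int(m.group(2))
    return peers


def one_way_peers(text):
    """Peers whose SA decrypts but never encrypts: the bug symptom quoted above."""
    return sorted(p for p, c in parse_ipsec_sa(text).items()
                  if c["decaps"] > 0 and c["encaps"] == 0)


if __name__ == "__main__":
    for peer in one_way_peers(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"{peer}: decrypts but no encrypts, check the asp table entries")
```

A hit here is only a symptom; the bug text says to confirm it against "show asp table classify crypto" and the vpn-context SPIs before blaming this defect rather than, say, a client-side NAT issue.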
 
LVL 3

Expert Comment

by:leonjs
CSCsh66576
 
LVL 3

Accepted Solution

by:
leonjs earned 500 total points
Problem: With roughly 1500 L2TP/IPSec sessions established, you may see cases when isolated clients can no longer connect to the ASA. The error on the client states: '678 unable to connect.'
Workaround: In such cases, you may need to reload the ASA.
 
LVL 9

Author Closing Comment

by:neilpage99
leonjs: while this doesn't exactly explain what I'm experiencing, it gets close and may be related. No one else has really tried, so thank you for the solution. The only thing that bugs me about it is - why are other hosts able to connect without issue while this one and only one remote location has trouble? A reload of the ASA allows that failing remote location to work again for a while - but they are the only ones that experience the failure. Anyway - I'll hunt for ver 8.0(4). Thanks again.