Solved

L2TP fails after a few days but only for one remote branch office

Posted on 2008-10-08
837 Views
Last Modified: 2011-09-20
I spent all last week digging through articles here, Google, Cisco, etc. I found a lot of information - but none that really addresses my problem.

My Cisco ASA 5505 'terminates' - i.e. acts as the L2TP server (via RADIUS to an internal domain controller) for multiple remote access clients throughout the state. They all use Windows operating systems (usually XP Pro or Vista) and the native Windows L2TP capability.

Everything was running fine for at least two weeks, then the problem started. After an average of 2 days, all remote L2TP clients AT ONE SPECIFIC BRANCH OFFICE fail to connect. They receive the classic error "remote computer is not responding". During this time, I can see via ASA logs that the connection attempts reach the ASA and seem to complete the handshake as far as the ASA can tell. But the end result is a failed connection. Also, during this time, ANYONE else outside of that branch office - but just as remote - CAN in fact connect via L2TP.

A reload of the ASA gets everything working again for another couple of days then the problem starts again.

The two things that really bug me about it are (1) a reload of the ASA temporarily corrects the problem; and (2) it only affects one branch office. I have no administrative control over the branch office, and as such cannot manipulate their NetScreen firewall. They are a business-class DSL subscriber, and all outgoing connections to the internet all appear to be sourced from the same IP - not a proxy like some. Below is the 'scrubbed' config. Many thanks to anyone with advice.

sh run
: Saved
:
ASA Version 8.0(3)
!
hostname myhost
domain-name myhost.local
enable password blablabla encrypted
names
<a bunch of names>
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name myhost.local
same-security-traffic permit intra-interface
object-group network www-servers
 network-object host web035-out
 network-object host web036-out
 network-object host testserver-out
object-group icmp-type icmp-traffic
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object echo
access-list out-to-in extended permit icmp any any object-group icmp-traffic
access-list out-to-in extended permit tcp any object-group www-servers eq 3389
access-list out-to-in extended permit tcp any object-group www-servers eq www
access-list out-to-in extended permit tcp any object-group www-servers eq https
access-list inside-networks extended permit ip 192.168.1.0 255.255.255.0 any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 10000
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.2.50-192.168.2.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside-networks
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.2.0 255.255.255.0
static (inside,outside) web035-out web035-in netmask 255.255.255.255
static (inside,outside) web036-out web036-in netmask 255.255.255.255
static (inside,outside) testserver-out testserver-in netmask 255.255.255.255
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IAS protocol radius
aaa-server IAS host web035-in
 key jupiter
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http testserver-in 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 1.1.1.1 255.255.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
 
threat-detection basic-threat
threat-detection statistics access-list
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value nrhosting.local
username user1 password blabla1 encrypted privilege 15
username user2 password blabla1 encrypted privilege 15
username user3 password blabla1 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authentication-server-group IAS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect sqlnet
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:<checksum>
: end

Question by:neilpage99
8 Comments
 
LVL 2

Expert Comment

by:olivierbreuer
ID: 22718489
Hello,

Can you please provide a "sh ver" output from the firewall?

Which ASA version are you using? Is the ASA version the same as the VPN peer's?
Is the licensing the same as the VPN peer's?

Thanks,

Olivier
0
 
LVL 9

Author Comment

by:neilpage99
ID: 22722832
Here's my "sh ver"

fw1(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

fw1 up 1 day 23 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001f.ca7c.d878, irq 11
 1: Ext: Ethernet0/0         : address is 001f.ca7c.d870, irq 255
 2: Ext: Ethernet0/1         : address is 001f.ca7c.d871, irq 255
 3: Ext: Ethernet0/2         : address is 001f.ca7c.d872, irq 255
 4: Ext: Ethernet0/3         : address is 001f.ca7c.d873, irq 255
 5: Ext: Ethernet0/4         : address is 001f.ca7c.d874, irq 255
 6: Ext: Ethernet0/5         : address is 001f.ca7c.d875, irq 255
 7: Ext: Ethernet0/6         : address is 001f.ca7c.d876, irq 255
 8: Ext: Ethernet0/7         : address is 001f.ca7c.d877, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

Serial Number: blah blah blah
Running Activation Key: <some long key>
Configuration register is 0x1
Configuration has not been modified since last system restart.


This is a remote access style VPN - so no device (peer) on the other end, the clients are using native L2TP from their operating system, which is Win XP Pro and Vista 32-bit.
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22750036
Have you tried reloading the ASA? There is a bug in the ASA version you have that causes this to happen. Check out this link; you will need to log in. It may or may not apply to your ASA, but if you reload both ASAs and it works then . .

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh48962
0
 
LVL 9

Author Comment

by:neilpage99
ID: 22750397
I don't have an account or SmartNet with Cisco so I can't log in.

I have read about L2L (Site-to-Site) VPNs needing their ASAs reloaded - but not where it refers to L2TP. Also, as I noted in my first post, this only affects hosts from one specific remote site. As this is a remote access style VPN, many hosts from different parts of the state are roaming and using the L2TP feature. When the problem occurs, it only affects hosts at one particular remote site.

Yes it is suspicious that rebooting the ASA fixes it temporarily. But it is equally suspicious that it only affects remote users in one particular location. In fact, when that particular location experiences this problem, other remote hosts are still able to connect without a problem.
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22751103
*First I would update to the latest version of ASA, 8.0(4) [publicly available; there are newer releases but TAC has to offer them]. In the release notes there are a few patches/updates in the Remote Access area, among other things.
*When I first experienced this issue I, like you, realized that some things worked and some things didn't for remote access. Very odd, and to make things more complicated my configurations were spot on. After speaking with TAC they said there isn't anything they can do but have a Senior Engineer have a look at the configurations and suggest a workaround. That equals there is no solution. . .
*Since after rebooting the ASAs traffic works the way you want it to, the configuration is correct (remember the ASA either permits traffic or denies it; there's no in between).
Here is the output from the bug posting on Cisco's website.
I should also mention they claim it's been fixed but it really hasn't been. . .


****************************************************************************************************************************
Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI  
Symptom:

- Remote Access clients can successfully connect but not access resources on the internal network
- Packets destined for the remote side of an L2L tunnel are not being encrypted
- Traffic is not encrypted with correct SPI

Conditions:

- "show crypto ipsec sa" shows decrypts, but no encrypts
- "show asp table classify crypto" show multiple entries for traffic
- vpn-context from "show asp table vpn-context det" that matches asp table entry with hitcounts increasing has a SPI that isn't valid (it isn't found in "show crypto ipsec sa")
- vpn-context with valid SPI isn't used
- Packet capture on outside interface shows encrypted packets going to remote peer

Workaround:

- Reload the PIX/ASA
- Fixed by change for CSCsh66576. Refer to that bug number for availability.  
0
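The bug text quoted above gives a concrete signature to look for: decrypts without encrypts in "show crypto ipsec sa", multiple entries for the same traffic in "show asp table classify crypto", and a vpn-context whose SPI does not appear in any IPsec SA yet keeps counting packets. The script below is an added example written for this page, not code from the thread or from Cisco; it parses constructed sample output that approximates the ASA 8.0 formats (the key=value vpn-context lines in particular are an assumption; adjust the regexes to the exact output of your unit) and reports each part of that signature per peer, so a reload is done on evidence rather than on a hunch.

```python
"""Flag the CSCsh48962 signature in ASA diagnostic output (added example)."""
import re
from collections import defaultdict

# Constructed sample of "show crypto ipsec sa" (approximates ASA 8.0 format; not
# from the asker's firewall). Peer 203.0.113.5 decrypts but never encrypts.
SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 1.1.1.1
      current_peer: 203.0.113.5, username: user1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify: 1532
      current outbound spi: 1A2B3C4D
    inbound esp sas:
      spi: 0x5E6F7081 (1584361601)
    outbound esp sas:
      spi: 0x1A2B3C4D (439041101)
      current_peer: 198.51.100.9, username: user2
      #pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
      #pkts decaps: 655, #pkts decrypt: 655, #pkts verify: 655
      current outbound spi: 77AA11BB
    inbound esp sas:
      spi: 0x0C0D0E0F (202182159)
    outbound esp sas:
      spi: 0x77AA11BB (2007371195)
"""

# Constructed "show asp table classify crypto": two encrypt entries for one peer.
SHOW_ASP_CLASSIFY_CRYPTO = """\
in  id=0xc9a1e8f0, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x0005d020, cs_id=0xc9a0b2a8, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=203.0.113.5, mask=255.255.255.255, port=0, dscp=0x0
in  id=0xc9a1f2c0, priority=70, domain=encrypt, deny=false
        hits=2210, user_data=0x0005d0a8, cs_id=0xc9a0b2a8, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=203.0.113.5, mask=255.255.255.255, port=0, dscp=0x0
in  id=0xc9a20410, priority=70, domain=encrypt, deny=false
        hits=812, user_data=0x0005d130, cs_id=0xc9a0b2a8, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=198.51.100.9, mask=255.255.255.255, port=0, dscp=0x0
"""

# Constructed, simplified "show asp table vpn-context detail" (assumed one
# key=value record per line). 0xDEADBEEF is the SPI no IPsec SA knows about.
SHOW_ASP_VPN_CONTEXT = """\
VPN CTX=0x0005d020 Peer IP=203.0.113.5 State=UP Flags=ENCR+ESP SPI=0x1A2B3C4D Pkts=0
VPN CTX=0x0005d0a8 Peer IP=203.0.113.5 State=UP Flags=ENCR+ESP SPI=0xDEADBEEF Pkts=2210
VPN CTX=0x0005d130 Peer IP=198.51.100.9 State=UP Flags=ENCR+ESP SPI=0x77AA11BB Pkts=812
"""


def parse_ipsec_sa(text):
    """One record per current_peer: encaps/decaps counters and every SPI listed."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.search(r"current_peer:\s*([0-9.]+)", line)
        if m:
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0, "spis": set()}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if (m := re.search(r"#pkts encaps:\s*(\d+)", line)):
            cur["encaps"] = int(m.group(1))
        if (m := re.search(r"#pkts decaps:\s*(\d+)", line)):
            cur["decaps"] = int(m.group(1))
        if (m := re.search(r"spi:\s*(?:0x)?([0-9A-Fa-f]+)", line)):  # covers "current outbound spi:" too
            cur["spis"].add(m.group(1).upper())
    return sas


def parse_classify(text):
    """Classify entries: direction, domain, hit count and destination IP."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(in|out)\s+id=(\S+?),.*domain=(\w+)", line)
        if m:
            cur = {"direction": m.group(1), "id": m.group(2), "domain": m.group(3), "hits": 0, "dst": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (m := re.search(r"hits=(\d+)", line)):
            cur["hits"] = int(m.group(1))
        if (m := re.search(r"dst ip=([0-9.]+)", line)):
            cur["dst"] = m.group(1)
    return entries


def parse_vpn_contexts(text):
    """vpn-context records: peer, SPI (upper-case hex) and packet count."""
    pat = re.compile(r"VPN CTX=(\S+).*Peer IP=([0-9.]+).*SPI=0x([0-9A-Fa-f]+).*Pkts=(\d+)")
    return [{"ctx": m.group(1), "peer": m.group(2), "spi": m.group(3).upper(), "pkts": int(m.group(4))}
            for m in map(pat.search, text.splitlines()) if m]


def find_bug_signature(sa_text, classify_text, ctx_text):
    """Return the three indicators the bug description lists, per peer."""
    sas = parse_ipsec_sa(sa_text)
    known_spis = set().union(*(s["spis"] for s in sas)) if sas else set()
    by_dst = defaultdict(list)
    for e in parse_classify(classify_text):
        if e["domain"] == "encrypt" and e["dst"]:
            by_dst[e["dst"]].append(e)
    return {
        # decrypts but no encrypts: return traffic never leaves the box
        "decrypt_only_peers": sorted(s["peer"] for s in sas if s["decaps"] > 0 and s["encaps"] == 0),
        # more than one encrypt classify entry for the same remote peer
        "duplicate_classify_dst": sorted(d for d, es in by_dst.items() if len(es) > 1),
        # a context still forwarding packets on an SPI absent from every IPsec SA
        "stale_contexts": [(c["peer"], c["spi"], c["pkts"])
                           for c in parse_vpn_contexts(ctx_text)
                           if c["pkts"] > 0 and c["spi"] not in known_spis],
    }


if __name__ == "__main__":
    for key, val in find_bug_signature(SHOW_CRYPTO_IPSEC_SA, SHOW_ASP_CLASSIFY_CRYPTO, SHOW_ASP_VPN_CONTEXT).items():
        print(f"{key}: {val}")
```

Feed it the three captures taken while the branch office is failing and again after a reload: if the affected peer shows up in all three lists before the reload and in none afterwards, the thread's diagnosis fits, and the evidence is worth keeping for a TAC case.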
 
LVL 3

Expert Comment

by:leonjs
ID: 22751106
CSCsh66576
0
 
LVL 3

Accepted Solution

by:
leonjs earned 1500 total points
ID: 22751109
Problem: With roughly 1500 L2TP/IPSec sessions established, you may see cases when isolated clients can no longer connect to the ASA. The error on the client states: '678 unable to connect.'
Workaround: In such cases, you may need to reload the ASA.

0
 
LVL 9

Author Closing Comment

by:neilpage99
ID: 31507547
leonjs:  while this doesn't exactly explain what I'm experiencing, it gets close and may be related. No one else has really tried, so thank you for the solution. The only thing that bugs me about it is - why are other hosts able to connect without issue while this one and only one remote location has trouble? A reload of the ASA allows that failing remote location to work again for a while - but they are the only ones that experience the failure. Anyway - I'll hunt for ver 8.0(4). Thanks again.
0
