Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2239
  • Last Modified:

Easy VPN connection problems to Cisco ASA 5505 on Comcast line.

We have a Cisco ASA 5505 on a new Comcast line that three other 5505's connect to via Easy VPN.  When this line gets flakey, it looks like the easy VPN connections stop sending data and the users cannot access anything over that VPN.  When I go to Monitoring > VPN statistics > sessions it shows that the Tx and Rx bytes are at 0.  If I click "Logout" to force the easy vpn connection to reconnect, the connection will come back and stay at 0 bytes.  This problem never occured on the old DSL line that never went down.  What do I need to do to make these VPN connections reliable even if the line goes down and comes back up?
0
OAC Technology
Asked:
OAC Technology
  • 2
1 Solution
 
cstosgaleCommented:
It sounds like you need to modify your dead peer detection settings. Can you post the config of the central ASA 5505 (masking passwords and IP addresses)
0
 
OAC TechnologyProfessional NerdsAuthor Commented:
domainVPN is the policy they use to connect



: Saved
:
ASA Version 8.0(3)
!
hostname domain
domain-name domain.com
enable password
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.89 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CST -6
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.17
 name-server 4.2.2.4
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service IMAP-SSL tcp
 description IMAP-SSL
 port-object range 993 993
object-group service JABBER-SSL tcp-udp
 description JABBER-SSL
 port-object range 5222 5223
object-group service POP3-SSL tcp
 description POP3-SSL
 port-object range 995 995
object-group service RDP tcp
 description RDP
 port-object range 3389 3389
object-group service foldershare
 service-object tcp eq www
 service-object tcp eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any host x.x.x.89 eq www
access-list outside_access_in extended permit tcp any host x.x.x.89 eq sqlnet
access-list outside_access_in extended permit tcp any host x.x.x.89 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.89 eq pptp
access-list outside_access_in extended permit tcp any host x.x.x.89 eq 6571
access-list outside_access_in extended permit tcp any host x.x.x.89 eq 8333
access-list outside_access_in extended permit tcp any host x.x.x.92 eq https
access-list outside_access_in extended permit tcp any host x.x.x.91 eq https
access-list outside_access_in extended permit tcp any host x.x.x.92 eq www
access-list outside_access_in extended permit tcp any host x.x.x.91 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.92 eq ssh
access-list outside_access_in extended permit tcp any host x.x.x.92 eq 3690
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.240
access-list VPNCilents_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VPNCilents_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_access_out extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp host 192.168.1.19 any eq 9100
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit icmp any any timestamp-request
access-list inside_access_in extended permit tcp any any eq sqlnet
access-list inside_access_in extended permit tcp host 192.168.1.134 any eq aol
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit tcp host 192.168.1.19 any eq pop3
access-list inside_access_in extended permit tcp any any eq 5003
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit icmp any any timestamp-reply
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq 5500
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit tcp any any eq 5900
access-list inside_access_in extended permit tcp any any eq 5901
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit tcp host 192.168.1.17 any eq 6571
access-list inside_access_in extended deny ip any host 17.149.160.54
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit object-group TCPUDP any any eq 1935
access-list inside_access_in extended permit tcp any any eq 40000
access-list inside_access_in extended permit tcp any any eq 40001
access-list inside_access_in extended permit tcp any any eq ftp-data
access-list domainVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.5 inactive
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.6 inactive
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.7 inactive
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.2 inactive
access-list global_mpc_1 extended permit tcp host 192.168.1.17 any eq https inactive
pager lines 24
logging enable
logging timestamp
logging list Syslog level notifications
logging trap informational
logging asdm informational
logging facility 22
logging host inside 192.168.1.17
logging flash-bufferwrap
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool 192.168.1.0 192.168.1.201-192.168.1.230 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attack attack action alarm
ip audit interface outside Attack
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.20 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.19 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.17 pptp netmask 255.255.255.255
static (inside,outside) tcp interface sqlnet 192.168.1.19 sqlnet netmask 255.255.255.255
static (inside,outside) tcp interface 6571 192.168.1.17 6571 netmask 255.255.255.255
static (inside,outside) tcp interface 8333 192.168.1.17 8333 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 https 192.168.1.28 https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 www 192.168.1.28 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 ssh 192.168.1.30 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 3690 192.168.1.30 3690 netmask 255.255.255.255
static (inside,outside) x.x.x.91 192.168.1.29 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.17
 key
aaa-server partnerauth protocol radius
aaa-server partnerauth host 192.168.1.20
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer y.y.y.6
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.20 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

priority-queue inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection statistics
group-policy VPNClients internal
group-policy VPNClients attributes
 wins-server value 192.168.1.20
 dns-server value 192.168.1.17
 vpn-simultaneous-logins 99
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCilents_splitTunnelAcl
 default-domain value domain.com
 nem enable
group-policy domainVPN internal
group-policy domainVPN attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value domainVPN_splitTunnelAcl
 nem enable
group-policy domainVPN_1 internal
group-policy domainVPN_1 attributes
 wins-server value 192.168.1.17
 dns-server value 192.168.1.17 192.168.1.25
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value domainVPN_splitTunnelAcl
 default-domain value domain.com
 user-authentication-idle-timeout none
 nem enable
username user1 password
username user1 attributes
 service-type remote-access
 memberof domainVPN
username domainVPN password encrypted privilege 0
username domainVPN attributes
 vpn-group-policy VPNClients
username user2 password encrypted
username user2 attributes
 service-type remote-access
tunnel-group y.y.y.6 type ipsec-l2l
tunnel-group y.y.y.6 ipsec-attributes
 pre-shared-key *
tunnel-group VPNClients type remote-access
tunnel-group VPNClients general-attributes
 address-pool VPNPool
 authentication-server-group RADIUS
 default-group-policy VPNClients
 dhcp-server 192.168.1.17
tunnel-group VPNClients ipsec-attributes
 pre-shared-key *
tunnel-group domainVPN type remote-access
tunnel-group domainVPN general-attributes
 address-pool VPNPool
 authentication-server-group RADIUS
 default-group-policy domainVPN_1
 dhcp-server 192.168.1.17
tunnel-group domainVPN ipsec-attributes
 pre-shared-key *
tunnel-group HWVpn type remote-access
tunnel-group HWVpn general-attributes
 address-pool VPNPool
 default-group-policy domainVPN_1
 dhcp-server 192.168.1.17
tunnel-group HWVpn ipsec-attributes
 pre-shared-key *
!
class-map foldershare2
 match access-list global_mpc_1
class-map type regex match-any JunkServices
class-map type inspect http match-all asdm_medium_security_methods
 match not request method head
 match not request method post
 match not request method get
class-map inspection_default
 match default-inspection-traffic
class-map Yahoo-MSN
 match default-inspection-traffic
class-map type inspect im match-any JunkClass
 match peer-login-name regex class JunkServices
 match login-name regex _default_msn-messenger
 match protocol msn-im yahoo-im
 match login-name regex class JunkServices
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im YahooMSNBlock
 parameters
 match protocol msn-im yahoo-im
  log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect pptp
  inspect icmp
  inspect ipsec-pass-thru
  inspect http
 class foldershare2
  police input 204500 25000
  police output 204500 25000
 class Yahoo-MSN
  inspect im YahooMSNBlock
policy-map type inspect http Low
 parameters
  protocol-violation action drop-connection
 match request uri regex _default_yahoo-messenger
  drop-connection log
 match request uri regex _default_GoToMyPC-tunnel
  drop-connection log
 match request uri regex _default_GoToMyPC-tunnel_2
  drop-connection log
 match request uri regex _default_aim-messenger
  drop-connection log
 match request uri regex _default_msn-messenger
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
 match request uri regex _default_shoutcast-tunneling-protocol
  drop-connection log
policy-map type inspect im MSNBlock
 parameters
 match protocol msn-im
  drop-connection log
policy-map type inspect im MessengerInspection
 parameters
 class JunkClass
  reset log
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a20c33f7e434c3a4dbea8d609206431
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

0
 
OAC TechnologyProfessional NerdsAuthor Commented:
Can anyone help with this?
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now