VPN dropping between Pix and Isa

Posted on 2009-04-28
Last Modified: 2012-08-14
Hello,

I have the following problem: a VPN is set up between two offices (Pix 506 to Isa 2006). I have followed these instructions:

http://technet.microsoft.com/en-us/library/cc302442.aspx

The VPN works fine for a while but then drops. It can be reset from the ISA side, but not from the Pix side. After a while it can be reset from the Pix side again. The setting that counts down on the Pix is in: sa timing: remaining key lifetime (k/sec): (91750/1267).

   local  ident (addr/mask/prot/port): (A/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (B/255.255.255.0/0/0)
   current_peer: FW-B:500
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 179753, #pkts encrypt: 179753, #pkts digest 179753
    #pkts decaps: 183514, #pkts decrypt: 183514, #pkts verify 183514
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 538, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: FW-B
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: ebed30c
     inbound esp sas:
      spi: 0xf0ffbdd(252705757)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 23, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (91750/1267)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xebed30c(247386892)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 24, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (99370/1267)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:


This sounds like a key lifetime issue, but I have compared all the settings and they seem to be the same.

Here is the config:

Pix:
crypto map outside_map 200 ipsec-isakmp
crypto map outside_map 200 match address outside_cryptomap_200
crypto map outside_map 200 set pfs group2
crypto map outside_map 200 set peer FW-B
crypto map outside_map 200 set transform-set ESP-3DES-SHA
crypto map outside_map 200 set security-association lifetime seconds 3600 kilobytes 100000

isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 28800

Isa:
Local Tunnel Endpoint:
Remote Tunnel Endpoint:

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret
    Security Association Lifetime: 28800 seconds


IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 3600 seconds

    Kbyte Rekeying: ON
    Rekey After Sending: 100000 Kbytes

Remote Network 'A to B' IP Subnets:
    Subnet: 192.168.25.0/255.255.255.0

Local Network 'Internal' IP Subnets:
    Subnet: 192.168.17.0/255.255.255.0

Local Network 'Perimeter' IP Subnets:
    Subnet: 172.16.0.0/255.255.255.0
    Subnet: 172.16.255.255/255.255.255.255

Routable Local IP Addresses:
    Subnet: 192.168.17.0/255.255.255.0

Thanks for any help!

Paul
Question by: P-R-W

Accepted Solution by: MikeKane
It sounds like the rekey times are different on each side where the ISA drops the connection, but the ASA does not.    Your configs look fine, the kb count and lifetime counts match up.    

You can try changing both sides to something other than 28800 and 100000 just to get away from the defaults. Try 19200 and 56000 just for a test and see if the issue continues.

With odd things like this, I usually delete the existing config on the ASA and just redo it.    

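An added example, not part of the question or of MikeKane's answer: a small Python script that does the comparison the asker did by hand. It normalizes the PIX `isakmp policy` / `crypto map` lines and the ISA parameter summary posted in the question into one vocabulary, lists every phase 1 or phase 2 setting that differs, and reads the `remaining key lifetime (k/sec)` counters from the `show crypto ipsec sa` output to tell whether the time limit or the volume limit will trigger the next rekey. The sample texts are copied from the question; the PIX phase 2 transform is taken from the show output because the `crypto ipsec transform-set` definition itself was not posted.

```python
"""Compare two IPsec peers' IKE/IPsec settings and read the live SA lifetime counters.
Added example, not code from the question or answer. The PIX config, PIX show output and
ISA summary are copied from the question; the PIX phase 2 transform is read from the show
output because the 'crypto ipsec transform-set' definition itself was not posted."""
import re

PIX_CONFIG = """
crypto map outside_map 200 set pfs group2
crypto map outside_map 200 set security-association lifetime seconds 3600 kilobytes 100000
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 28800
"""
PIX_SHOW_SA = """
     inbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (91750/1267)
     outbound esp sas:
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (99370/1267)
"""
ISA_CONFIG = """
IKE Phase I Parameters:
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret
    Security Association Lifetime: 28800 seconds
IKE Phase II Parameters:
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Security Association Lifetime: 3600 seconds
    Rekey After Sending: 100000 Kbytes
"""
# Both vendors' spellings are mapped onto the PIX keywords so the two dicts compare directly.
NORMALIZE = {"sha": "sha1", "esp-sha-hmac": "sha1", "esp-3des": "3des", "group2": "2",
             "group 2 (1024 bit)": "2", "pre-share": "psk", "pre-shared secret": "psk"}
ISA_KEYS = {"encryption": "encryption", "integrity": "hash", "diffie-hellman group": "group",
            "authentication method": "authentication", "rekey after sending": "kilobytes",
            "security association lifetime": "lifetime", "perfect forward secrecy": "pfs"}

def norm(value):
    value = value.strip().lower()
    return NORMALIZE.get(value, value)

def parse_pix(config, show_sa):
    """Phase 1 from the 'isakmp policy' lines, phase 2 from the crypto map plus live SA."""
    p1, p2 = {}, {}
    for line in config.splitlines():
        if m := re.match(r"isakmp policy \d+ (\S+) (.+)", line.strip()):
            p1[m.group(1)] = norm(m.group(2))
        elif m := re.match(r"crypto map \S+ \d+ set pfs (\S+)", line.strip()):
            p2["pfs"] = norm(m.group(1))
        elif m := re.search(r"lifetime seconds (\d+) kilobytes (\d+)", line):
            p2["lifetime"], p2["kilobytes"] = m.groups()
    m = re.search(r"transform: (\S+) (\S+)", show_sa)
    p2["encryption"], p2["hash"] = norm(m.group(1)), norm(m.group(2))
    return {"phase1": p1, "phase2": p2}

def parse_isa(text):
    """Read the 'Key: Value' lines under the two ISA phase headings."""
    out, cur = {"phase1": {}, "phase2": {}}, None
    for line in text.splitlines():
        if "Phase II" in line:
            cur = "phase2"
        elif "Phase I" in line:
            cur = "phase1"
        elif cur and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if k := ISA_KEYS.get(key.lower()):
                if k in ("lifetime", "kilobytes"):      # "28800 seconds" -> "28800"
                    val = re.match(r"\d+", val).group(0)
                out[cur][k] = norm(val)
    p2, group = out["phase2"], out["phase2"].pop("group", None)   # ISA: PFS flag + DH group
    p2["pfs"] = group if p2.get("pfs") == "on" else "off"
    return out

def compare(a, b):
    """(phase, key, a_value, b_value) for every setting that differs between the peers."""
    return [(ph, k, a[ph].get(k), b[ph].get(k)) for ph in ("phase1", "phase2")
            for k in sorted(set(a[ph]) | set(b[ph])) if a[ph].get(k) != b[ph].get(k)]

def sa_lifetimes(show_sa, lifetime_sec, lifetime_kb):
    """Per-direction SA counters, plus which limit rekeys first if the rate seen so far holds."""
    sas, direction = [], None
    for line in show_sa.splitlines():
        if m := re.match(r"(inbound|outbound) esp sas:", line.strip()):
            direction = m.group(1)
        elif (m := re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line)) and direction:
            kb_left, sec_left = int(m.group(1)), int(m.group(2))
            elapsed, used = lifetime_sec - sec_left, lifetime_kb - kb_left
            kb_rate = used / elapsed if elapsed else 0.0               # KB per second so far
            sec_to_kb_limit = kb_left / kb_rate if kb_rate else float("inf")
            sas.append({"direction": direction, "kb_left": kb_left, "sec_left": sec_left,
                        "elapsed_sec": elapsed, "used_kb": used,
                        "rekey_trigger": "seconds" if sec_left <= sec_to_kb_limit else "kilobytes"})
    return sas
```

On the settings posted above, `compare(parse_pix(PIX_CONFIG, PIX_SHOW_SA), parse_isa(ISA_CONFIG))` returns an empty list, which agrees with the asker's finding that both sides match; editing one value (say the ISA phase 2 lifetime to 1800 seconds) makes it return `("phase2", "lifetime", "3600", "1800")`. `sa_lifetimes(PIX_SHOW_SA, 3600, 100000)` shows the inbound SA has moved 8250 KB in 2333 seconds, so at that rate the 3600 second limit, not the 100000 KB limit, is what will drive the next rekey on both SAs. The caveat for this kind of problem is that identical lifetimes only mean both peers expire their SAs after the same interval; each side still counts from the moment it installed its own SA, so the check above rules out a configuration mismatch but not a peer that fails to renegotiate or to accept the other side's new SA when the timer fires.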