ASA to ASA VPN timeouts

Asked by fgasimzade
Topics: VPN, Internet Protocol Security, Cisco
I have noticed the following problem: VPN connection stays active between two ASAs, but I cannot ping remote LAN until I clear crypto isakmp sa <ip address of remote vpn peer>. Only after that I can ping remote LAN again.

Peer1:
access-list 110 extended permit ip any any

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside-GYD
crypto map bank 10 match address 110
crypto map bank 10 set peer 10.254.17.26
crypto map bank 10 set transform-set myset
crypto map bank interface outside-bank
crypto map ganja 10 match address 110
crypto map ganja 10 set peer 10.254.17.18
crypto map ganja 10 set transform-set myset
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable outside-bank
crypto isakmp enable outside-GYD
crypto isakmp enable remote-access
crypto isakmp enable inside-Baku
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 214748364

tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.26 type ipsec-l2l
tunnel-group 10.254.17.26 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.18 type ipsec-l2l
tunnel-group 10.254.17.18 ipsec-attributes
 pre-shared-key *

Peer2:
access-list 110 extended permit ip any any
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.25
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside-Baku
crypto map lokbatan 10 match address 110
crypto map lokbatan 10 set peer 10.254.17.34
crypto map lokbatan 10 set transform-set myset
crypto map lokbatan interface outside-lokbatan
crypto isakmp identity address
crypto isakmp enable outside-Baku
crypto isakmp enable outside-lokbatan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 2147483640
tunnel-group 10.254.17.25 type ipsec-l2l
tunnel-group 10.254.17.25 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.34 type ipsec-l2l
tunnel-group 10.254.17.34 ipsec-attributes
 pre-shared-key *
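
An added example, not part of the original post or its answer: a small Python parser that pulls the ISAKMP policy and IPsec SA lifetime settings out of the two configurations above and lists where the peers differ. The function names are hypothetical and the sample input is a constructed excerpt of the posted lines; a listed difference is an item to review, not a diagnosis of the timeout.

```python
import re

# Constructed sample input: lifetime and ISAKMP policy lines copied from the two posted configs.
PEER1 = """\
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 214748364
"""
PEER2 = PEER1.replace("seconds 214748364", "seconds 28800") \
             .replace("kilobytes 214748364", "kilobytes 4608000") \
             .replace(" lifetime 214748364\n", " lifetime 2147483640\n")

SA_RE = re.compile(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")

def parse_crypto(config):
    """Return {setting: value} for global IPsec SA lifetimes and ISAKMP policy sub-commands."""
    settings, policy = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()  # the posted config has trailing spaces on some lines
        sa, pol = SA_RE.match(line), POLICY_RE.match(line)
        if sa:
            settings[f"ipsec sa lifetime {sa.group(1)}"] = sa.group(2)
            policy = None
        elif pol:
            policy = pol.group(1)
        elif policy and raw.startswith(" "):
            # Indented line belongs to the current ISAKMP policy, e.g. " hash md5".
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[f"isakmp policy {policy} {parts[0]}"] = parts[1]
        else:
            policy = None  # any other top-level line ends the policy block
    return settings

def diff_peers(a, b):
    """List (setting, peer1_value, peer2_value) for every setting that differs or is missing."""
    pa, pb = parse_crypto(a), parse_crypto(b)
    return [(k, pa.get(k), pb.get(k))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)]

if __name__ == "__main__":
    for setting, v1, v2 in diff_peers(PEER1, PEER2):
        print(f"{setting}: Peer1={v1} Peer2={v2}")
```
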