Status: Solved

IPSEC VPN Tunnel

Hi,

I am getting VPN issues with some of my static VPNs which terminate on my Cisco ASA firewall.

It's almost as if the tunnels time out or something....

I can get these tunnels to work again when I open the ASDM (GUI) and choose the "logout" option for a particular VPN tunnel.

Is this to do with idle timeout or re-key stuff?

Can anyone advise me how to stop this from happening?

Thanks.
Asked by: Thirst4Knowledge

1 Solution

MikeKane commented:
Your assumption is correct. Usually, when a VPN tunnel dies but one side of the tunnel "thinks" it is still open, it is a rekey issue.

On the ASAs the settings are kept in the crypto map setup, i.e.

crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000

Without knowing your other device, I couldn't point you in the right direction. But the same settings would be configurable on that device somewhere.

Thirst4Knowledge (Author) commented:
Hi Mike,

Thanks for your reply.

This sounds promising. FYI, the device on the other side is a Draytek.

I will change the settings and monitor the connectivity and hopefully get back to you with good news and some lovely points :P

Thirst4Knowledge (Author) commented:
I'm going to ask another question about VPNs.... do you know anything about hairpinning?

I will post this in another question, but it would be good to know if you were familiar with it, as I want to do something that is not strictly hairpinning. Basically, instead of having all VPN tunnels able to talk to each other, I would like one tunnel to have access to all other tunnels but not the other way around. Basically a one-to-many relationship.

I'm thinking that I could do an access list to allow this and have been looking at ways to do it without making a long-arse config.

Thanks
MikeKane commented:
Sounds like you need a VPN filter ACL.

You would set up all VPNs with full access. Then you apply a VPN-FILTER (basically an access list with different syntax) to the tunnel.

So the crypto and NONAT for the tunnel would catch the entire subnet. Then apply the filter on top of the tunnel to do normal access list stuff, like let host A talk to host B on TCP 80 and deny all else.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thirst4Knowledge (Author) commented:
Thanks Mike, will look into it and get back to you.

Thirst4Knowledge (Author) commented:
The Draytek offers you these choices:
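An added configuration example of the layout Mike describes (broad crypto and NONAT ACLs, with a vpn-filter doing the host-level policy); it is mine, not from the thread or from the Cisco document linked above. The addresses (10.1.1.0/24 local, 10.2.2.0/24 remote, peer 203.0.113.5), the ACL, group-policy and transform-set names, and the pre-shared key are placeholders, and the NAT exemption uses the pre-8.3 syntax consistent with the 7.x ASA code assumed later in the thread.

```cisco
! Added example, not configuration from the thread. All names and addresses are placeholders.
!
! 1. Crypto ACL and the matching NAT exemption stay broad: whole subnet to whole subnet.
access-list VPN-TO-SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. The vpn-filter ACL. It is written from the REMOTE side's point of view:
!    source = remote host/network, destination = local host/network.
!    Here remote host B (10.2.2.20) may reach local host A (10.1.1.10) on TCP 80 only.
!    The final deny is implicit anyway; the explicit line just gives a hit counter.
access-list SITEB-VPN-FILTER extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 80
access-list SITEB-VPN-FILTER extended deny ip any any
!
! 3. Attach the filter through a group policy bound to the tunnel group.
group-policy SITEB-GP internal
group-policy SITEB-GP attributes
 vpn-filter value SITEB-VPN-FILTER
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy SITEB-GP
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
!
! 4. Crypto map entry for the peer (transform-set name is a placeholder).
crypto map mymap 5 match address VPN-TO-SITEB
crypto map mymap 5 set peer 203.0.113.5
crypto map mymap 5 set transform-set ESP-3DES-SHA
!
! Verify: the filter is bound to the group policy, and denied flows show up as hits
! on the deny line.
show running-config group-policy SITEB-GP
show access-list SITEB-VPN-FILTER
```

The rule that trips people up is the direction: a vpn-filter ACL is always written with the remote end as source and the local end as destination, and the ASA applies it to connections in both directions by swapping the fields for outbound ones. To let local host A open connections to remote host B on port 80 instead, the permit line becomes `permit tcp host 10.2.2.20 eq 80 host 10.1.1.10`. For the one-to-many layout from the earlier question, traffic between two tunnels additionally needs `same-security-traffic permit intra-interface` so that it can re-enter the outside interface (hairpinning), and the vpn-filter on each tunnel's group policy is evaluated for that traffic as well.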

IKE Phase 1 key lifetime

IKE Phase 2 key lifetime

So I can't see where I can match these up with the ASA:

crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000

I also wonder, if I set up a keep-alive on either side, would that help, or is that unrelated?

Thanks
MikeKane commented:
Does the Draytek offer a kilobyte lifetime setting? If not, you may want to give their tech support a call to find out the default value and match that to the ASA. If the Draytek does not track KBs, then set the ASA to '0' for unlimited.

As far as the key lifetimes, set everything to 28800 for now. Just make sure all timers match.
Thirst4Knowledge (Author) commented:
Excellent suggestions.

Thanks
Thirst4Knowledge (Author) commented:
I have come across a stumbling block :/

When trying to set the traffic volume to "0" I get an error message saying:

"The traffic volume must be between 10 and 2147483647"

Damn it! Just when I thought it was going to be easy :s

Thirst4Knowledge (Author) commented:
Do I need to change something in my IKE policies? But I guess this will affect all my other VPN tunnels :s
MikeKane commented:
I took a guess that you were running at least 7.x of the ASA code.

The Cisco command reference gives you the defaults:
The default number of kilobytes is 4,608,000; the default number of seconds is 28,800.

So I would wager the ASA default might match the Draytek default. So in the ASA, just remove the kilobyte count command by putting "no" in front of the command.

Try it that way.  

Thirst4Knowledge (Author) commented:
Can I change this for the individual tunnel? I don't want to make a global change, as all the other tunnels seem to be working OK.

If so, what is the command?
MikeKane commented:
Yes, you can change this per tunnel.

Look at your crypto map commands.... You should have a crypto map entry that matches the addresses of the remote subnet, with a priority number in front of it, i.e. "crypto map mymap 5 set security-association lifetime kilobytes 4608000". Just put a "no" in front of that command to negate it, i.e. "no crypto map mymap 5 set security-association lifetime kilobytes 4608000".
Thirst4Knowledge (Author) commented:
Keano,

Thanks for this, much appreciated indeed. I am away at the moment and won't be able to get cracking with this until I get back. It looks like just the trick!!

Look forward to getting back to you with the good news :)
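Pulling together the advice in this thread (match the Draytek's phase 1 and phase 2 lifetimes, keep the change to one crypto map entry, and negate the kilobyte lifetime with "no"), here is an added configuration example; it is mine, not from the thread or from Cisco. The map name mymap, sequence number 5, peer 203.0.113.5, and the ACL and transform-set names are placeholders, and the syntax is the ASA 7.x/8.0-8.3 style assumed above (on 8.4 and later the phase 1 policy lives under `crypto ikev1 policy`).

```cisco
! Added example, not configuration from the thread. Names and addresses are placeholders.
!
! Phase 1 (IKE SA) lifetime: this is the value the Draytek calls "IKE Phase 1 key lifetime".
! isakmp policies are global, so this applies to every peer that negotiates policy 10.
isakmp policy 10 lifetime 28800
!
! Phase 2 (IPsec SA) lifetime for this one crypto map entry only; this is the value the
! Draytek calls "IKE Phase 2 key lifetime". Other entries of mymap are untouched.
crypto map mymap 5 match address VPN-TO-DRAYTEK
crypto map mymap 5 set peer 203.0.113.5
crypto map mymap 5 set transform-set ESP-3DES-SHA
crypto map mymap 5 set security-association lifetime seconds 28800
!
! The Draytek has no kilobyte-based rekey, so remove the per-entry kilobyte lifetime from
! this entry. The entry then inherits the global value instead of carrying its own.
no crypto map mymap 5 set security-association lifetime kilobytes 4608000
!
! Verify: per-entry lifetimes are visible in the running config, and the negotiated
! values (remaining seconds and kilobytes until the next rekey) in the SA status.
show running-config crypto map
show crypto ipsec sa peer 203.0.113.5
```

With the per-entry kilobyte command removed, entry 5 falls back to the global `crypto ipsec security-association lifetime kilobytes` value, whose default is the 4,608,000 quoted above, so the other tunnels see no change. The ASA will not accept 0 for this value (the accepted range is 10 to 2147483647, which is the error message reported earlier), so matching defaults rather than disabling the byte counter is the practical route. After the next rekey, `show crypto ipsec sa` reports the remaining seconds and kilobytes of each SA, which is the quickest way to confirm that both ends are counting down from the same values.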
MikeKane commented:
I believe my answers were exactly correct.