Solved

Cisco ASA VPN Duplicate entry

Posted on 2014-03-15
Last Modified: 2014-03-18
I am required to set up an L2L VPN tunnel on our ASA firewall to a 3rd party that we need to access for administration (they won't set up a remote access one). This needs to be accessible by engineers in the field, so I have set up a remote access VPN for our engineers to connect to our firewall; these then have access (hairpinning) over the L2L VPN to the 3rd party.

The firewalls are ASAs at both ends (I've no access to the 3rd party's ASA); ours is running 9.1(4).

The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional, it is only ever initiated from our end.

The engineers' remote access VPNs connect without problem.

However there is a strange issue with the L2L VPN which I can’t find the cause of.

The first time the L2L VPN is accessed (after an ASA reboot, or after it's been left for a day or so) all is well: a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up, and they can access the remote equipment no problem.

However, when the remote access user disconnects and the L2L tunnel is left unused, it drops after approx. 30 mins; if a user then tries to connect again soon after, it won't bring the L2L tunnel up.

(I thought it might be a bug, but I've tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions.)

A debug of what happens when a remote access VPN user tries to bring the L2L VPN up is below:

ASA# debug crypto ike-common 255
ASA# debug crypto ipsec 255    
ASA# debug crypto ikev2 prot 255
ASA# debug crypto ikev2 plat 255
ASA# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager


The VPN settings for the L2L VPN and remote access VPN from our ASA are shown below.

Site-to-site tunnel VPN settings:

same-security-traffic permit intra-interface

object network Remote-ASA
 host 217.x.x.x

object network RA-VPN-local
 subnet 10.10.222.0 255.255.255.0

object network Remote-servers
 subnet 10.200.222.0 255.255.255.0

access-list Security-ACL extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0
access-list Security-ACL extended permit ip 10.200.222.0 255.255.255.0 10.10.222.0 255.255.255.0

access-list Interesting-traffic extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map map002 3 match address Interesting-traffic
crypto map map002 3 set peer Remote-ASA
crypto map map002 3 set ikev2 ipsec-proposal AES256
crypto map map002 interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5      
 prf sha      
 lifetime seconds 28800

crypto ikev2 enable outside

group-policy L2L-policy internal
group-policy L2L-policy attributes
 vpn-filter value Security-ACL
 vpn-tunnel-protocol ikev2

tunnel-group 217.x.x.x type ipsec-l2l
tunnel-group 217.x.x.x general-attributes
 default-group-policy L2L-policy
tunnel-group 217.x.x.x ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


Remote access VPN settings:

ip local pool pool-4 10.10.222.1-10.10.222.100 mask 255.255.255.0

access-list Split_Tunnel standard permit 10.200.222.0 255.255.255.0

crypto ipsec ikev1 transform-set anno3DESSHA esp-3des esp-sha-hmac

crypto dynamic-map anno 10 set pfs group1
crypto dynamic-map anno 10 set ikev1 transform-set anno3DESSHA
crypto dynamic-map anno 10 set security-association lifetime seconds 3600
crypto dynamic-map anno 10 set security-association lifetime kilobytes 4608000

crypto map map002 70 ipsec-isakmp dynamic anno
crypto map map002 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2      
 lifetime 86400

group-policy RA-VPN-Group internal
group-policy RA-VPN-Group attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel

tunnel-group RA-VPN-Tunnel type remote-access
tunnel-group RA-VPN-Tunnel general-attributes
 address-pool pool-4
 authentication-server-group RAD LOCAL
 default-group-policy RA-VPN-Group
tunnel-group RA-VPN-Tunnel ipsec-attributes
 ikev1 pre-shared-key *****


Can anyone give me some clues?
Question by: nappyshock
2 Comments
 

Accepted Solution

by: asavener
I think you need crypto isakmp disconnect-notify in the configuration on both ends.

You might also try crypto isakmp invalid-spi-recovery, but I think that's only on IOS routers.
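Below is an added example, not part of the original thread, showing the accepted fix applied to the L2L side of the configuration posted in the question. Object, ACL and tunnel-group names and the (still masked) peer address are taken from the post; the show and clear commands are standard ASA CLI for inspecting and clearing IKEv2/IPsec state. Lines beginning with "!" are annotations for the reader, not ASA commands. The DPD values are an assumption of mine and are shown as an option only; the thread confirms that crypto isakmp disconnect-notify on its own resolved the problem.

```cisco
! Added example (not from the original thread): the accepted fix applied to the
! posted L2L configuration. Names and the masked peer address are from the post;
! lines beginning with "!" are annotations for the reader, not ASA commands.

! --- Before (as posted): DPD is disabled on this tunnel-group, and nothing tells
!     the peer when this ASA tears the idle tunnel down, so the two ends can
!     disagree about whether the tunnel still exists.
tunnel-group 217.x.x.x ipsec-attributes
 isakmp keepalive threshold infinite

! --- After: send an IKE delete notification to the peer whenever an SA is torn
!     down. This is a global command, so it covers every IKE peer on this ASA;
!     the accepted answer asks for it on both ends of the L2L tunnel.
crypto isakmp disconnect-notify

! --- Optional (assumed values, not from the thread): re-enable DPD so a peer
!     that silently drops its side is noticed after roughly threshold + retry
!     seconds instead of never. threshold = seconds of silence before probing,
!     retry = seconds between probes.
tunnel-group 217.x.x.x ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! --- Verify after the change: exactly one IKEv2 SA to the peer, IPsec
!     encaps/decaps counters moving while a remote access user generates
!     traffic, and the L2L session visible in the session database.
show crypto ikev2 sa
show crypto ipsec sa peer 217.x.x.x
show vpn-sessiondb detail l2l

! --- Recover a tunnel that is already stuck in the "Duplicate entry already in
!     Tunnel Manager" state: drop the stale SAs, then send interesting traffic
!     (10.10.222.x -> 10.200.222.x) so the crypto map re-initiates cleanly.
!     Note: the first command clears ALL IKEv2 SAs on this ASA, not just this peer.
clear crypto ikev2 sa
clear crypto ipsec sa peer 217.x.x.x
```

The 30-minute drop described in the question matches the default vpn-idle-timeout of 30 minutes that an L2L tunnel inherits from DfltGrpPolicy when L2L-policy does not override it. If the intent is for the L2L tunnel to stay up permanently rather than be re-initiated on demand by remote access users, vpn-idle-timeout none under group-policy L2L-policy attributes would stop that idle teardown; that is a separate design choice from the notification fix above, which is what the thread confirms.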
 

Author Closing Comment

by: nappyshock
crypto isakmp disconnect-notify did the trick.

Thanks
