Solved
Cisco ASA VPN Duplicate entry

Posted on 2014-03-15
Last Modified: 2014-03-18
I am required to set up an L2L VPN tunnel on our ASA firewall to a 3rd party that we need to access for administration (they won't set up a remote access one). This needs to be accessible by engineers in the field, so I have set up a remote access VPN for our engineers to connect to our firewall; these then have access (hairpinning) over the L2L VPN to the 3rd party.

The firewalls are ASAs at both ends (I've no access to the 3rd party's ASA); ours is running 9.1(4).

The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional it is only ever initiated from our end.

The engineers' remote access VPNs connect without problem.

However there is a strange issue with the L2L VPN which I can’t find the cause of.

The first time the L2L VPN is accessed (after an ASA reboot, or after it's been left for a day or so) all is well: a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up and they can access the remote equipment no problem.

However, when the remote access user disconnects and the L2L tunnel is left unused, it drops after approx. 30 mins. If a user then tries to connect again soon after, it won't bring the L2L tunnel up.

(I thought it might be a bug but I’ve tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions).

A debug of what happens when a remote access VPN user tries to bring the L2L VPN up is below:

ASA# debug crypto ike-common 255
ASA# debug crypto ipsec 255
ASA# debug crypto ikev2 prot 255
ASA# debug crypto ikev2 plat 255
ASA#
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager


The VPN settings for the L2L VPN and remote access VPN from our ASA are shown below.

Site-to-site tunnel VPN settings:

same-security-traffic permit intra-interface

object network Remote-ASA
 host 217.x.x.x

object network RA-VPN-local
 subnet 10.10.222.0 255.255.255.0

object network Remote-servers
 subnet 10.200.222.0 255.255.255.0

access-list Security-ACL extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0
access-list Security-ACL extended permit ip 10.200.222.0 255.255.255.0 10.10.222.0 255.255.255.0

access-list Interesting-traffic extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map map002 3 match address Interesting-traffic
crypto map map002 3 set peer Remote-ASA
crypto map map002 3 set ikev2 ipsec-proposal AES256
crypto map map002 interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5      
 prf sha      
 lifetime seconds 28800

crypto ikev2 enable outside

group-policy L2L-policy internal
group-policy L2L-policy attributes
 vpn-filter value Security-ACL
 vpn-tunnel-protocol ikev2

tunnel-group 217.x.x.x type ipsec-l2l
tunnel-group 217.x.x.x general-attributes
 default-group-policy L2L-policy
tunnel-group 217.x.x.x ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


Remote access VPN settings:

ip local pool pool-4 10.10.222.1-10.10.222.100 mask 255.255.255.0

access-list Split_Tunnel standard permit 10.200.222.0 255.255.255.0

crypto ipsec ikev1 transform-set anno3DESSHA esp-3des esp-sha-hmac

crypto dynamic-map anno 10 set pfs group1
crypto dynamic-map anno 10 set ikev1 transform-set anno3DESSHA
crypto dynamic-map anno 10 set security-association lifetime seconds 3600
crypto dynamic-map anno 10 set security-association lifetime kilobytes 4608000

crypto map map002 70 ipsec-isakmp dynamic anno
crypto map map002 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2      
 lifetime 86400

group-policy RA-VPN-Group internal
group-policy RA-VPN-Group attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel

tunnel-group RA-VPN-Tunnel type remote-access
tunnel-group RA-VPN-Tunnel general-attributes
 address-pool pool-4
 authentication-server-group RAD LOCAL
 default-group-policy RA-VPN-Group
tunnel-group RA-VPN-Tunnel ipsec-attributes
 ikev1 pre-shared-key *****


Can anyone give me some clues?
Question by:nappyshock
Accepted Solution

by:
asavener earned 2000 total points
ID: 39934517
I think you need crypto isakmp disconnect-notify in the configuration on both ends.

You might also try crypto isakmp invalid-spi-recovery, but I think that's only on IOS routers.
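To make the accepted answer concrete, here is the setting it recommends placed alongside the poster's own L2L tunnel-group, followed by the show/clear commands I would use to confirm the fix and to recover a stuck tunnel without a reboot. This is an added example, not configuration from the thread or from the answerer; the peer address and names are copied from the question, and the 3rd party has to add the same global command on their ASA for notifications to flow in both directions.

```text
! Global setting from the accepted answer: on tunnel teardown the ASA sends
! an IKE delete notification to the peer, so the peer removes its own SAs
! instead of keeping a stale entry that later blocks a new negotiation
! ("Duplicate entry already in Tunnel Manager" in the debug).
crypto isakmp disconnect-notify

! Unchanged from the question. Note that "threshold infinite" disables DPD on
! this tunnel-group, so this side learns about a torn-down peer only from
! the delete notification above.
tunnel-group 217.x.x.x ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

! Verify the global setting took and watch the SA state while a remote access
! user triggers the tunnel.
show running-config crypto
show crypto ikev2 sa
show crypto ipsec sa peer 217.x.x.x
show vpn-sessiondb l2l

! Manual recovery if the stale entry is present before the fix is applied:
! clearing the IKEv2 and IPsec SAs for the peer lets the next interesting
! packet renegotiate cleanly.
clear crypto ikev2 sa
clear crypto ipsec sa peer 217.x.x.x
```

Two caveats of my own, not from the thread. First, the 30-minute drop the poster describes matches the ASA group-policy default `vpn-idle-timeout` of 30 minutes, which applies to L2L tunnels too; `vpn-idle-timeout none` under `group-policy L2L-policy attributes` would stop this side tearing the tunnel down for idleness, but that is an assumption about the cause and the thread did not test it. Second, the remote access side is left untouched here; its IKEv1 policy (3DES, SHA-1, DH group 2, PFS group 1) is weak by current standards and worth revisiting separately from this problem.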
Author Closing Comment

by:nappyshock
ID: 39937478
crypto isakmp disconnect-notify did the trick.

Thanks