  • Status: Solved

Cisco ASA VPN Duplicate entry

I am required to set up an L2L VPN tunnel on our ASA firewall to a 3rd party that we need to access for administration (they won't set up a remote access one). This needs to be accessible by engineers in the field, so I have set up a remote access VPN for our engineers to connect to our firewall; these then have access (hairpinning) over the L2L VPN to the 3rd party.

The firewalls are ASAs at both ends (I've no access to the 3rd party's ASA); ours is running 9.1(4).

The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional, it is only ever initiated from our end.

The engineers' remote access VPNs connect without problem.

However there is a strange issue with the L2L VPN which I can’t find the cause of.

The first time the L2L VPN is accessed (after an ASA reboot, or if it's left for a day or so) all is well: a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up and they can access the remote equipment with no problem.

However, when the remote access user disconnects and the L2L tunnel is left unused, it drops after approximately 30 minutes; if a user then tries to connect again soon after, it won't bring the L2L tunnel up.

(I thought it might be a bug, but I've tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions.)

A debug of what happens when a remote access VPN user tries to bring the L2L VPN up is below:

ASA# debug crypto ike-common 255
ASA# debug crypto ipsec 255    
ASA# debug crypto ikev2 prot 255
ASA# debug crypto ikev2 plat 255
ASA#
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager


The VPN settings for the L2L VPN and remote access VPN from our ASA are shown below.

Site-to-site tunnel VPN settings:

same-security-traffic permit intra-interface

object network Remote-ASA
 host 217.x.x.x

object network RA-VPN-local
 subnet 10.10.222.0 255.255.255.0

object network Remote-servers
 subnet 10.200.222.0 255.255.255.0

access-list Security-ACL extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0
access-list Security-ACL extended permit ip 10.200.222.0 255.255.255.0 10.10.222.0 255.255.255.0

access-list Interesting-traffic extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map map002 3 match address Interesting-traffic
crypto map map002 3 set peer Remote-ASA
crypto map map002 3 set ikev2 ipsec-proposal AES256
crypto map map002 interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5      
 prf sha      
 lifetime seconds 28800

crypto ikev2 enable outside

group-policy L2L-policy internal
group-policy L2L-policy attributes
 vpn-filter value Security-ACL
 vpn-tunnel-protocol ikev2

tunnel-group 217.x.x.x type ipsec-l2l
tunnel-group 217.x.x.x general-attributes
 default-group-policy L2L-policy
tunnel-group 217.x.x.x ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


Remote access VPN settings:

ip local pool pool-4 10.10.222.1-10.10.222.100 mask 255.255.255.0

access-list Split_Tunnel standard permit 10.200.222.0 255.255.255.0

crypto ipsec ikev1 transform-set anno3DESSHA esp-3des esp-sha-hmac

crypto dynamic-map anno 10 set pfs group1
crypto dynamic-map anno 10 set ikev1 transform-set anno3DESSHA
crypto dynamic-map anno 10 set security-association lifetime seconds 3600
crypto dynamic-map anno 10 set security-association lifetime kilobytes 4608000

crypto map map002 70 ipsec-isakmp dynamic anno
crypto map map002 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2      
 lifetime 86400

group-policy RA-VPN-Group internal
group-policy RA-VPN-Group attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel

tunnel-group RA-VPN-Tunnel type remote-access
tunnel-group RA-VPN-Tunnel general-attributes
 address-pool pool-4
 authentication-server-group RAD LOCAL
 default-group-policy RA-VPN-Group
tunnel-group RA-VPN-Tunnel ipsec-attributes
 ikev1 pre-shared-key *****


Can anyone give me some clues?
Asked by nappyshock
1 Solution
 
asavener commented:
I think you need crypto isakmp disconnect-notify in the configuration on both ends.

You might also try crypto isakmp invalid-spi-recovery, but I think that's only on IOS routers.
 
nappyshock (author) commented:
crypto isakmp disconnect-notify did the trick.

Thanks
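The fix asavener proposed and nappyshock confirmed, written out as an added example (this is not configuration from the original post or from Cisco documentation, and should be checked against the command reference for your release). `crypto isakmp disconnect-notify` makes the ASA send a delete notification to the peer when it tears a tunnel down, so the far end does not carry on holding a security association that this side has already forgotten; the accepted answer applies it on both ASAs. The `show` and `clear` commands are the checks a practitioner would run while the symptom is live: an IKEv2 SA still listed for the peer while new traffic cannot bring the tunnel up is the stale entry behind "Duplicate entry already in Tunnel Manager", and clearing it is the manual workaround until the notify fix is in place. The `vpn-idle-timeout none` line is optional and is my addition: the ASA's default idle timeout is 30 minutes, which lines up with the drop nappyshock observed, so disabling it keeps the L2L tunnel up between engineer sessions instead of relying on the teardown being signalled cleanly. The `217.x.x.x` peer is the redacted address from the post. One unrelated caveat: the remote access side in the posted config negotiates 3DES, SHA-1 and DH group 2 with PFS group 1, which are weak by current standards and worth revisiting even though they play no part in this problem.

```cisco
! Accepted answer: notify the peer when this ASA disconnects a tunnel.
! Configure on BOTH ends of the L2L tunnel.
crypto isakmp disconnect-notify

! Optional (added here, not in the original post): stop the default
! 30-minute idle timer from tearing the L2L tunnel down between sessions.
group-policy L2L-policy attributes
 vpn-idle-timeout none

! Checks while the tunnel is "stuck": is there still an SA for the peer
! even though traffic matching crypto map map002 seq 3 cannot bring it up?
show crypto ikev2 sa
show crypto ipsec sa peer 217.x.x.x
show vpn-sessiondb l2l

! Manual workaround: clear the stale SA so the next interesting packet
! starts a fresh IKEv2 negotiation.
clear crypto ipsec sa peer 217.x.x.x
clear crypto ikev2 sa
```

Run the `show` commands before and after a failed connection attempt: if the SA that appears before the attempt is the one still there after it, the tunnel manager is refusing to rebuild over an entry it believes is already live, which is exactly the debug output in the question.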
