Solved

Cisco ASA VPN Duplicate entry

Posted on 2014-03-15
Last Modified: 2014-03-18
I am required to set up an L2L VPN tunnel on our ASA firewall to a 3rd party that we need to access for administration (they won't set up a remote access one). This needs to be accessible by engineers in the field, so I have set up a remote access VPN for our engineers to connect to our firewall; these then have access (hairpinning) over the L2L VPN to the 3rd party.

The firewalls are ASAs at both ends (I've no access to the 3rd party's ASA); ours is running 9.1(4).

The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional it is only ever initiated from our end.

The engineers remote access VPN’s connect without problem.

However there is a strange issue with the L2L VPN which I can’t find the cause of.

The first time the L2L VPN is accessed (after an ASA reboot, or after it's been left for a day or so) all is well: a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up and they can access the remote equipment no problem.

However, when the remote access user disconnects and the L2L tunnel is left unused, it drops after approx. 30 mins; if a user then tries to connect again soon after, it won't bring the L2L tunnel up.

(I thought it might be a bug but I’ve tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions).

A debug of what happens when a remote access VPN user tries to bring the L2L VPN up is below:

ASA# debug crypto ike-common 255
ASA# debug crypto ipsec 255    
ASA# debug crypto ikev2 prot 255
ASA# debug crypto ikev2 plat 255
ASA# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager


The VPN settings for the L2L VPN and remote access VPN from our ASA are shown below.

Site to Site tunnel VPN settings:

same-security-traffic permit intra-interface

object network Remote-ASA
 host 217.x.x.x

object network RA-VPN-local
 subnet 10.10.222.0 255.255.255.0

object network Remote-servers
 subnet 10.200.222.0 255.255.255.0

access-list Security-ACL extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0
access-list Security-ACL extended permit ip 10.200.222.0 255.255.255.0 10.10.222.0 255.255.255.0

access-list Interesting-traffic extended permit ip 10.10.222.0 255.255.255.0 10.200.222.0 255.255.255.0

nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map map002 3 match address Interesting-traffic
crypto map map002 3 set peer Remote-ASA
crypto map map002 3 set ikev2 ipsec-proposal AES256
crypto map map002 interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5      
 prf sha      
 lifetime seconds 28800

crypto ikev2 enable outside

group-policy L2L-policy internal
group-policy L2L-policy attributes
 vpn-filter value Security-ACL
 vpn-tunnel-protocol ikev2

tunnel-group 217.x.x.x type ipsec-l2l
tunnel-group 217.x.x.x general-attributes
 default-group-policy L2L-policy
tunnel-group 217.x.x.x ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


Remote access VPN settings:

ip local pool pool-4 10.10.222.1-10.10.222.100 mask 255.255.255.0

access-list Split_Tunnel standard permit 10.200.222.0 255.255.255.0

crypto ipsec ikev1 transform-set anno3DESSHA esp-3des esp-sha-hmac

crypto dynamic-map anno 10 set pfs group1
crypto dynamic-map anno 10 set ikev1 transform-set anno3DESSHA
crypto dynamic-map anno 10 set security-association lifetime seconds 3600
crypto dynamic-map anno 10 set security-association lifetime kilobytes 4608000

crypto map map002 70 ipsec-isakmp dynamic anno
crypto map map002 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2      
 lifetime 86400

group-policy RA-VPN-Group internal
group-policy RA-VPN-Group attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel

tunnel-group RA-VPN-Tunnel type remote-access
tunnel-group RA-VPN-Tunnel general-attributes
 address-pool pool-4
 authentication-server-group RAD LOCAL
 default-group-policy RA-VPN-Group
tunnel-group RA-VPN-Tunnel ipsec-attributes
 ikev1 pre-shared-key *****


Can anyone give me some clues?
Question by: nappyshock
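The debug output in the question shows the signature of this failure mode quite clearly: the interesting-traffic lookup reaches the matching crypto map entry (map002 3) every time, but the Tunnel Manager refuses to start a new IKEv2 negotiation because it still holds an entry for the peer from the tunnel that silently dropped. The following Python script is an added example, not part of the original question or of the accepted answer, that parses this kind of "debug crypto" output and flags crypto map entries that were matched but repeatedly refused as duplicates without a clean match in between. The first three attempts in the sample are the lines from the question; the fourth flow (10.10.222.5 to 10.50.1.10 matching map002 2) and the threshold of three refusals are constructed here to show that a healthy match is not reported.

```python
import re

# Constructed sample of ASA "debug crypto" output. The first three attempts are
# taken from the question above; the fourth flow (a match on map002 2 that is
# not refused) is constructed here to show that a healthy match is not flagged.
SAMPLE_DEBUG = """\
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:34 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.1, sport=3184, daddr=10.200.222.107, dport=47873
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-5: Checking crypto map map002 2: skipping because 5-tuple does not match ACL Manchester_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 3: matched.
Mar 15 17:37:40 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.10.222.5, sport=4001, daddr=10.50.1.10, dport=22
IPSEC(crypto_map_check)-5: Checking crypto map map002 1: skipping because 5-tuple does not match ACL Glasgow_VPN.
IPSEC(crypto_map_check)-3: Checking crypto map map002 2: matched.
"""

# One lookup = one flow that needs a tunnel; capture the endpoints for reporting.
LOOKUP_RE = re.compile(r"Looking for crypto map matching 5-tuple: .*saddr=(\S+), sport=\d+, daddr=(\S+), dport=\d+")
# The crypto map entry the lookup settled on.
MATCH_RE = re.compile(r"Checking crypto map (\S+) (\d+): matched\.")
# The Tunnel Manager refusing to start a negotiation for that entry.
DUP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \[IKE COMMON DEBUG\]Duplicate entry already in Tunnel Manager")


def parse_attempts(debug_text):
    """Walk the debug output and pair each crypto map match with whether the
    Tunnel Manager refused it as a duplicate. Returns one dict per lookup
    that reached a matching crypto map entry, in the order they appear."""
    attempts = []
    current = None
    for line in debug_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            current = {"saddr": m.group(1), "daddr": m.group(2),
                       "map": None, "seq": None, "refused_at": None}
            attempts.append(current)
            continue
        m = MATCH_RE.search(line)
        if m and current is not None:
            current["map"], current["seq"] = m.group(1), int(m.group(2))
            continue
        m = DUP_RE.match(line)
        if m and current is not None:
            current["refused_at"] = m.group(1)
    return [a for a in attempts if a["map"] is not None]


def find_stuck_entries(debug_text, threshold=3):
    """Group attempts by (crypto map, sequence) and report the entries that were
    refused at least `threshold` times in a row without a clean match between
    them, which is the symptom of a stale Tunnel Manager entry for the peer.
    Returns {(map, seq): [timestamps of the refusals]}."""
    streaks = {}
    for a in parse_attempts(debug_text):
        key = (a["map"], a["seq"])
        if a["refused_at"] is None:
            streaks[key] = []  # a clean match resets the streak for that entry
        else:
            streaks.setdefault(key, []).append(a["refused_at"])
    return {k: v for k, v in streaks.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (cmap, seq), stamps in find_stuck_entries(SAMPLE_DEBUG).items():
        print(f"crypto map {cmap} {seq}: {len(stamps)} refused attempts "
              f"({stamps[0]} .. {stamps[-1]})")
```

Run against the sample it reports only map002 3, with the three timestamps from the question; the constructed match on map002 2 is left alone because nothing refused it. Feeding it a longer capture (or the output of `show logging` with the IKE debugs enabled) gives a quick way to confirm that the peer is being refused rather than, say, never matching the crypto ACL, before reaching for a configuration change on either end.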
 
LVL 28

Accepted Solution by asavener (ID: 39934517)
I think you need crypto isakmp disconnect-notify in the configuration on both ends.

You might also try crypto isakmp invalid-spi-recovery, but I think that's only on IOS routers.

Author Closing Comment by nappyshock (ID: 39937478)
crypto isakmp disconnect-notify did the trick.

Thanks