I have three sites, Toronto (1.1.1.1), Mississauga (2.2.2.2) and San Francisco (3.3.3.3). All three sites have an ASA 5520. All sites are connected together with two site-to-site VPN links between each location.
My problem is that the tunnel between Toronto and San Francisco is very unstable, dropping every 40 to 60 minutes. The tunnel between Toronto and Mississauga (which is configured the same way) is perfectly fine, with no drops.
I have also noticed that my pings drop, but the ASA thinks the tunnel is still up and working.
Here is the tunnel configuration.
Toronto (1.1.1.1)
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 3.3.3.3
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
San Francisco (3.3.3.3)
crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set peer 1.1.1.1
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
I'm at a loss. Any ideas?
Update:
# show crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
# show crypto ipsec sa
interface: Outside
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
current_peer: 74.200.4.148
#pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
#pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: EFADD3D6
current inbound spi : 756AB014
inbound esp sas:
spi: 0x756AB014 (1969926164)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4372005/17024)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEFADD3D6 (4021146582)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4369303/17024)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
#pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D2002A5B
current inbound spi : 2E1F7B20
inbound esp sas:
spi: 0x2E1F7B20 (773815072)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3224936/17000)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD2002A5B (3523226203)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (2120164/17000)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
#pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 45B5CECD
current inbound spi : 862EB1DB
inbound esp sas:
spi: 0x862EB1DB (2251207131)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4318958/16999)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x45B5CECD (1169542861)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4360717/16999)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1
access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
#pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6B0981E6
current inbound spi : 2F85EB3C
inbound esp sas:
spi: 0x2F85EB3C (797305660)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1245184, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3944948/12647)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x6B0981E6 (1795785190)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1245184, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (364451/12647)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
What do "show crypto isakmp sa" and "show crypto ipsec sa" look like while the problem is occurring? I assume you clear the SAs to fix it, right? Any particular reason you disabled dead peer detection? And last but not least: what code version are they on?
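A small offline check, added here and not part of the question or the reply, that automates what the comment above asks about: it parses "show crypto ipsec sa" output into per-peer packet counters, flags peers whose SA sends far more than it receives (the pattern of a tunnel the ASA still reports as up while pings drop), and lists the tunnel-groups where "isakmp keepalive disable" turns dead peer detection off. The sample output and config are constructed, with counters modelled on the ones in the question, and the 1.5 ratio threshold is an assumption.

```python
import re

# Constructed sample in the format of ASA "show crypto ipsec sa"; the 3.3.3.3 entry mimics the
# Toronto<->San Francisco symptom (far more packets encapsulated than decapsulated).
SAMPLE_IPSEC_SA = """\
    Crypto map tag: Outside_map, seq num: 3, local addr: 1.1.1.1
      current_peer: 2.2.2.2
      #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
      #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
    Crypto map tag: Outside_map, seq num: 1, local addr: 1.1.1.1
      current_peer: 3.3.3.3
      #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
      #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
"""
# Constructed sample of the tunnel-group part of a running-config.
SAMPLE_CONFIG = """\
tunnel-group 3.3.3.3 ipsec-attributes
 isakmp keepalive disable
tunnel-group 2.2.2.2 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
"""

def parse_ipsec_sa(text: str) -> list[dict]:
    """One dict per crypto map entry: map name, sequence number, peer and packet counters."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"Crypto map tag: (\S+), seq num: (\d+)", line):
            cur = {"map": m[1], "seq": int(m[2]), "peer": None, "encaps": 0, "decaps": 0}
            entries.append(cur)
        elif cur and (m := re.search(r"current_peer: (\S+)", line)):
            cur["peer"] = m[1]
        elif cur and (m := re.search(r"#pkts encaps: (\d+)", line)):
            cur["encaps"] = int(m[1])
        elif cur and (m := re.search(r"#pkts decaps: (\d+)", line)):
            cur["decaps"] = int(m[1])
    return entries

def suspect_tunnels(entries: list[dict], ratio: float = 1.5) -> list[str]:
    """Peers sending far more packets than they receive: a tunnel reported as up that drops pings."""
    return [e["peer"] for e in entries if e["decaps"] == 0 or e["encaps"] / e["decaps"] > ratio]

def tunnel_groups_without_dpd(config: str) -> list[str]:
    """Tunnel-groups with ISAKMP keepalives (dead peer detection) disabled: a dead peer's stale SA is never torn down."""
    names, cur = [], None
    for line in config.splitlines():
        if m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            cur = m[1]
        elif cur and line.strip() == "isakmp keepalive disable":
            names.append(cur)
    return names
```

Run it over the real "show crypto ipsec sa" and "show running-config" output after a drop, while the ASA still shows MM_ACTIVE, to see which peer is one-way.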