Suppression de VPN de site à site Cisco ASA

9

J'ai trois sites, Toronto (1.1.1.1), Mississauga (2.2.2.2) et San Francisco (3.3.3.3). Les trois sites ont l'ASA 5520. Tous les sites sont connectés ensemble avec deux liens VPN de site à site entre chaque emplacement.

Mon problème est que le tunnel entre Toronto et San Francisco est très instable, passant toutes les 40 minutes à 60 minutes. Le tunnel entre Toronto et Mississauga (qui est configuré de la même manière) est très bien sans gouttes.

J'ai également remarqué que mes pings avec goutte mais l'ASA pense que le tunnel est toujours en place et fonctionne.

Voici la configuration du tunnel.

Toronto (1.1.1.1)

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 3.3.3.3 
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

San Francisco (3.3.3.3)

crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set peer 1.1.1.1 
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Je suis à perte. Des idées?

Mise à jour:

# show crypto isakmp sa

 IKEv1 SAs:

    Active SA: 2
     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
 Total IKE SA: 2

 1   IKE Peer: 3.3.3.3
     Type    : L2L             Role    : initiator 
     Rekey   : no              State   : MM_ACTIVE 
 2   IKE Peer: 2.2.2.2
     Type    : L2L             Role    : responder 
     Rekey   : no              State   : MM_ACTIVE 

 There are no IKEv2 SAs



 # show crypto ipsec sa
 interface: Outside
     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
       current_peer: 74.200.4.148

       #pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
       #pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: EFADD3D6
       current inbound spi : 756AB014

     inbound esp sas:
       spi: 0x756AB014 (1969926164)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4372005/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xEFADD3D6 (4021146582)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4369303/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
       #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: D2002A5B
       current inbound spi : 2E1F7B20

     inbound esp sas:
       spi: 0x2E1F7B20 (773815072)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3224936/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xD2002A5B (3523226203)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (2120164/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
       #pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 45B5CECD
       current inbound spi : 862EB1DB

     inbound esp sas:
       spi: 0x862EB1DB (2251207131)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4318958/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x45B5CECD (1169542861)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4360717/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1

       access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
       current_peer: 3.3.3.3

       #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
       #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 6B0981E6
       current inbound spi : 2F85EB3C

     inbound esp sas:
       spi: 0x2F85EB3C (797305660)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3944948/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x6B0981E6 (1795785190)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (364451/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001
cisco  cisco-asa  cisco-vpn 
ScottAdair
source
Vous perdez des pings sur Internet public?
Jeremy
Non, le public va bien des deux endroits.
ScottAdair
2
À quoi ressemble la sortie show crypto isakmp saet à quoi show crypto ipsec saressemble le problème? Je suppose que vous effacez les SA pour y remédier, n'est-ce pas? Une raison particulière pour laquelle vous avez désactivé la détection des pairs morts? Et le dernier mais non le moindre: sur quelle version de code sont-ils?
Shane Madden
Tous les systèmes exécutent 8.4 (2) et ASDM 6.4 (5). Les sorties de commande sont ci-dessus. Le tunnel indique qu'il est en hausse, mais aucun trafic ne passe. Aucune raison particulière pour désactiver un pair mort, essayait simplement les choses cet après-midi.
ScottAdair
Intéressant, l'ASA de SF pense que le tunnel est en panne, mais l'ASA de TO pense qu'il est en place.
ScottAdair

Réponses:

1

Je pense que ce pourrait être la keepalive étant désactivée, s'il n'y a pas de trafic ou du trafic qui achemine d'une autre manière, cela peut entraîner la chute du tunnel à cause de l'inactivité. Essayez de supprimer le tunnel (clear isakmp sa $ PEERIP) sur la destination, puis exécutez le débogage sur la source et voyez s'il essaie de rétablir la connexion. http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#crypto_isakmp

chrisw9808
source
En utilisant notre site, vous reconnaissez avoir lu et compris notre politique liée aux cookies et notre politique de confidentialité.
Licensed under cc by-sa 3.0 with attribution required.