
CISCO ASA 5510 VPN Issue

Status
Not open for further replies.

CGNWHS

IS-IT--Management
Sep 25, 2008
We have an ASA 5510 set up with 3 site-to-site tunnels. 2 of the 3 work great and we have no problems sending data back and forth. The third, however, seems to not be working correctly.

The third tunnel is a tunnel to another company which also uses an ASA 5510; they are using the latest IOS (8.x) for it and we are one full version behind (7.0(7)). We have the tunnel open for two servers: A & B. A is on our side, B is on theirs. We use a program that sends HL7 data between the two servers. After 56 minutes the connection between the two servers gets killed and then starts right back up again, only to be killed after 56 minutes again. I noticed in the ASA logs the tunnel is getting reset with "Reason: IPSec SA Idle Timeout". What is strange though is this is happening at night when NO real data is being transmitted. Also, my SA timeout is set to the default 86400 seconds. Any suggestions?

Much Appreciated!

-CGNWHS
 
I scrubbed out the other tunnels and changed external IPs to **.

ASA Version 7.0(7)
!

dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ** 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!

time-range M-Sat5ato9p
periodic Monday Tuesday Wednesday Thursday Friday Saturday 5:00 to 20:59
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00


access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.0.19 host 172.16.142.20
access-list inside_nat0_outbound extended permit ip host 192.168.0.19 host 172.16.142.3
access-list inside_nat0_outbound extended permit ip host 192.168.0.37 host 172.16.142.20
access-list inside_nat0_outbound extended permit ip host 192.168.0.37 host 172.16.142.3

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_cryptomap_42 extended permit ip host 192.168.0.19 host 172.16.142.20
access-list outside_cryptomap_42 extended permit ip host 192.168.0.19 host 172.16.142.3
access-list outside_cryptomap_42 extended permit ip host 192.168.0.37 host 172.16.142.20
access-list outside_cryptomap_42 extended permit ip host 192.168.0.37 host 172.16.142.3

pager lines 24
logging enable
logging timestamp
logging buffer-size 5120
logging asdm-buffer-size 200
logging buffered warnings
logging trap informational
logging asdm warnings
logging mail emergencies
logging facility 16
logging host inside 192.168.0.11
logging host inside 192.168.0.99
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
ip audit name IDS attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2150 disable
asdm image disk0:/asdm-507.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 192.168.101.0 255.255.255.0 192.168.0.254 1
route inside 192.168.5.0 255.255.255.0 192.168.0.254 1
route inside 192.168.8.0 255.255.255.0 192.168.0.254 1
route inside 192.168.1.0 255.255.255.0 192.168.0.252 1
route inside 192.168.2.0 255.255.255.0 192.168.0.252 1
route inside 192.168.3.0 255.255.255.0 192.168.0.253 1
route inside 192.168.4.0 255.255.255.0 192.168.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 42 match address outside_cryptomap_42
crypto map outside_map 42 set peer **
crypto map outside_map 42 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp nat-traversal 300


tunnel-group ** type ipsec-l2l
tunnel-group ** ipsec-attributes
pre-shared-key *

telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 8
ssh version 2
console timeout 15
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
: end

 
Yeah, I'm not seeing anything... try posting in the ASA forum... sorry...

Burt
 
Thanks. The crappy part is I can't post the other guy's configuration. I am going to see if I can get a scrubbed version of it.


 
I wonder if these have anything to do with it...

dhcpd lease 3600
dhcpd ping_timeout 50

Burt
 
I wouldn't think so because we aren't using DHCP. Those are just the defaults I believe...
 
Crap---was thinking remote access vpn with dynamically assigned addresses...sorry...been having bouts of cranial rectumitis all day...I need a drink...glad it's Friday (of course in our world, that doesn't mean much...lol).

Burt
 
Alright, here is what you do:

1. Issue a "show run all"; this will display even default configured items.

2. Look under the tunnel group in question and see what default group policy it is tied to.

3. Look at that default group and see what its idle time is set to, as the default is 30 mins.
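The three steps above, as an added example that is not part of the thread (and not Cisco's code): a Python script that takes the text of `show run all` (or `show run all group-policy` plus `show run all tunnel-group` to narrow it), maps each `ipsec-l2l` tunnel-group to its `default-group-policy`, and reports the effective `vpn-idle-timeout`. It also emits the 7.x-style fix, a dedicated group policy with `vpn-idle-timeout none` bound to the peer's tunnel-group, rather than editing DfltGrpPolicy, which every other tunnel-group (remote-access ones included) inherits from. The `show run all` excerpt is constructed, and the peer addresses, policy names and the exact ASA 7.x command syntax are assumptions to check against your own box.

```python
"""Audit ASA 'show run all' output for the idle timeout that tears down
site-to-site IPsec SAs ("Reason: IPSec SA Idle Timeout").

Added example for this thread, not code from the original post.  It applies
the three steps from the last reply: read 'show run all', map each ipsec-l2l
tunnel-group to its default group policy, then read that policy's
vpn-idle-timeout.  Peer addresses, policy names, the sample dump and the
ASA 7.x command syntax are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed excerpt of 'show run all' output (not from the real firewall).
# 'show run all' prints defaults, so DfltGrpPolicy shows its 30-minute idle
# timeout even though nobody configured it explicitly.
SAMPLE_SHOW_RUN_ALL = """\
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
group-policy L2L-PARTNER internal
group-policy L2L-PARTNER attributes
 vpn-idle-timeout none
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key *
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 general-attributes
 default-group-policy L2L-PARTNER
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key *
"""

DEFAULT_POLICY = "DfltGrpPolicy"       # inherited by any tunnel-group without its own
ASA_DEFAULT_IDLE_MINUTES = 30          # ASA default when nothing is configured
_POLICY_ATTR = re.compile(r"^group-policy (\S+) attributes$")
_TG_TYPE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
_TG_GENERAL = re.compile(r"^tunnel-group (\S+) general-attributes$")


def parse_idle_timeouts(text: str) -> Dict[str, Optional[int]]:
    """Map each group-policy name to its vpn-idle-timeout in minutes (None = 'none')."""
    timeouts: Dict[str, Optional[int]] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):            # top-level line: opens or closes a section
            m = _POLICY_ATTR.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] == "vpn-idle-timeout":
            timeouts[current] = None if parts[1] == "none" else int(parts[1])
    return timeouts


def parse_l2l_policies(text: str) -> Dict[str, str]:
    """Map each ipsec-l2l tunnel-group (keyed by peer address) to its default group policy."""
    l2l_peers = set()
    policies: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            m = _TG_TYPE.match(line)
            if m and m.group(2) == "ipsec-l2l":
                l2l_peers.add(m.group(1))
            m = _TG_GENERAL.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] == "default-group-policy":
            policies[current] = parts[1]
    # No explicit default-group-policy means the tunnel-group uses DfltGrpPolicy.
    return {peer: policies.get(peer, DEFAULT_POLICY) for peer in l2l_peers}


def audit(text: str) -> List[dict]:
    """One finding per L2L tunnel whose effective idle timeout is finite (will tear down)."""
    timeouts = parse_idle_timeouts(text)
    inherited = timeouts.get(DEFAULT_POLICY, ASA_DEFAULT_IDLE_MINUTES)
    findings = []
    for peer, policy in sorted(parse_l2l_policies(text).items()):
        idle = timeouts.get(policy, inherited)   # policy without the attribute inherits
        if idle is not None:
            findings.append({"peer": peer, "policy": policy, "idle_minutes": idle})
    return findings


def remediation(peer: str, policy_name: str) -> str:
    """ASA 7.x CLI (assumed syntax) pinning the peer to a dedicated policy with no
    idle timeout, so DfltGrpPolicy stays untouched for every other tunnel-group."""
    return "\n".join([
        f"group-policy {policy_name} internal",
        f"group-policy {policy_name} attributes",
        " vpn-idle-timeout none",
        f"tunnel-group {peer} general-attributes",
        f" default-group-policy {policy_name}",
    ])


if __name__ == "__main__":
    for f in audit(SAMPLE_SHOW_RUN_ALL):
        print(f"{f['peer']}: policy {f['policy']} idles out after {f['idle_minutes']} min")
        print(remediation(f["peer"], "L2L-NOIDLE"))
```

Feed it a saved copy of the real output; a peer reported with policy DfltGrpPolicy and 30 idle minutes is sitting on exactly the default the last reply describes, and the emitted commands are the usual way to exempt that one tunnel without changing what the other tunnel-groups inherit.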

 