ASA site-to-site tunnel stops passing traffic for some subnets after a while

Hello

We have a really strange issue with site-to-site tunnels on several ASAs.

We run VPN tunnels between one small site and three larger ones.

The small site has an ASA 5505, the other three main sites have ASA 5510s.

One of the tunnels has been working for months without problems.

Each tunnel carries several class C networks.

Example, site A:

- 192.168.50.0/24 (called A1)

- 192.168.51.0/24 (called A2)

Site B:

- 192.168.60.0/24 (called B1)

- 192.168.61.0/24 (called B2)

On the two faulty tunnels, everything is fine at the beginning. After a few days (1-14) some networks stop working. For example, I can ping network B1 from both A1 and A2, but B2 only from A2. Pings from A1 to B2 time out. The site A ASA shows tx = 0 traffic for A1 <=> B2, but an increasing rx count. The site B ASA shows rx = 0 for B2 <=> A1 and an increasing tx count.

This happens unexpectedly after varying periods. Sometimes it hits the ASA at site B, where tx = 0; sometimes it is the ASA at site A.

I tried to fix it with the following commands:

clear crypto isakmp sa
clear crypto ipsec sa
clear xlate

but none of them worked. The only solution for now is to reboot the ASA whose tx counter shows 0. After the reboot everything works well for a while.

At one of the affected sites we have an ASA failover configuration. A failover to the standby device also solves the problem. But if I switch back to the old primary before rebooting it, the problem returns immediately.

I think it is not a configuration issue because:

- All tunnels are configured the same way, and one of them has been running for months without any problem

- Tunnels work for all subnet combinations after a reboot

- The problem occurs after varying and long periods of time. So I think the time between failures is too long to be caused by tunnel lifetimes, timeouts and so on.

All ASAs are running 9.1(5)21.

I have upgraded the firmware through several releases over the past few months and had the same problem with every version I tested.

So I hope someone else has had this problem and found a solution.

Christian

Hey! Did you manage to solve this or find the root cause?

Thank you

Tags: Cisco Security
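A check for the symptom described in the post, as an added example that is not part of the original thread: it parses two snapshots of "show crypto ipsec sa" taken a little apart and reports SAs whose packet counters move in only one direction (rx rising while tx stays put, or the reverse), which is exactly what the poster saw on the broken A1 <=> B2 pair. Two snapshots are used deliberately: a single reading with encaps = 0 could just be an SA that was cleared a moment ago or has no traffic. The sample output is constructed in the ASA's format with the subnets from the post; the peer and local addresses are documentation ranges, not anything from the thread.

```python
"""Spot one-way IPsec SAs in two snapshots of `show crypto ipsec sa` (ASA).

The symptom in the post is an SA whose decaps counter keeps rising while
encaps never moves: the peer sends, this side never encrypts back.
Comparing two snapshots avoids flagging an SA that is merely idle or was
just cleared (both counters sit at 0 in that case).
Added example, not code from the original post; the sample output below is
constructed in the ASA's format, with documentation-range addresses.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SaCounters:
    local: str    # proxy identity as printed, e.g. "192.168.50.0/255.255.255.0"
    remote: str
    encaps: int   # packets this ASA encrypted and sent (tx)
    decaps: int   # packets received and decrypted (rx)


_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text: str) -> dict[tuple[str, str], SaCounters]:
    """Map each (local, remote) selector pair to its counters."""
    sas = {}
    # Every SA block in the output starts with its "local ident" line.
    for block in re.split(r"(?=local ident)", text):
        idents = dict(_IDENT.findall(block))
        enc, dec = _ENCAPS.search(block), _DECAPS.search(block)
        if "local" in idents and "remote" in idents and enc and dec:
            sa = SaCounters(idents["local"], idents["remote"], int(enc[1]), int(dec[1]))
            sas[(sa.local, sa.remote)] = sa
    return sas


def one_way_sas(before: dict, after: dict) -> list[tuple[str, str, str]]:
    """Return (local, remote, problem) for SAs whose counters moved in one direction only."""
    found = []
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            continue  # SA appeared between snapshots; nothing to compare yet
        if new.decaps > old.decaps and new.encaps == old.encaps:
            found.append(key + ("no-tx",))  # peer sends, we never encrypt: the "tx = 0" ASA
        elif new.encaps > old.encaps and new.decaps == old.decaps:
            found.append(key + ("no-rx",))  # we send, nothing comes back: the "rx = 0" ASA
    return sorted(found)


def _sa_block(local: str, remote: str, encaps: int, decaps: int) -> str:
    """Constructed SA block: the lines the parser reads plus their usual neighbours."""
    return (
        f"      local ident (addr/mask/prot/port): ({local}/0/0)\n"
        f"      remote ident (addr/mask/prot/port): ({remote}/0/0)\n"
        f"      current_peer: 198.51.100.20\n\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n\n"
    )


# Subnets from the post; the A1<->B2 SA is the broken one (rx grows, tx stuck at 0).
A1, A2 = "192.168.50.0/255.255.255.0", "192.168.51.0/255.255.255.0"
B1, B2 = "192.168.60.0/255.255.255.0", "192.168.61.0/255.255.255.0"
_HEADER = "interface: outside\n    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10\n\n"
SNAPSHOT_T0 = _HEADER + _sa_block(A1, B1, 1000, 980) + _sa_block(A2, B2, 200, 195) + _sa_block(A1, B2, 0, 532)
SNAPSHOT_T1 = _HEADER + _sa_block(A1, B1, 1050, 1020) + _sa_block(A2, B2, 200, 195) + _sa_block(A1, B2, 0, 610)

if __name__ == "__main__":
    for local, remote, problem in one_way_sas(parse_ipsec_sa(SNAPSHOT_T0), parse_ipsec_sa(SNAPSHOT_T1)):
        print(f"{problem}: {local} <=> {remote}")
```

On a real box, save "show crypto ipsec sa" twice a minute apart (while pinging across the suspect pair) and feed both files to parse_ipsec_sa; a "no-tx" hit on one ASA should line up with a "no-rx" hit for the mirrored pair on the peer, which is the pattern the post describes.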

Similar Questions

  • The sides of my website layout are not aligned correctly - view this thread for a much better understanding!

    The sides of my website layout are not aligned correctly, and the image is slightly shifted upward.

    To understand better what I mean... first look at my site here: http://www.clanmog.hostei.com/ - I noticed that this problem only occurs in Firefox (to my knowledge) and not in Internet Explorer. IE does not have this problem, but Firefox does.

    Then look at this image: http://img261.imageshack.us/img261/7210/helpme.PNG

    How can I solve this problem?

    At a glance I'd say it's because you are clearing the middle divs but not the others. This changes the alignment calculations...

    Mylenium

  • Quiz slide answers not selectable for some users

    We have SCORM training content built with Captivate and published on our LMS (SAP Learning Solution). Some users are unable to answer the questions in the content. For these users the answers are locked and cannot be selected. In addition, the Submit and Clear buttons do not seem to appear.

    The problem affects about 10% of our users.

    This training contains content slides and quiz slides.

    problem_quiz_not_functionnal.jpg

    The content is published in SCORM 1.2 (SWF + HTML) with Adobe Captivate 5.5. We had the same problem for some users with the previous version of this training content, built with Captivate 4.

    All users have the same setup:

    Flash Player 10.3.183.11

    Internet Explorer 6

    Microsoft Windows XP

    Place a button on the first or second slide that the user has to click to go forward in the course. I usually place it on a slide that gives an overview of what the module will be about. Once the user has finished with the slide, they need to click this button to continue. The user is not aware that this button has a fixed score, and the fact that it has a score means Captivate treats it as part of the quiz, so the quiz scope begins at that point rather than at the first quiz question.

    Yes, you click the button, go to Properties > Reporting and select the check box to include it in the quiz.

  • Vista does not recognize my profile as an administrator for some things.

    I am trying to install a program, but Vista keeps saying that only an administrator can do that. My user profile is an administrator one. I do not have an administrator button to click on when I log in.

    See my response to your other post. With respect to the program, make sure that it is compatible with Vista by going to the program's site and looking at the system requirements. Make sure you have the latest version of the mystery program. If this program is compatible with Vista, right-click the installer (usually something like setup.exe if on a CD) and choose "Run as administrator". Provide the password/OK for the UAC dialog box and the installation should begin. MS-MVP - Elephant Boy Computers - Don't Panic!

  • How can I get rid of malware that does not let us go online for some reason? Our computer is useless at this point.

    My husband had opened an ad on Craigslist when a pop-up appeared on the screen alerting him to disable pop-up advertising software, with a 1-855-453-2*8 phone number. This pop-up keeps coming back and we cannot see anything online. Force Quit does not get rid of it. Any suggestions are welcome.

    Thank you

    Carol

    <personal information removed by the host>

    If you use Safari, you can launch it while holding the Shift key. This may also work in other web browsers. If that does not work, disconnect the computer from the Internet and close the tab that produced the pop-up.


  • WMP library does not show length or bit rate for some files

    I use WMP11 on XP Pro. I started copying old vinyl to the computer using Sound Forge Audio Studio 9 and saving the .wav files. The problem is that SOME of the recorded files appear in the WMP library with a blank length and "0 Kbps" as the bit rate (but they still play fine). There seems to be no rhyme or reason to it - today I copied an album with 10 tracks, and tracks 7 and 8 show a length, but the other tracks do not. In addition to the missing length and 0 bit rate, each of these files also seems to be displayed with an incorrect size in the library.

    When I view the file properties in Windows, they all look identical, with a bit rate of 1411 Kbps (everything else is the same too).

    Wait - it gets even stranger! I just copied this folder over the network to another XP computer with WMP11. The WMP library on that computer now displays tracks 1, 2 and 5 correctly, but all the others are wrong (including two tracks that showed correctly on the first computer). Note that these files have not changed in any way; I just copied them to the network location.

    Anyone know what is happening and how to fix it? Thanx

    In general, when I have seen errors like that it is because the information in the file was written to the file header in a non-standard way. I would try the freeware application Saver WAV, which is generally used to recover audio from damaged disks but also works well for correcting header errors in .wav audio files.

  • I inadvertently uninstalled the clock from my gadgets. How can I get it back? It is not in my Recycle Bin and, also, for some reason, a system restore to a point before the uninstall was still not successful.

    What is an "organization"?

    To restore the default gadgets, which include the clock, use the following steps:

    Right-click an empty area of the Windows Sidebar, and then click Properties
    Click Restore gadgets installed with Windows
    Click OK. Ramesh Srinivasan, Microsoft MVP [Windows Desktop Experience]

  • I'm not able to download the CS6 trial for some reason...

    It opens the Adobe AIR dialog box... I agree... and nothing happens. Any ideas? I cleared the history, temporary files and cookies and restarted the computer.

    Adobe Download Troubleshooting Wizard

    Mylenium

  • HP Connected Printables site does not work

    The HP Connected Printables site has not been working.

    It loads for a long time, then says "this page has a redirect loop".

    So I cannot get to the Printables site.

    I tried using Google Chrome, Safari and Opera, and none of them worked.

    This is my first time using Printables.

    Hi thirtyonem,

    Just to be sure, I checked the site - it opens fine. You have a problem with your internet connection. Just so that we're both on the same page, here is the intro page for HP Printables:

    http://support.HP.com/us-en/document/c03614219

    One thing you want to make sure of is that you have a web-connected printer. Yes, printer. Here is a list of printers that support HP Printables:

    http://support.HP.com/us-en/document/c02814760

    I hope this helps.

    I work on behalf of HP.

  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up between a dynamic IP and a static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access-list entries that are needed.

    I've also attached the ASA 5505 and ASA 5510 configs.

    This is the first time I've set up a VPN connection, so any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Looking at the Remote Site ASA configuration, you have not added the Central Site internal networks to the L2L VPN configuration at all, so the traffic does not go through the VPN.

    access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at the ACL configurations above. The "exempt" ACL is used in the NAT0 configuration and tells the ASA which traffic to exempt from NAT. The "outside_1_cryptomap" ACL is used to tell which traffic between the subnets should use the L2L VPN connection.

    So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the Remote Site LAN as the destination.

    The output of "show crypto ipsec sa" shows you that only the SA between the Central Site LAN and the Remote Site LAN was established. The others have not formed, as the configuration is lacking at LEAST on the Remote Site ASA. It could also be the Central Site.

    -Jouni

  • ASA ASA from Site to Site VPN IPSec Tunnel

    Any help would be greatly appreciated...

    I have two Cisco ASA devices with a site-to-site IPsec VPN tunnel configured as follows:

    Site #1 - Cisco ASA running version 8.2(1) with an internal range of 10.0.0.x/24

    Site #2 - Cisco ASA running version 8.2(1) with an internal range of 10.1.1.x/24

    Site #1 is simple and has a dynamic NAT rule which translates everything inside to the outside (public) IP of the ASA.

    Internet access works fine from all workstations at this site. A static route is configured to send all traffic to an upstream public router.

    Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its inside IP address and 10.1.2.254/24 as its outside IP address. A dynamic NAT rule is configured to translate everything inside to the 10.1.2.254 (outside) address of the ASA. A default static route is then configured to send all traffic to a Draytek device on 10.1.2.253. This device then performs its own private-to-public NAT. Again, the Internet works fine for all hosts inside the Cisco ASA (10.1.1.x).

    The IPsec tunnel is created with the local and remote endpoint networks as above (10.0.0.x/24) and (10.1.1.x/24). The Draytek device at Site #2 is configured with a form of DMZ that essentially forwards ALL traffic directly to the outside interface of the ASA (10.1.2.254). The Phase 1 and Phase 2 negotiation of the tunnel completes correctly, and the tunnel is formed without any problem. However, no ICMP traffic passing between the networks completes, and the syslog reports the following:

    Site #1 -

    6  Jan 19 2011 15:27:21  302020  ZEFF-SB-01_LAN 1  10.1.1.51 0  Built outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1
    6  Jan 19 2011 15:27:23  302021  10.1.1.51 0  ZEFF-SB-01_LAN 1  Teardown ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1

    Site #2 -

    6  Jan 19 2011 15:24:47  302020  10.1.1.51 0  10.0.0.30 1  Built outbound ICMP connection for faddr 10.1.1.51/0 gaddr 10.1.1.51/0 laddr 10.0.0.30/1
    6  Jan 19 2011 15:24:49  302021  10.0.0.30 1  10.1.1.51 0  Teardown ICMP connection for faddr 10.1.1.51/0 gaddr 10.1.1.51/0 laddr 10.0.0.30/1

    It's the same for any kind of traffic passing over the tunnel. The ACL is configured to allow the LAN segments out to any destination. At this point I'm left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation on the DMZ host setting, it appears that with this parameter configured all traffic is simply forwarded to the given IP address (in this case, the outside interface of the Cisco ASA).

    Anyone can shed light on a possible cause of this problem?

    Thank you

    Nick

    Did you exempt the VPN traffic between 10.0.0 and 10.1.1 from being NATed on both ASAs?

    Please provide the following information:

    - tunnel configuration

    - show crypto isakmp sa

    - show crypto ipsec sa

    - ping from site 1 to site 2 through the tunnel

    - capture "show crypto ipsec sa" again

    - ping from site 2 to site 1 through the tunnel

    - capture "show crypto ipsec sa" again

    - both ASA configurations.

  • Easy VPN between two ASA 9.5 - Split tunnel does not

    Hi guys,

    We have set up a site-to-site VPN using the Easy VPN configuration between two ASAs running version 9.5(1). The tunnels are up and pings work between the sites. I also configured split tunneling for internet traffic under the group policy of the Easy VPN server ASA. But for some unknown reason all client-side internet traffic is still sent to the primary site. I have configured NAT exemption on both the server side and the client side. Please advise if there is any limitation in this setup.

    Thank you and best regards,

    Arjun T P

    I have the same issue and opened a support case.

    It's a bug in software 9.5.1. See bug CSCuw22886.

  • Internet access with VPN Client to ASA and full effect tunnel

    I'm trying to migrate our concentrator to our new ASA 5520s. The concentrator has been used only for VPN Client connections, and I have not had the easiest road. For some reason I can't access the internet through our corporate network when I use profiles with full tunneling.

    I've included the configuration file, with most public IP information and the site-to-site tunnels omitted. I left in all the relevant tunnel-group and group-policy settings concerning VPN client connectivity. The address range I use for VPN clients is 172.16.254.0/24. The group with which I'm trying to access the internet is "adsmgt", and the full tunnel to our network itself is fine.

    As always, any help is appreciated. Thank you!

    Hüseyin... good to see you back, bud. Yes, try these suggestions from Hüseyin... if those look OK, we'll try a different approach...

    I'm also thinking that, because it is a full tunnel (no split), the ASA has to hairpin the outbound internet traffic back out, so a "same-security-traffic permit intra-interface" statement should be needed... but Jim, start with Hüseyin's suggestions.

    Rgds

    Jorge

  • ASA to 1841 VPN Tunnel

    Hello

    I am trying to establish a site-to-site VPN tunnel between 2 offices. One office has a Cisco 1841 and the other a pair of ASA 5510s. I can get the tunnel to establish without problem. The problem is that traffic from the 1841 destined for the ASA will not be encrypted into this particular tunnel. I get decaps on the session, but no encaps. I've reconfigured the tunnel several times but keep getting the same result:

    Interface: FastEthernet0/1
    Session status: UP-ACTIVE
    Peer: 202.41.148.5 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 202.41.148.5
          Desc: (none)
      IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
              Capabilities:(none) connid:98 lifetime:23:45:02
      IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704

    Any suggestions would be greatly appreciated.

    Andy

    Your ACL 100 does not exempt traffic 192.168.5.0 -> 10.0.96.0 from the NAT process. Please add the line below above the permit statement and test again.

    access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

  • ASA 5510 VPN multiple tunnels through different interfaces

    Is it possible to create VPN tunnels on more than one interface of an ASA (specifically a 5510 with 8.4), or am I attempting the impossible?

    We have 2 public interfaces on our ASA connected to 2 different providers.

    We have working L2L tunnels from the ASA to remote offices through the interface that is our "primary" ISP and is also used as our default gateway for internet traffic.

    We are trying to set up a remote office to use our secondary connection for its tunnel (a high-traffic office that we would prefer to keep separate from the rest of our internet and VPN traffic).

    I can create the tunnel with the appropriate ACL for the tunnel traffic, crypto map, etc., put in place a static route to force the ASA to use the secondary interface for traffic destined for the remote gateway's public IP address, and when I'm done, traffic initiated by the remote site will cause the tunnel to negotiate and come up - I can see the tunnel in "show crypto ikev1 sa" as L2L responder MM_ACTIVE, and "show crypto ipsec sa" with the right destination and the correct local and remote identities for the interesting traffic, but the local ASA never tries to send traffic through the tunnel. If I use packet-tracer, it never shows a VPN being involved in the traffic from headquarters to the remote office, as if the ASA does not see this as traffic matching the VPN tunnel.

    If I take the exact same access-list and crypto map statements and change them to use the primary ISP connection (and, of course, change the IP the remote office connects to), then the connection works as expected.

    What am I missing?

    Here is a sample of the VPN configuration (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice, 192.168.3.0/24 is FieldOffice):

    access-list PUBLIC_B_map extended permit ip 192.168.0.0 255.255.254.0 192.168.3.0 255.255.255.0

    nat (Inside,PUBLIC_B) source static MainOffice MainOffice destination static FieldOffice FieldOffice

    crypto map PUBLIC_B_map 10 match address PUBLIC_B_map

    crypto map PUBLIC_B_map 10 set peer x.x.x.x

    crypto map PUBLIC_B_map 10 set ikev1 transform-set ESP-3DES-SHA

    crypto map PUBLIC_B_map interface PUBLIC_B

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group x.x.x.x ipsec-attributes

     ikev1 pre-shared-key *

    route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1

    If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the PUBLIC_B route statement and change the remote office to point to the IP address of PUBLIC, then everything works, so my access-list and crypto map statements must be correct.

    What I don't understand is why the head office ASA does not seem to recognize the interesting traffic for the tunnel when the tunnel is on the second ISP connection, but does when it is on the main ISP. There is no connectivity problem with ISP B - as mentioned, the tunnel will come up and negotiate properly when traffic is started from the remote office, but the main office traffic is never sent down the tunnel - it's as if the ASA does not think that traffic from 192.168.0.x to 192.168.3.x should go through the VPN.

    Any ideas?

    Hello

    I think your problem is that there is no route for the actual remote network behind the L2L VPN through the ISP B connection.

    You could try adding the following configuration:

    crypto map PUBLIC_B_map 10 set reverse-route

    This should automatically add a static route for all remote networks that are configured in the crypto ACL, through the ISP B interface/link.

    If this does not work, you can try to manually add a static route via the ISP B link/interface for all the remote L2L VPN networks in question, and then try again.

    The route to the remote VPN peer through ISP B is not enough on its own, to my knowledge.

    I would like to know if it works for you.

    It may be useful

    -Jouni
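A way to check the two points Jouni raises in his answers above (earlier in the thread: the crypto ACL and the NAT exemption must cover the same subnet pairs; here: every remote VPN network needs a route out the crypto-map interface unless "set reverse-route" is configured), as an added example that is not the thread's own code. It is a small lint script over a running-config excerpt, handling both the pre-8.3 "nat (inside) 0 access-list" exemption form and the 8.3+ twice-NAT identity form. The two configs embedded in it are constructed in the shape of the PUBLIC_B_map example above, with documentation addresses standing in for x.x.x.x and y.y.y.y; the second crypto-ACL line (192.168.4.0/24) is added only to exercise the NAT-exemption check.

```python
"""Lint an ASA L2L VPN config excerpt for two common mistakes:
  1. a crypto-ACL subnet pair with no matching NAT exemption, and
  2. a remote VPN network with no route out the crypto-map interface
     and no 'set reverse-route' on that crypto map entry.
Added example, not code from the thread; the configs below are constructed."""
import ipaddress
import re

Net = ipaddress.IPv4Network


def _net(addr: str, mask: str) -> Net:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_config(cfg: str) -> dict:
    """Collect ACLs, network objects, NAT exemptions, crypto maps and routes."""
    c = {"acls": {}, "objects": {}, "nat0": [], "twice_nat": [],
         "crypto": {}, "crypto_if": {}, "routes": []}
    cur_obj = None

    def entry(name, seq):  # crypto map entry record, created on first sight
        return c["crypto"].setdefault(name, {}).setdefault(seq, {"acl": None, "rri": False})

    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$", line):
            c["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"object network (\S+)$", line):
            cur_obj = m[1]
        elif (m := re.match(r"subnet ([\d.]+) ([\d.]+)$", line)) and cur_obj:
            c["objects"][cur_obj] = _net(m[1], m[2])
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            c["nat0"].append(m[1])                      # pre-8.3 NAT0 exemption ACL
        elif m := re.match(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            if m[1] == m[2] and m[3] == m[4]:           # 8.3+ identity (twice) NAT only
                c["twice_nat"].append((m[1], m[3]))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            entry(m[1], m[2])["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set reverse-route$", line):
            entry(m[1], m[2])["rri"] = True
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            c["crypto_if"][m[1]] = m[2]
        elif m := re.match(r"route (\S+) ([\d.]+) ([\d.]+) ([\d.]+)", line):
            c["routes"].append((m[1], _net(m[2], m[3])))
    return c


def _covered(src: Net, dst: Net, pairs) -> bool:
    """True if some exemption pair contains both sides (a wider exemption still counts)."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def lint_l2l(cfg: str) -> list[str]:
    """Return one finding per crypto-ACL pair that is not NAT-exempt or not routed."""
    c = parse_asa_config(cfg)
    exempt = [p for acl in c["nat0"] for p in c["acls"].get(acl, [])]
    exempt += [(c["objects"][a], c["objects"][b]) for a, b in c["twice_nat"]
               if a in c["objects"] and b in c["objects"]]
    findings = []
    for name, entries in c["crypto"].items():
        iface = c["crypto_if"].get(name)
        for seq, ent in sorted(entries.items()):
            for src, dst in c["acls"].get(ent["acl"], []):
                if not _covered(src, dst, exempt):
                    findings.append(f"{name} {seq}: {src} -> {dst} is in the crypto ACL but not NAT-exempt")
                routed = any(r_if == iface and dst.subnet_of(r_net) for r_if, r_net in c["routes"])
                if not routed and not ent["rri"]:
                    findings.append(f"{name} {seq}: no route to {dst} via {iface} and no reverse-route")
    return findings


# Constructed config in the shape of the thread's PUBLIC_B_map example (documentation addresses).
BROKEN = """
object network MainOffice
 subnet 192.168.0.0 255.255.254.0
object network FieldOffice
 subnet 192.168.3.0 255.255.255.0
access-list PUBLIC_B_map extended permit ip 192.168.0.0 255.255.254.0 192.168.3.0 255.255.255.0
access-list PUBLIC_B_map extended permit ip 192.168.0.0 255.255.254.0 192.168.4.0 255.255.255.0
nat (Inside,PUBLIC_B) source static MainOffice MainOffice destination static FieldOffice FieldOffice
crypto map PUBLIC_B_map 10 match address PUBLIC_B_map
crypto map PUBLIC_B_map 10 set peer 203.0.113.40
crypto map PUBLIC_B_map interface PUBLIC_B
route PUBLIC 0.0.0.0 0.0.0.0 192.0.2.1 1
route PUBLIC_B 203.0.113.32 255.255.255.224 198.51.100.1 1
"""
# Same config with Jouni's fix applied and the missing exemption added.
FIXED = BROKEN + """
object network FieldOffice2
 subnet 192.168.4.0 255.255.255.0
nat (Inside,PUBLIC_B) source static MainOffice MainOffice destination static FieldOffice2 FieldOffice2
crypto map PUBLIC_B_map 10 set reverse-route
"""

if __name__ == "__main__":
    for finding in lint_l2l(BROKEN):
        print(finding)
```

The route check treats a default route as covering a remote network only when it leaves via the crypto-map interface, which is the situation in the thread: the default route points at PUBLIC, the tunnel hangs off PUBLIC_B, so without reverse-route injection the ASA forwards 192.168.3.x traffic out PUBLIC and never consults the PUBLIC_B crypto map. The exemption check accepts a wider exemption (for instance a /16 covering a /24 pair), which is what the 10.182.0.0 line in the earlier answer's "exempt" ACL does.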
