Problema VPN IPSEC CON 2 FIREWALL ASA 5505

Cisco$ · ven 11 lug , 2008 3:21 pm

Salve a tutti!!!!!!!!

Ho un problema con una VPN ipsec tra due sedi.

ogni giorno mi cade la vpn, e ogni volta mi tocca uscire dal programma e collegarmi di nuovo per poter accedere al server.

sul server è installato windows server 2000 sui client ho windows xp o 2000 professional.

la cosa strana quando la vpn cade, riesco a pingare sia il firewall che il router dove si bloccano gli utenti.

ho anche il log degli errori che mi da il firewall quando perde la vpn:

sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: list VPN, 235366 messages logged
Monitor logging: disabled
Buffer logging: list VPN, class vpn, 235366 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, class vpn, 363561 messages logged
D R-U-THERE (seq number 0x5eea10d5)
%ASA-7-715036: Group = 81.117.204.66, IP = 81.117.204.66, Sending keep-alive of
type DPD R-U-THERE-ACK (seq number 0x5eea10d5)
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing blank has
h payload
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing qm hash p
ayload
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE SENDING Message (msgid=83e4774) wi
th payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE RECEIVED Message (msgid=c155b7fc)
with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
%ASA-7-715047: Group = 81.117.204.66, IP = 81.117.204.66, processing hash payloa
d
%ASA-7-715047: Group = 81.117.204.66, IP = 81.117.204.66, processing notify payl
oad
%ASA-7-715075: Group = 81.117.204.66, IP = 81.117.204.66, Received keep-alive of
type DPD R-U-THERE (seq number 0x5eea10d6)
%ASA-7-715036: Group = 81.117.204.66, IP = 81.117.204.66, Sending keep-alive of
type DPD R-U-THERE-ACK (seq number 0x5eea10d6)
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing blank has
h payload
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing qm hash p
ayload
% = 81.117.204.66, IP = 81.117.204.66, Received keep-alive of type DPD R-U-THERE
(seq number 0x5eea10da)
%ASA-7-715036: Group = 81.117.204.66, IP = 81.117.204.66, Sending keep-alive of
type DPD R-U-THERE-ACK (seq number 0x5eea10da)
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing blank has
h payload
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing qm hash p
ayload
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE SENDING Message (msgid=29b4e40b) w
ith payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
R-U-THERE (seq number 0x5eea10d7)
%ASA-7-715036: Group = 81.117.204.66, IP = 81.117.204.66, Sending keep-alive of
type DPD R-U-THERE-ACK (seq number 0x5eea10d7)
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing blank has
h payload
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing qm hash p
ayload
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE SENDING Message (msgid=7839b956) w
ith payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE RECEIVED Message (msgid=c99b6cf0)
with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
%ASA-7-715047: Group = 81.117.204.66, IP = 81.117.204.66, processing hash payloa
d
%ASA-7-715047: Group = 81.117.204.66, IP = 81.117.204.66, processing notify payl
oad
%ASA-7-715075: Group = 81.117.204.66, IP = 81.117.204.66, Received keep-alive of
type DPD R-U-THERE (seq number 0x5eea10d8)
%ASA-7-715036: Group = 81.117.204.66, IP = 81.117.204.66, Sending keep-alive of
type DPD R-U-THERE-ACK (seq number 0x5eea10d8)
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing blank has
h payload
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing qm hash p
ayload
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE SENDING Message (msgid=461e6ee4) w
ith payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE RECEIVED Message (msgid=c00b7354)
with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
%ASA-7-715047: Group = 81.117.204.66, IP = 81.117.204.66, processing hash payloa
d
%ASA-7-715047: Group = 81.117.204.66, IP = 81.117.204.66, processing notify payl
oad
%ASA-7-715075: Group = 81.117.204.66, IP = 81.117.204.66, Received keep-alive of
type DPD R-U-THERE (seq number 0x5eea10d9)
%ASA-7-715036: Group = 81.117.204.66, IP = 81.117.204.66, Sending keep-alive of
type DPD R-U-THERE-ACK (seq number 0x5eea10d9)
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing blank has
h payload
%ASA-7-715046: Group = 81.117.204.66, IP = 81.117.204.66, constructing qm hash p
ayload
%ASA-7-713236: IP = 81.117.204.66, IKE_DECODE SENDING Message (msgid=4f880712) w
ith payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

Wizard · ven 11 lug , 2008 5:19 pm

DPD sta x Death Peer Detection, in sostanza uno dei 2 x poco va giù...
Non è un problema di FW ma di:

1) linea internet
2) router internet
3) connessione tra router e ASA

Controlla anche come è impostato il isakmp keepalive x quella vpn

Cisco$ · ven 11 lug , 2008 5:49 pm

Si ti posto la configurazione dell'ASA che da gli errori:

domain-name default.domain
enable password 0NjRwmAHetszWiXd encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.227.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 88.41.126.86 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd RLPMUQ26KL4blgFN encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 151.99.125.2
name-server 151.99.125.3
domain-name default.domain
access-list inside_nat0_outbound extended permit ip 192.168.227.0 255.255.255.0
192.168.225.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.227.0 255.255.255.0 1
92.168.225.0 255.255.255.0
pager lines 24
logging enable
logging list VPN level debugging class vpn
logging list VPN message 101002
logging console VPN
logging buffered VPN
logging asdm informational
logging flash-bufferwrap
logging class vpn buffered debugging asdm debugging
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.227.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 81.117.204.66
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.227.0 255.255.255.0 inside
telnet 192.168.225.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 151.99.125.2
dhcpd lease 806000
dhcpd auto_config outside
!
dhcpd address 192.168.227.101-192.168.227.140 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tunnel-group 81.117.204.66 type ipsec-l2l
tunnel-group 81.117.204.66 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:b2bc504a4a04e231ad35017bdeb9b45c

e questa la conf. del router 1841 connesso a questo firewall:

Using 1849 out of 196600 bytes
!
! Last configuration change at 16:34:26 UTC Thu Jul 10 2008 by service
! NVRAM config last updated at 16:35:28 UTC Thu Jul 10 2008 by service
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Autoshop_Salerno_VPN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 045A06090B791D04
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
username service password 7 045A06090B791D
!
!
!
interface FastEthernet0/0
description data ist 4 sett 2007
ip address 88.41.126.81 255.255.255.248
duplex auto
speed auto
no keepalive
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
ip address 88.39.246.221 255.255.255.252
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
!
ip route 0.0.0.0 0.0.0.0 ATM0/0/0.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
banner motd ^CCCCCCC#

^C
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
end

Fammi sapere.

Grazie

Cisco$ · ven 11 lug , 2008 7:38 pm

Poi un altra cosa strana che ho notato, quando non c'è traffico tra le due sedi la vpn sui firewall si spegne, per poi riaccendersi se uno prova a fare un telnet o un ping o a collegarsi al programma.

Può darsi che manca un comando sul firewall per far si che la VPN rimanga sempre su?

Cosa ne pensi?

Il problema che ho principalmente è proprio questo.

RJ45 · sab 12 lug , 2008 8:45 am

Cisco$ ha scritto:Poi un altra cosa strana che ho notato, quando non c'è traffico tra le due sedi la vpn sui firewall si spegne, per poi riaccendersi se uno prova a fare un telnet o un ping o a collegarsi al programma.

E' normale!

If no traffic has passed through the tunnel during the entire life of the SA, a new SA is not negotiated when the lifetime expires. Instead, a new SA will be negotiated only when IPsec sees another packet that should be protected.

Cisco$ · sab 12 lug , 2008 9:14 am

Si ma cosi mi tocca di nuovo collegarmi al programma.

xchè mi dà errore connessione con il server.

non credo sia normale.

RJ45 · sab 12 lug , 2008 12:49 pm

Guarda,

non ho ben capito nello specifico il tuo problema, ma posso assicurarti che se non fai traffico verso la lan remota per un intero lifetime la vpn va giù eccome, salvo poi ripristinarsi quando necessario.

Probabilmente c'è un problema di connettività discontinua, ed il tuo programma rimane 'appeso' perchè qualcosa si perde.

Cisco$ · sab 12 lug , 2008 2:27 pm

si

perchè poi dopo mi tocca ricollegarmi di nuovo.

perde la connetività col server.

quindi non arrivano + dati

il problema cmq lo fà anche quando (non sempre però) si stà lavorando normalmente.

Cmq il fatto lo fà principalmente quando ci sono momenti di pausa. durante la pausa pranzo, e mentre si lavora 2 o 3 volte al giorno.

Mi sembra strano che la VPN và giù cosi, io prima avevo dei firewall digicom è questo non succedeva.

O questa cosa la fanno tutti i firewall?

Cisco$ · lun 14 lug , 2008 9:58 am

Nessuno che mi può aiutare?

Wizard · lun 14 lug , 2008 10:04 am

Di default ogni 8 ore la vpn fa il re-key (si riscambia le chiavi) e se non c'è traffico attivo (basta un ping) la vpn cade!
Se vuoi puoi aumentare il lifetime della vpn

Cisco$ · lun 14 lug , 2008 10:08 am

ora credo che sia impostato su tutte e due i firewall su 86400

quanto dovrei mettere secondo te?

lo devo cambiare anche sui router?

Grazie

Wizard · lun 14 lug , 2008 10:51 am

No mettilo solo sugli ASA
86400 secondi sono 24 ore...prova a metterlo a 48 ore...

Cisco$ · lun 14 lug , 2008 10:59 am

si

ma 48 ore corrispondono 172800

quindi devo mettere lifetime 172800?

l'altro comando si modifica quando ci metto questo, lo devo mettere 2 volte visto che sulla conf. compare 2 volte se hai visto pure tu?

Grazie

Wizard · lun 14 lug , 2008 11:05 am

172800 si
Impostalo solo sulla crypto map che ti serve (chiaramente su entrambi i FW).
Anh, la vpn molto probabilmente cadrà durante la modifica...

Cisco$ · lun 14 lug , 2008 11:32 am

scusa

allora cosi:

crypto isakmp policy 10
lifetime 172800

crypto isakmp policy 30
lifetime 172800

giusto?

non vorrei combinare casini.

grazie

Problema VPN IPSEC CON 2 FIREWALL ASA 5505

Login • Iscriviti