Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer

(Rene Molenaar) #1

This topic is to discuss the following lesson:

Config remote tunnel with Dynamic IP to Datacenter static IP (ASA 5520)
(Oskar N) #2

Hi Rene !

Are you using GNS3 beacuase i have some truoble to get the config saved. After i reopen it doesnt stay.


(Rene Molenaar) #3

Hi Oskar,

I use Cisco VIRL for pretty much all labs nowadays, including the ASA labs.


(Mohammad Hasanuz Zaman) #4

Thats great Rene .Thx

(Shraddha P) #5

Hi, Rene
How are you? I have similar topology at work and issue we see is remote end db servers SQL db servers makes call to collect logs from home office SQL db server and sometimes it droops. End to end host connectivity is there as well as IPSEC is all up, VPN is up too. Even I see net flow via LIVE action network analyzer tool.

From home office ASA 5505, I have loggedout /in site to site vpn session which reestablishes with in 30 se . ASDM packet tracer would isolate issue ? I am not sure if that could be something high on CPU or memory to spike ?
Would Clear connection and clear xlate would help?
is it service affecting event?
Is there any other test or troubleshooting would you suggest on intermittent drop like this?

Thank you

(Shraddha P) #6

Hi, Rene
Any update on my post above? I am trying to isolate issue that customer server is sending calls to SQL sever at home office and it gets error message on server side at customer end that connections has failed, and call has not completed , 3 call out of 1000 does that however it is important to isolate this issue.

(Rene Molenaar) #7

Hi Shraddha,

Are you still having issues?

Something you might want to check is if you have SQL inspection enabled on your ASA. I’ve had issues with this before with Oracle database servers. This is something you could see in ASDM packet tracer. In my case I noticed some unusual TCP sessions that were resetted immediately.


(Shraddha P) #8

Hi Rene
Thank you for update. I missed this question you posted. sorry for delay in reply.
Issue got resolved.

Thank you

(Shraddha P) #9

Hi Rene,

I am using GNS3 ASAv for above lab. configuration is perfectly fine however vpn would not come up. There is a warning message I see on GNS3 as below. Not sure if that is reason or something else. Can you assiste?

Warning: ASAv platform license state is Unlicensed.
Install ASAv platform license for full functionality.

(Rene Molenaar) #10

Hi Shraddha,

You can ignore this message, it shows up all the time on my ASAv devices that I run in Cisco VIRL.

Have you tried packet-tracer yet to see if it gives you any information why the VPN is not working?

(Heng S) #11

Hi Rene
Is this topology is the peering IP of IPsec must be in the same network ?

(Lazaros Agapides) #12

Hello Heng

No, the peering addresses don’t have to be the same. The only prerequisite is that the outside IP addresses of the Internet facing interfaces should be able to have network connectivity between them.

I hope this has been helpful!


(Adrian W) #13

After adding: crypto map Outside_map 1 set ikev1 phase1-mode aggressive
My tunnel dropped and stopped working.


HomeASA(config)# show version
Cisco Adaptive Security Appliance Software Version 9.1(7)16
Device Manager Version 7.7(1)150
Compiled on Thu 30-Mar-17 17:39 by builders
System image file is "disk0:/asa917-16-k8.bin"
Config file at boot was "startup-config"
HomeASA up 2 hours 10 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNlite-MC-SSLm-PLUS-2.08
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1


HomeASA(config)# show run object-group network
object-group network FLL_DC_Networks
object-group network HomeNetworks
description Home LAN and WLAN


HomeASA(config)# show run access-list
access-list Outside_cryptomap extended permit ip object-group HomeNetworks object-group FLL_DC_Networks
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Outside_cryptomap_1 extended permit ip object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip object REMOTE_3
access-list Outside_cryptomap_1 extended permit ip object REMOTE_3

Crypto map:

HomeASA(config)# show run crypto map
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside

(Rene Molenaar) #14

Hi Adrian,

What do you use to identify your ASA with the dynamic IP to the remote ASA with static IP? Take a look at this example:

I use this on my dynamic peer:

crypto isakmp identity key-id ASA1_ASA2

Which matches the tunnel-group on the static IP peer:

tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
ikev1 pre-shared-key ASA1_ASA2_KEY

Hope this helps!