This topic is to discuss the following lesson:
Config remote tunnel with Dynamic IP to Datacenter static IP (ASA 5520)
Hi Rene !
Are you using GNS3, because I have some trouble getting the config saved. After I reopen it, it doesn't stay.
I use Cisco VIRL for pretty much all labs nowadays, including the ASA labs.
That's great Rene. Thx
How are you? I have a similar topology at work, and the issue we see is that the remote end SQL db servers make calls to collect logs from the home office SQL db server and sometimes it drops. End to end host connectivity is there, IPSEC is all up, and the VPN is up too. I even see NetFlow via the LiveAction network analyzer tool.
From the home office ASA 5505, I have logged out/in the site to site VPN session, which re-establishes within 30 sec. Would ASDM packet tracer isolate the issue? I am not sure if that could be something like high CPU or memory spiking?
Would clear connection and clear xlate help?
Is it a service affecting event?
Is there any other test or troubleshooting you would suggest for an intermittent drop like this?
Any update on my post above? I am trying to isolate an issue where the customer server is sending calls to the SQL server at the home office and gets an error message on the server side at the customer end that the connection has failed and the call has not completed. 3 calls out of 1000 do that; however, it is important to isolate this issue.
Are you still having issues?
Something you might want to check is if you have SQL inspection enabled on your ASA. I’ve had issues with this before with Oracle database servers. This is something you could see in ASDM packet tracer. In my case I noticed some unusual TCP sessions that were reset immediately.
Thank you for the update. I missed this question you posted. Sorry for the delay in reply.
Issue got resolved.
I am using GNS3 ASAv for the above lab. The configuration is perfectly fine, however the VPN would not come up. There is a warning message I see on GNS3 as below. Not sure if that is the reason or something else. Can you assist?
Warning: ASAv platform license state is Unlicensed. Install ASAv platform license for full functionality.
You can ignore this message, it shows up all the time on my ASAv devices that I run in Cisco VIRL.
Have you tried packet-tracer yet to see if it gives you any information why the VPN is not working?
In this topology, must the peering IPs of IPsec be in the same network?
No, the peering addresses don’t have to be the same. The only prerequisite is that the outside IP addresses of the Internet facing interfaces should be able to have network connectivity between them.
I hope this has been helpful!
After adding: crypto map Outside_map 1 set ikev1 phase1-mode aggressive
My tunnel dropped and stopped working.
HomeASA(config)# show version
Cisco Adaptive Security Appliance Software Version 9.1(7)16
Device Manager Version 7.7(1)150
Compiled on Thu 30-Mar-17 17:39 by builders
System image file is "disk0:/asa917-16-k8.bin"
Config file at boot was "startup-config"
HomeASA up 2 hours 10 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNlite-MC-SSLm-PLUS-2.08
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1
HomeASA(config)# show run object-group network
object-group network FLL_DC_Networks
 network-object 10.158.0.0 255.255.252.0
 network-object 172.16.20.0 255.255.252.0
 network-object 192.168.16.0 255.255.255.0
object-group network HomeNetworks
 description Home LAN and WLAN
 network-object 10.10.250.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
HomeASA(config)# show run access-list
access-list Outside_cryptomap extended permit ip object-group HomeNetworks object-group FLL_DC_Networks
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_3
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_3
HomeASA(config)# show run crypto map
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 184.108.40.206
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside
What do you use to identify your ASA with the dynamic IP to the remote ASA with static IP? Take a look at this example:
I use this on my dynamic peer:
crypto isakmp identity key-id ASA1_ASA2
Which matches the tunnel-group on the static IP peer:
tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
Hope this helps!
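To show where the two fragments from the reply above fit, here is an added example of both peers' relevant IKEv1/IPsec configuration; it is not part of the lesson or of the reply. The key-id, tunnel-group name, pre-shared key and static peer address are taken from this thread; the interface name, transform-set name, ISAKMP policy values and the DYN_MAP name are assumptions.

```cisco
! ===== Dynamic-IP peer (initiator), e.g. HomeASA =====
! Its outside address changes, so it identifies itself by key-id.
! With a pre-shared key that only works in IKEv1 aggressive mode,
! which is why the static side must also be prepared for it.
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp identity key-id ASA1_ASA2
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
! Outside_cryptomap: HomeNetworks -> FLL_DC_Networks (as in the thread)
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 184.108.40.206
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map Outside_map interface Outside
! The initiator still addresses the static peer by IP, so its
! tunnel-group is named after that IP.
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 184.108.40.206 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY

! ===== Static-IP peer (responder), e.g. the datacenter ASA =====
! The remote address is unknown in advance, so a dynamic crypto map
! accepts the negotiation and the key-id selects the tunnel-group.
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
! Outside_cryptomap here is the mirror image: FLL_DC_Networks -> HomeNetworks
crypto dynamic-map DYN_MAP 10 match address Outside_cryptomap
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map Outside_map interface Outside
! Tunnel-group name must equal the initiator's key-id string.
tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
```

If the key-id string and the tunnel-group name do not match exactly, the responder falls back to DefaultL2LGroup and phase 1 fails on the pre-shared key, which is the first thing to compare when a tunnel stops coming up after switching to aggressive mode.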