IPSEC VPN Tunnel Dropping Secondary Networks

Discussion in 'Cisco' started by NateVR, May 20, 2009.

    Setup

    Remote ASA – HQ ASA IPSec Tunnel (previously functioned the same on remote ASA and HQ PIX)

    Remote Site (remote endpoint site) – 10.21.10.0
    HQ Site (hq endpoint site) – 10.1.0.0
    Secondary Site (Alternate site, No VPN endpoint, MPLS from HQ to Secondary) – 10.4.0.0

    Issue: Remote cannot initiate traffic to Secondary. Traffic will not flow until Secondary traffic brings the connection up. This is even though the tunnel is running and established based on 10.1 traffic.

    If Secondary initiates traffic the tunnel will pass it through HQ to Remote. That connection will then stay up for x time (don’t know x). Eventually it will drop and Remote can no longer get to Secondary.

    I’m sure there is some timeout that can be changed, but I’m not sure which, and I’m not sure that it is actually needed since Remote should see traffic matching the peer and send it even if the “secondary network” connection isn’t there yet? It is all the same tunnel, it shouldn’t go up and down.

    ACL for VPN peer from Remote
    access-list inside_nat0_outbound extended permit ip any 10.1.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip any 10.4.0.0 255.255.0.0
    access-list outside_1_cryptomap extended permit ip any 10.1.0.0 255.255.0.0
    access-list outside_1_cryptomap extended permit ip any 10.4.0.0 255.255.0.0

    Troubleshooting: HQ does not receive ping traffic from Remote destined for Secondary until a connection is established from Secondary; it seems the Remote ASA shuts down the connection and can’t initiate it back to Secondary.

    If I run an app to do a ping every 15 minutes either way (Secondary/Remote) the connection stays up. I have heard other VPN endpoint manufacturers have ping utilities built in for keepalive, maybe to get around the same issue?

    EDIT: This is on multiple 5505 units from multiple remote sites to either HQ 5510 or PIX. Issue did not happen on PIX but a default timeout may have been modified. Is a long timeout needed for this? If so, which one, and why since the IPSEC tunnel really is always UP anyways passing traffic to and from HQ.
    Last edited: May 20, 2009
    NateVR, May 20, 2009
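Added illustration, not code from the thread or from Cisco: on an ASA each permit line of the crypto-map ACL is a separate proxy identity that negotiates its own Phase 2 SA with its own timers, so the "one tunnel" in the post is really two SAs. The model below parses the poster's crypto ACL, replays a constructed traffic timeline against a constructed idle timeout, and shows why the 10.4.0.0/16 SA lapses while 10.1.0.0/16 stays up, and how a periodic probe like the 15-minute ping keeps it alive (host addresses, timeout and timeline are assumptions, not ASA behaviour in detail).

```python
# Added illustration (not ASA code): each permit line in the crypto-map ACL is a
# separate proxy identity, so the ASA builds one Phase 2 SA per line, each with
# its own idle timer. Timeout value, hosts and traffic timeline are constructed.
import ipaddress

CRYPTO_ACL = """
access-list outside_1_cryptomap extended permit ip any 10.1.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip any 10.4.0.0 255.255.0.0
""".strip().splitlines()

def _addr(tokens):
    """Consume one ACE address spec ('any' or 'NET MASK') -> (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def proxy_identities(acl_lines):
    """One (local, remote) selector pair per 'permit ip' line, in ACL order."""
    ids = []
    for line in acl_lines:
        p = line.split()
        if p[:1] == ["access-list"] and p[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(p[5:])
            dst, _ = _addr(rest)
            ids.append((src, dst))
    return ids

def sas_up_after(acl_lines, packets, idle_secs, keepalive_every=None, keepalive_dst=None):
    """Replay (time, src, dst) packets and return the remote networks whose SA is
    still inside its idle window at the time of the last packet. An optional
    keepalive injects a probe to keepalive_dst every keepalive_every seconds."""
    ids = proxy_identities(acl_lines)
    last_seen = {}
    end = max(t for t, _, _ in packets)
    stream = list(packets)
    if keepalive_every:
        stream += [(t, "10.21.10.5", keepalive_dst) for t in range(0, end + 1, keepalive_every)]
    for t, src, dst in sorted(stream):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ident in ids:
            if s in ident[0] and d in ident[1]:
                last_seen[ident] = t      # first matching ACE wins, as in ACL lookup
                break
    return sorted(str(i[1]) for i, seen in last_seen.items() if end - seen < idle_secs)

# Constructed timeline: steady Remote->HQ (10.1) traffic every 5 minutes for an
# hour, and a single Remote->Secondary (10.4) packet one minute in.
TRAFFIC = [(t, "10.21.10.5", "10.1.0.10") for t in range(0, 3601, 300)] + \
          [(60, "10.21.10.5", "10.4.0.10")]
```

With a 30-minute constructed idle window, `sas_up_after(CRYPTO_ACL, TRAFFIC, 1800)` reports only 10.1.0.0/16 up; adding `keepalive_every=900, keepalive_dst="10.4.0.10"` keeps both SAs up, which is the effect the poster saw from the 15-minute ping.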
