VPN from ASA5505-Checkpoint failing after one hour (Server Fault)


I have an IPsec site-to-site VPN set up and working, however I'm having problems once the connection has been established for over an hour. After an hour ASDM still thinks the VPN is connected and the connection duration continues to increment, however as soon as I try to send data down it the tunnel gets torn down and recreated, along with an RST packet sent from our firewall to the client machine on our network. I've turned logging on and the following two lines look the most interesting:

Session Disconnected. ... Reason: crypto map policy not found
...
Connection terminated for peer 213.123.59.222.  Reason: Peer Terminate  Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50

The 213.123.59.222 is their external ip for the checkpoint box, 78.129.136.64 is a machine on our local network sending the data, and 171.28.18.50 is a machine on their network I'm trying to send data to.

My timeout config is as follows:

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 180
 vpn-tunnel-protocol IPSec svc

I'd like to understand if the problem is config on our side (ASA5505) or on the customer's firewall (Checkpoint). Is there anything else I can check on my side before I get in touch with them?

Update: When I do show configuration my access lists and crypto maps are as follows (sorry if there are missing lines and funny names like 'bob', I'm a little out of my depth and found it a bit trial-and-errorish setting the VPN up!):

access-list basic extended permit tcp any any eq 3389
access-list basic extended permit tcp any any eq ssh
access-list basic extended permit tcp any any eq www
access-list basic extended permit tcp any any eq https
access-list basic remark MySQL
access-list basic extended permit tcp any any eq 3306
access-list allow extended permit ip any any
access-list NoNAT extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0 255.255.255.0
access-list SiteAtoSiteB extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0 255.255.255.0
access-list SiteAtoSiteB extended permit tcp 78.129.136.64 255.255.255.240 host 171.28.18.50 eq telnet
access-list bob standard permit host 171.28.18.50
...
crypto map SiteToSiteVPN 10 match address SiteAtoSiteB
crypto map SiteToSiteVPN 10 set pfs
crypto map SiteToSiteVPN 10 set peer 213.123.59.222
crypto map SiteToSiteVPN 10 set transform-set SiteAToSiteBtransform
crypto map SiteToSiteVPN 10 set security-association lifetime seconds 28800
crypto map SiteToSiteVPN 10 set security-association lifetime kilobytes 4608000
crypto map SiteToSiteVPN interface Outside

Sorry, I think I misunderstood Shane's comment, perhaps this info was in the error statement. The logging statements generated when the first piece of data after an hour is sent are:

Teardown local-host Outside:171.28.18.50 duration 1:59:35
Teardown TCP connection 27792859 for Outside:171.28.18.50/23 to Inside:78.129.136.66/48572 duration 1:59:35 bytes 86765 Tunnel has been torn down
Ignoring msg to mark SA with dsID 72404992 dead because SA deleted
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
Pitcher: received key delete msg, spi 0xf025f6b
Pitcher: received key delete msg, spi 0x7447991f
Pitcher: received key delete msg, spi 0x7447991f
IP = 213.123.59.222, IKE_DECODE SENDING Message (msgid=27f78398) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Group = 213.123.59.222, IP = 213.123.59.222, constructing qm hash payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing IKE delete payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing blank hash payload
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0F025F6B) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7447991F) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
Group = 213.123.59.222, IP = 213.123.59.222, sending delete/delete with reason message
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE Deleting SA: Remote Proxy 171.28.18.50, Local Proxy 78.129.136.64
Group = 213.123.59.222, IP = 213.123.59.222, Active unit receives a delete event for remote peer 213.123.59.222.
Group = 213.123.59.222, IP = 213.123.59.222, Connection terminated for peer 213.123.59.222.  Reason: Peer Terminate  Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
Group = 213.123.59.222, IP = 213.123.59.222, processing delete
Group = 213.123.59.222, IP = 213.123.59.222, processing hash payload
IP = 213.123.59.222, IKE_DECODE RECEIVED Message (msgid=b3da5da4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Built inbound UDP connection 27794863 for Outside:213.123.59.222/500 (213.123.59.222/500) to identity:87.117.211.90/500 (87.117.211.90/500)
Built local-host Outside:213.123.59.222
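A small triage script, added here as an example and not part of the question or any answer, that reads ASA log lines in the format quoted above together with the crypto map's lifetime line and reports which side sent the IKE DELETE and whether the session ended before the locally configured SA lifetime. It assumes the ASDM ordering of newest line first, and the sample lines and config fragment are constructed from the ones in the question.

```python
import re

# Constructed sample: lines from the ASA log quoted above (ASDM lists newest first,
# so the RECEIVED DELETE on the last line is the earliest of these events).
SAMPLE_LOG = """\
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
IP = 213.123.59.222, IKE_DECODE SENDING Message (msgid=27f78398) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Group = 213.123.59.222, IP = 213.123.59.222, Connection terminated for peer 213.123.59.222.  Reason: Peer Terminate  Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
IP = 213.123.59.222, IKE_DECODE RECEIVED Message (msgid=b3da5da4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
"""
# Constructed sample: the lifetime lines from the crypto map in the question.
SAMPLE_CONFIG = """\
crypto map SiteToSiteVPN 10 set security-association lifetime seconds 28800
crypto map SiteToSiteVPN 10 set security-association lifetime kilobytes 4608000
"""

DURATION_RE = re.compile(r"Duration: (?:(\d+)h:)?(?:(\d+)m:)?(\d+)s")
LIFETIME_RE = re.compile(r"security-association lifetime seconds (\d+)")
DELETE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message .*DELETE")
PROXY_RE = re.compile(r"Reason: Peer Terminate\s+Remote Proxy (\S+), Local Proxy (\S+)")


def duration_seconds(log_text):
    """Seconds from the 'Session disconnected ... Duration: 1h:59m:53s' field, or None."""
    m = DURATION_RE.search(log_text)
    if not m:
        return None
    h, mins, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mins * 60 + s


def analyze_teardown(log_text, config_text):
    """Report which side tore the SA down and whether it died before our own lifetime."""
    lifetimes = [int(x) for x in LIFETIME_RE.findall(config_text)]
    local_lifetime = min(lifetimes) if lifetimes else None
    deletes = DELETE_RE.findall(log_text)
    proxy = PROXY_RE.search(log_text)
    duration = duration_seconds(log_text)
    # 'Peer Terminate' together with a RECEIVED DELETE payload means the remote side started it.
    peer_initiated = proxy is not None and "RECEIVED" in deletes
    return {
        "initiator": "peer" if peer_initiated else "local",
        "duration_s": duration,
        "local_lifetime_s": local_lifetime,
        # True means the peer's lifetime or encryption domain is the next thing to compare.
        "ended_before_local_lifetime": (duration is not None and local_lifetime is not None
                                        and duration < local_lifetime),
        "remote_proxy": proxy.group(1) if proxy else None,
        "local_proxy": proxy.group(2) if proxy else None,
    }
```

For the quoted log this reports a peer-initiated delete after 7193 seconds against a local lifetime of 28800, which is the comparison to take to the Checkpoint side.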
