
ASA 5505 RA VPN Intermittent Traffic


  • ASA 5505 RA VPN Intermittent Traffic

    I am trying to configure a remote access VPN on a Cisco ASA 5505 so users can connect and access exchange services published on an ISA server on the DMZ subnet.

    Clients can successfully connect and obtain an IP address but the connection is unreliable and it seems like packets are dropping.

    Using Wireshark on the client after the connection is established, when I request a web page that exists on a server in the DMZ I can see a 3-way handshake; sometimes I can see data coming back, sometimes not. Sometimes the client receives a response to the DNS requests, sometimes not.

    When I use Wireshark on the outside interface of the ASA, I can see ESP traffic going back and forth, but sometimes the ASA just stops responding for a while and all I see is the ESP traffic from the client.

    If I wait long enough and refresh the web page enough times about half of it will load.

    Below is the running config; it is mostly the default config with a few modifications to the DefaultRAGroup profile. It uses RADIUS and certificates for authentication.

    Any and all help greatly appreciated. Happy New Year!

    Code:
    hostname# sh run
    : Saved
    :
    ! Running config of an ASA 5505 on 8.2(1) with three VLAN interfaces
    ! (inside / outside / dmz) and an IPsec remote-access VPN terminated on
    ! "outside" via the DefaultRAGroup tunnel group. Users are authenticated
    ! against a RADIUS server on the dmz and the ASA presents the CERTIFICATE
    ! trustpoint. Passwords, keys, the outside address and the certificate
    ! bodies appear to have been redacted by the poster (ZZZ / xxx / XXX).
    ASA Version 8.2(1)
    !
    hostname hostname
    domain-name domain.tld
    ! Enable and login passwords (shown redacted).
    enable password ZZZZZZZZZZZ encrypted
    passwd ZZZZZZZZZZZ encrypted
    names
    !
    ! Layer-3 interfaces are VLANs; the physical switchports are mapped below.
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.100.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address xxx.xxx.xxx.xxx 255.255.255.0
    !
    ! "no forward interface Vlan1" stops the dmz from initiating traffic
    ! towards inside (the usual 5505 Base-licence restriction on a third
    ! VLAN); inside -> dmz and outside/VPN -> dmz are unaffected by it.
    interface Vlan5
     no forward interface Vlan1
     nameif dmz
     security-level 50
     ip address 192.168.250.1 255.255.255.0
    !
    ! Ethernet0/0 is the outside uplink and Ethernet0/7 the dmz port; the
    ! remaining ports carry no explicit VLAN, so presumably they sit in
    ! VLAN 1 (inside) by default.
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 5
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
     domain-name domain.tld
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ! Address pool handed to VPN clients; it does not overlap the inside
    ! (192.168.100.0/24) or dmz (192.168.250.0/24) subnets.
    ip local pool VPNPOOL 192.168.200.100-192.168.200.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    ! PAT: everything from inside leaving via outside is translated to the
    ! outside interface address. There is no NAT statement for dmz and no NAT
    ! exemption ("nat 0 access-list") for the VPN pool. With nat-control off
    ! (the 8.2 default — confirm with "show run nat-control") untranslated
    ! VPN -> dmz traffic still passes, but any inside -> VPN-client traffic
    ! would hit this PAT rule unless an exemption is added.
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    ! RADIUS authentication/accounting server on the dmz (secrets redacted).
    ! Because it sits behind the dmz switchport, VPN logons depend on that
    ! path being healthy.
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (dmz) host 192.168.250.2
     key ZZZZZZZ
     authentication-port 1812
     accounting-port 1813
     radius-common-pw ZZZZZZZ
    ! ASDM/HTTPS management is reachable only from the inside subnet.
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    ! SNMP traps are enabled but no snmp-server host is present in this
    ! listing, so presumably nothing receives them (default stanza).
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Default transform-set list. The single-DES and MD5 variants are weak by
    ! current standards; once clients are confirmed to negotiate AES/SHA, the
    ! DES/MD5 sets can be dropped from the dynamic map below.
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    ! The dynamic map offers every transform set above to any peer (AES
    ! first, DES last) and is bound to the outside interface.
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    ! Identity certificate used for the RA VPN (enrolled by pasting at the
    ! terminal). No revocation-check line is visible, so certificate
    ! revocation status is presumably not checked — confirm with
    ! "show run crypto ca trustpoint". Certificate bodies below are redacted.
    crypto ca trustpoint CERTIFICATE
     enrollment terminal
     crl configure
    crypto ca certificate chain CERTIFICATE
     certificate ZZZZZZZZZZZ
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      quit
     certificate ca ZZZZZZZZZZ
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      quit
    ! Phase 1 (IKEv1). Policy 5 (certificates, 3DES/SHA/DH group 2) is the one
    ! DefaultRAGroup can use through trust-point CERTIFICATE. Policies 10 and
    ! 65535 are pre-shared-key policies; no tunnel group in this listing
    ! carries a pre-shared key, and policy 10 offers single DES, so both look
    ! like candidates for removal to shrink the negotiation surface.
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    ! Only idle timeouts are set; no "telnet <net> <if>" or "ssh <net> <if>"
    ! lines are visible, so neither CLI service appears to be reachable.
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    ! Built-in DHCP server for inside clients (5505 default stanza).
    dhcpd auto_config outside
    !
    dhcpd address 192.168.100.5-192.168.100.36 inside
    dhcpd enable inside
    !
    
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! Bare webvpn stanza, no "enable <interface>": clientless SSL VPN is off.
    webvpn
    ! Only the DNS server (on the dmz) is overridden in the default group
    ! policy. No split-tunnel-policy or vpn-filter is set, so all client
    ! traffic is presumably tunnelled, and since no "no sysopt connection
    ! permit-vpn" line is present, VPN traffic bypasses interface ACLs. A
    ! vpn-filter ACL would limit clients to the ISA/Exchange hosts they need.
    ! Client traffic bound for the Internet would re-exit on outside and is
    ! dropped without "same-security-traffic permit intra-interface".
    group-policy DfltGrpPolicy attributes
     dns-server value 192.168.250.3
    ! RA tunnel group: addresses from VPNPOOL, users authenticated via RADIUS;
    ! password-management lets expired-password prompts be handled at logon.
    ! "isakmp keepalive disable" turns off DPD for this group, so a stalled
    ! peer is only noticed at SA expiry — worth re-enabling while chasing
    ! intermittent drops. ppp-attributes apply to L2TP-over-IPsec clients,
    ! which authenticate with MS-CHAPv2.
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNPOOL
     authentication-server-group RADIUS
     password-management
    tunnel-group DefaultRAGroup ipsec-attributes
     trust-point CERTIFICATE
     isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    ! Default DNS inspection: replies larger than 512 bytes (e.g. EDNS0) are
    ! dropped, which can show up as DNS failures for some names only.
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    ! Checksum of the original, uncommented config as saved on the device.
    Cryptochecksum:db4ac2c3be31a7cdd10af77a47e6f370
    : end

  • #2
    Re: ASA 5505 RA VPN Intermittent Traffic

    Problem resolved. Faulty switch. Carry on.



    • #3
      Re: ASA 5505 RA VPN Intermittent Traffic

      Thanks for posting back!
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"
