Wednesday, April 4, 2018

Cisco IPSEC site-to-site between ASA & PIX going stale

Yes... I know... I still have a PIX in the field. It should be replaced with a new Check Point firewall this year but till then I have an issue I can't seem to resolve.

I'm able to get phase 1 and 2 up without issue, but unless there is activity in the tunnel it dies completely, including phase 1. The only way to bring it back is using packet-tracer. Looking everywhere Google brings me to when doing searches, I've tried everything I can find with no resolution yet.

The office PIX in this scenario can ping the colo1 host 10.16.64.25 without issue, yet when I configure an sla monitor to use the inside interface the timeout comes back as 'TRUE' when looking at the operational state of the sla monitor. What am I missing?

Colo1 ASA configuration related to this tunnel

object-group network ogn-colo1-office-local
 network-object object on-10.16.64.0-19
object-group network ogn-colo1-office-remote
 network-object object on-10.50.13.0-24
 network-object object on-10.50.15.0-24
object-group network ogn-colo1-office-local-gp
 network-object object on-10.16.64.25
 network-object object on-10.16.94.0-23
access-list acl-colo1-office-cm extended permit ip object-group ogn-colo1-office-local object-group ogn-colo1-office-remote
access-list acl-colo1-office-gp extended permit ip object-group ogn-colo1-office-remote object-group ogn-colo1-office-local-gp
access-list acl-colo1-office-gp extended deny ip any4 any4
nat (any,any) source static ogn-colo1-office-local ogn-colo1-office-local destination static ogn-colo1-office-remote ogn-colo1-office-remote no-proxy-arp
crypto map outside_map 30 match address acl-colo1-office-cm
crypto map outside_map 30 set peer OFFICE.OUTSIDE.I.P
crypto map outside_map 30 set ikev1 transform-set ESP-AES-192-SHA-HMAC
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
group-policy gp-colo1-office internal
group-policy gp-colo1-office attributes
 vpn-filter value acl-colo1-office-gp
tunnel-group OFFICE.OUTSIDE.I.P type ipsec-l2l
tunnel-group OFFICE.OUTSIDE.I.P general-attributes
 default-group-policy gp-colo1-office
tunnel-group OFFICE.OUTSIDE.I.P ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10

Office PIX configuration related to this tunnel

object-group network ogn-office-colo1-local
 group-object ogn-10.50.13.0-24
 group-object ogn-10.50.15.0-24
object-group network ogn-office-colo1-remote
 group-object ogn-10.16.64.0-19
object-group network ogn-office-colo1-remote-gp
 group-object ogn-10.16.64.25
 group-object ogn-10.16.94.0-23
access-list nonat extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-cm extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-gp extended permit ip object-group ogn-office-colo1-remote-gp object-group ogn-office-colo1-local
access-list acl-office-colo1-gp extended deny ip any any
crypto map newmap 30 match address acl-enn-colo1-cm
crypto map newmap 30 set peer COLO1.OUTSIDE.I.P
crypto map newmap 30 set transform-set ESP-AES-192-SHA-HMAC
group-policy gp-office-colo1 internal
group-policy gp-office-colo1 attributes
 vpn-filter value acl-office-colo1-gp
tunnel-group COLO1.OUTSIDE.I.P type ipsec-l2l
tunnel-group COLO1.OUTSIDE.I.P general-attributes
 default-group-policy gp-office-colo1
tunnel-group COLO1.OUTSIDE.I.P ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 10
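As an added example that is not part of the post, the script below parses the two config excerpts above (re-flowed one command per line, tunnel-group and group-policy lines left out because the check does not use them) and reports crypto-map or ACL references that point at nothing defined in the text. On the PIX side it flags that `crypto map newmap 30` matches `acl-enn-colo1-cm` while the ACL the excerpt actually defines is `acl-office-colo1-cm`. Whether that is a real mismatch or an artifact of anonymising the post, a crypto map whose match ACL does not exist never selects traffic for the tunnel, so that peer cannot initiate it; a dangling reference like this is worth ruling out before tuning keepalives or SLA monitors.

```python
"""Added example (not from the post): static consistency check of the two
IPsec configs above, parsed the way `show running-config` prints them."""
from collections import defaultdict

# Excerpts of the Colo1 ASA and Office PIX configs quoted in the post,
# re-flowed one command per line.
ASA_CONFIG = """\
object-group network ogn-colo1-office-local
 network-object object on-10.16.64.0-19
object-group network ogn-colo1-office-remote
 network-object object on-10.50.13.0-24
 network-object object on-10.50.15.0-24
object-group network ogn-colo1-office-local-gp
 network-object object on-10.16.64.25
 network-object object on-10.16.94.0-23
access-list acl-colo1-office-cm extended permit ip object-group ogn-colo1-office-local object-group ogn-colo1-office-remote
access-list acl-colo1-office-gp extended permit ip object-group ogn-colo1-office-remote object-group ogn-colo1-office-local-gp
access-list acl-colo1-office-gp extended deny ip any4 any4
crypto map outside_map 30 match address acl-colo1-office-cm
crypto map outside_map 30 set peer OFFICE.OUTSIDE.I.P
crypto map outside_map 30 set ikev1 transform-set ESP-AES-192-SHA-HMAC
"""

PIX_CONFIG = """\
object-group network ogn-office-colo1-local
 group-object ogn-10.50.13.0-24
 group-object ogn-10.50.15.0-24
object-group network ogn-office-colo1-remote
 group-object ogn-10.16.64.0-19
object-group network ogn-office-colo1-remote-gp
 group-object ogn-10.16.64.25
 group-object ogn-10.16.94.0-23
access-list nonat extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-cm extended permit ip object-group ogn-office-colo1-local object-group ogn-office-colo1-remote
access-list acl-office-colo1-gp extended permit ip object-group ogn-office-colo1-remote-gp object-group ogn-office-colo1-local
access-list acl-office-colo1-gp extended deny ip any any
crypto map newmap 30 match address acl-enn-colo1-cm
crypto map newmap 30 set peer COLO1.OUTSIDE.I.P
crypto map newmap 30 set transform-set ESP-AES-192-SHA-HMAC
"""


def parse(config):
    """Collect defined ACLs and object-groups, the object-groups each ACL
    references, and the settings of every crypto map entry keyed by
    (map name, sequence number)."""
    acls, groups = set(), set()
    acl_groups = defaultdict(set)
    crypto = {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group" and len(tok) >= 3:
            groups.add(tok[2])
        elif tok[0] == "access-list" and len(tok) >= 2:
            acls.add(tok[1])
            # every "object-group <name>" pair inside the ACE is a reference
            for i, word in enumerate(tok[:-1]):
                if word == "object-group":
                    acl_groups[tok[1]].add(tok[i + 1])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 7:
            entry = crypto.setdefault((tok[2], tok[3]), {})
            rest = tok[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif "transform-set" in rest:  # "set transform-set X" or "set ikev1 transform-set X"
                entry["transform"] = rest[rest.index("transform-set") + 1]
    return {"acls": acls, "groups": groups, "acl_groups": acl_groups, "crypto": crypto}


def audit(config):
    """Return human-readable findings: dangling references that leave a crypto
    map entry or ACL without the traffic definition it expects."""
    p = parse(config)
    findings = []
    for (name, seq), entry in sorted(p["crypto"].items()):
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"crypto map {name} {seq}: no match address configured")
        elif acl not in p["acls"]:
            findings.append(f"crypto map {name} {seq}: match address {acl} is not defined")
        if "peer" not in entry:
            findings.append(f"crypto map {name} {seq}: no peer set")
    for acl, refs in sorted(p["acl_groups"].items()):
        for group in sorted(refs - p["groups"]):
            findings.append(f"access-list {acl}: object-group {group} is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Colo1 ASA", ASA_CONFIG), ("Office PIX", PIX_CONFIG)):
        print(f"== {label} ==")
        for line in audit(cfg) or ["no dangling references"]:
            print(" ", line)
```

Run it as-is to audit the excerpts, or replace the two strings with the full `show running-config` output of each firewall; nested `group-object` and `network-object object` references are deliberately not checked, since the excerpts in the post do not include those definitions.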
