Question : Problem: we have a ASA5505 connecting to a ASA5520. the asa5505 drop links and no traffic can pass over the vpn

we have a ASA5505 connecting to a ASA5520. the asa5505 drop links and no traffic can pass over the vpn. Have to log into the asa5505 on external interface and reload it. This then solves the problem. Behine the ASA5502 are three sateliites.



ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.com.au
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.*.*.8 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 58.*.*.113 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone WST 8
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.230.0.1
 domain-name domain.com.au
same-security-traffic permit intra-interface
access-list OUTSIDE-ACCESS-IN extended permit tcp any host 58.*.*.113 eq ssh
access-list OUTSIDE-ACCESS-IN extended permit tcp any host 58.*.*.113 eq telnet
access-list nonat extended permit ip 10.250.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip host 192.*.*.8 host 10.230.0.224
access-list nonat extended permit ip host 192.*.*.8 host 10.200.0.21
access-list nonat extended permit ip host 58.*.*.113 host 10.200.0.21
access-list VPNtoDC extended deny ip 192.*.*.0 255.255.255.248 10.202.0.0 255.255.0.0
access-list VPNtoDC extended deny ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list VPNtoDC extended permit ip 10.250.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip 10.250.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip 10.250.3.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip 10.250.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip host 192.*.*.8 host 10.230.0.224
access-list VPNtoDC extended permit ip host 58.*.*.113 host 10.200.0.21
access-list INSIDE-IN extended permit ip any any
access-list OUTSIDE-IN extended permit ip host 203.*.*.74 interface outside
access-list OUTSIDE-IN extended permit tcp host 203.*.*.65 host 58.*.*.113 eq ssh
access-list OUTSIDE-IN extended permit tcp host 218.*.*.186 host 58.*.*.113 eq ssh
access-list OUTSIDE-IN extended deny ip any any log
access-list VPN-TO-202 extended permit ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any eq domain log
access-list test extended permit udp 10.250.3.0 255.255.255.0 any eq domain log
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any eq 445 log
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any eq netbios-ssn log
access-list test extended permit tcp 10.250.1.0 255.255.255.0 any eq domain log
access-list test extended permit udp 10.250.1.0 255.255.255.0 any eq domain log
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any log
access-list test extended permit udp 10.250.3.0 255.255.255.0 any log
access-list test extended permit ip any any
access-list test1 extended permit tcp any eq 445 10.250.3.0 255.255.255.0 log
access-list test1 extended permit tcp any eq netbios-ssn 10.250.3.0 255.255.255.0 log
access-list test1 extended permit tcp any 10.250.3.0 255.255.255.0 log
access-list test1 extended permit udp any 10.250.3.0 255.255.255.0 log
access-list test1 extended permit ip any any
access-list test2 extended permit ip host 10.220.10.62 host 10.250.1.10
access-list test2 extended permit ip host 10.250.1.10 host 10.220.10.62
access-list test2 extended permit ip host 10.220.10.62 host 10.250.2.10
access-list test2 extended permit ip host 10.250.2.10 host 10.220.10.62
access-list test2 extended permit ip host 10.220.10.62 host 10.250.3.10
access-list test2 extended permit ip host 10.250.3.10 host 10.220.10.62
access-list test2 extended permit ip host 10.250.1.10 host 10.230.0.1
access-list test2 extended permit ip host 10.230.0.1 host 10.250.1.10
access-list test2 extended permit ip host 10.230.0.1 host 10.250.2.10
access-list test2 extended permit ip host 10.250.2.10 host 10.230.0.1
access-list test2 extended permit ip host 10.250.3.10 host 10.230.0.1
access-list test2 extended permit ip host 10.230.0.1 host 10.250.3.10
access-list VPNtoPerthDC extended deny ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list VPNtoPerthDC extended permit ip 10.250.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list vpntoPerth extended deny ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list vpntoPerth extended permit ip 10.250.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list vpntoPerth extended permit ip 10.250.3.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 32000
logging console emergencies
logging monitor alerts
logging buffered debugging
logging trap debugging
logging asdm notifications
logging host inside 10.250.1.10
logging host outside 10.200.0.21
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
route inside 10.250.1.0 255.255.255.0 192.168.240.1 1
route inside 10.250.2.0 255.255.255.0 192.168.240.1 1
route inside 10.250.3.0 255.255.255.0 192.168.240.1 1
route outside 0.0.0.0 0.0.0.0 58.84.215.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
url-cache dst 1
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strongdes esp-3des esp-md5-hmac
crypto ipsec transform-set strongaes esp-aes-256 esp-sha-hmac
crypto map outside 10 match address VPNtoDC
crypto map outside 10 set peer 203.25.27.74
crypto map outside 10 set transform-set strongdes strongaes
crypto map outside 20 match address VPN-TO-202
crypto map outside 20 set peer 203.*.*.130
crypto map outside 20 set transform-set strongaes
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
telnet 10.250.1.0 255.255.255.0 inside
telnet 203.*.*.74 255.255.255.255 outside
telnet timeout 5
ssh 10.250.1.0 255.255.255.0 inside
ssh 10.230.0.0 255.255.0.0 inside
ssh 10.200.0.0 255.255.0.0 inside
ssh 218.*.*.186 255.255.255.255 outside
ssh 203.*.*.65 255.255.255.255 outside
ssh 203.*.*.74 255.255.255.255 outside
ssh 203.*.*.201 255.255.255.255 outside
ssh 209.*.*.96 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
dhcpd auto_config outside
!

tunnel-group 203.*.*.74 type ipsec-l2l
tunnel-group 203.*.*.74 ipsec-attributes
 pre-shared-key *
tunnel-group 203.*.*.130 type ipsec-l2l
tunnel-group 203.*.*.130 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
ciscoasa#

Answer : Problem: we have a ASA5505 connecting to a ASA5520. the asa5505 drop links and no traffic can pass over the vpn

the cause of the problem turned out to be a faulty port on the isp's switch. Our asa was at their data centre, found it by accident, switched ports and all fixed.
Random Solutions  
 
programming4us programming4us