Jul 16, 2010

Syslog over IPSec

I've identified an issue when ASAs are configured to send syslog messages over an IPSec tunnel. For some unknown reason, I've seen some devices trying to establish the connection to the log server without forward the traffic through the tunnel. Thus, the log messages are not saved, since the remote peer blocks the unencrypted packets.


IPSec and logging settings on the ASA2:

! --- Syslog ---
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging history informational
logging host outside 192.168.0.100
! --- Crypto ACL ---
access-list outside_1_cryptomap extended permit ip interface outside host 192.168.0.10
! --- IKE PHASE 2 ---
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.17.0.1
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
! --- IKE PHASE 1 ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400

! --- Peer ---
tunnel-group 172.17.0.1 type ipsec-l2l
tunnel-group 172.17.0.1 ipsec-attributes
 pre-shared-key c1sc0

When the problem happens, we can see a connection entry for the traffic between the ASA2 and the Syslog server without an established tunnel:

asa2# show local-host all | i 192.168.0.10
local host: <192.168.0.10>
UDP outside 192.168.0.10:514 NP Identity Ifc 172.16.0.1:514, idle 0:00:00, bytes 3652495222, flags -

asa2# show ipsec sa

There are no ipsec sas
 
The ASA doesn't receive positive acknowledges from the Syslog server, since the traffic is transported over UDP and no error corrections techniques are used in the application layer. So the connection is persistent and the tunnel is never established, since the ISAKMP process doesn't "see" any interesting traffic.
 
In order to fix this issue, you just need to clear the connection entry from the ASA2 conn table. It is only a workaround that doesn't help to find out the root cause of the problem, but it should be helpful since troubleshooting commands like show and debug doesn't give any clues on this issue.

asa2# clear local-host 192.168.0.10 all

or

asa2# clear conn all address 192.168.0.10
1 connection(s) deleted.

Then the tunnel is established and the Syslog traffic is encapsulated and encrypted:

asa2# show ipsec sa
interface: outside
  Crypto map tag: outside-map, seq num: 1, local addr: 172.16.0.1


    access-list outside_1_cryptomap extended permit ip interface outside host 192.168.0.10
    local ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (192.168.0.10/255.255.255.255/0/0)
    current_peer: 172.17.0.1

    #pkts encaps: 509, #pkts encrypt: 509, #pkts digest: 509
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 509, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 217, #recv errors: 0

I have seen some cases where the proposed solution didn't correct the problem (sometimes, rebuilding the crypto settings may fix it). After to run several debugs and packet captures, I threw in the towel and accepted a reboot as the only way to get rid of this problem. It seems like the ISAKMP proccess just hangs.

asa(config)# end
asa# wr mem

No comments:

Post a Comment