Thursday, August 28, 2014

Configuring AnyConnect VPN using Cisco ASA - GNS3 - Very Simple Method

Hi Everyone,

In this post we are going to see how to configure AnyConnect VPN on a Cisco ASA running version 8.4 in a GNS3 lab. The setup is simple and a good way for learners to understand the AnyConnect VPN configuration.

I have used GNS3 to emulate the VPN setup, and bingo!!! I have configured it in the easiest way!!!

### Refer to "How to add your PC as a cloud in GNS3 with a Loopback Interface Adapter" ###

### A router acts as the remote-site LAN device, which we test against after connecting to the VPN ###

Configuration Steps:

ASA Version 8.4(2)
!
hostname sslvpn-fw
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
### The outside interface is directly connected to the host/client PC cloud ###

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
### The inside interface is directly connected to the router, which acts as the remote server ###
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list sslvpn_inbound extended permit ip any any
access-list outbound extended permit ip any any

pager lines 24
logging enable
logging buffered notifications
mtu outside 1500
mtu inside 1500
### VPN address pool for AnyConnect VPN users ###
ip local pool vpn 172.16.0.1-172.16.0.5 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group sslvpn_inbound in interface outside
access-group outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
### Installed identity certificate and CA (trustpoint) configuration for the SSL certificate ###
crypto ca trustpoint cuckoonetworks.com
 enrollment terminal
 fqdn cuckoonetworks.com
 subject-name CN=cuckoonetworks.com, OU=CLOUD, O=CUCKOO NETWORKS, C=IN, St=KA, L=BLR
 keypair cuckoonetworks.com
 crl configure
crypto ca certificate chain cuckoonetworks.com
 certificate ca 3ba11e6c788e4ae15c7224a186fee7d5
    3082048a 30820372 a0030201 0202103b a11e6c78 8e4ae15c 7224a186 fee7d530
    0d06092a 864886f7 0d010105 05003081 ad310b30 09060355 04061302 55533115
    30130603 55040a13 0c746861 7774652c 20496e63 2e312830 26060355 040b131f
    43657274 69666963 6174696f 6e205365 72766963 65732044 69766973 696f6e31
    30302e06 0355040b 1327466f 72205465 73742050 7572706f 73657320 4f6e6c79
    2e20204e 6f206173 73757261 6e636573 2e312b30 29060355 04031322 74686177
    74652054 7269616c 20536563 75726520 53657276 65722052 6f6f7420 4341301e
    170d3130 30323034 30303030 30305a17 0d323030 32303332 33353935 395a3081
    a8310b30 09060355 04061302 55533115 30130603 55040a13 0c546861 7774652c
    20496e63 2e312830 26060355 040b131f 43657274 69666963 6174696f 6e205365
    72766963 65732044 69766973 696f6e31 30302e06 0355040b 1327466f 72205465
    73742050 7572706f 73657320 4f6e6c79 2e20204e 6f206173 73757261 6e636573
    2e312630 24060355 0403131d 54686177 74652054 7269616c 20536563 75726520
    53657276 65722043 41308201 22300d06 092a8648 86f70d01 01010500 0382010f
    00308201 0a028201 0100d6c5 9e2f092f bd878816 ec29d3c0 f84416e7 96787f08
    14cffe9f cef4cdbc 0e575dd8 650e2962 0c5062aa 8ac0c5c0 fba97c7e 4bf99fbc
    c802796e a1a6bf35 f31bf723 465c1194 f1cfc22c 339d065a c2d991a7 c23bb182
    c47680ad 8cbeaabd 3c5dd9d7 a4a41e98 5b0fa34b a09ffa3b 90ba24a7 9b060623
    525ba653 80c5f76c 0864414d 04eb0639 577521e5 3fc3327f 91063c8d 4e896b27
    4e3c89a2 7b63a57d 355b31d4 8a3fa181 d4e27eb3 c4e7e8ba cca1c51b da5c1879
    b9d5d481 0f4ec590 4e03f3dd d616b2c8 54b6e9d2 b4408884 f99571f3 00449e4b
    45f6f06b f3e7dc7f 584a78d2 5774f9cf 6054bb30 d2ab1247 aa327aa6 c6ad7617
    91aa5d1a 71c40f92 71530203 010001a3 81a83081 a5301206 03551d13 0101ff04
    08300601 01ff0201 00303f06 03551d1f 04383036 3034a032 a030862e 68747470
    3a2f2f63 726c2e74 68617774 652e636f 6d2f7468 61777465 54726961 6c53534c
    526f6f74 43412e63 726c300e 0603551d 0f0101ff 04040302 0106301d 0603551d
    0e041604 14296cb5 35fd03d6 48fb04ef 3a9fab15 4e0af44d 50301f06 03551d23
    04183016 80140542 688603e9 c965c127 b3d99bd4 0ff77ff5 0540300d 06092a86
    4886f70d 01010505 00038201 01004899 ebdd8fef 0b0f109a 2702b0fb 8ca30713
    db3acb51 515f3cc3 3fb6a119 9ece4202 5daea44f f2f603a3 fd4efed0 104375bd
    8df59bde f4d950c1 4ca732c7 ca2562fa 098ad394 ce90c2d7 0efb4f2d 6d5604ed
    15c591f7 438f42da 4f5e0454 aa1e6921 cbfee76b 2ec1327c 8585664a c2d47f3f
    6a1cb688 3a7d9456 c6e5c1c4 39ac8ead 8e88da2d 99766aa8 4ccde788 04fb25a8
    62acb5ed 8d3d1901 635c17aa 3e14a37e b8ac99d5 86a90453 4fc33a76 2d64c5bf
    adeced57 77ee3dda 89f60ccb 497afdd7 e25a6e86 5ee671d4 b13586dd c56a25e8
    f17fe81d a725472f 6f70d89f 9ccd17df 3bd4a7ac eeb68c2e 48d588ac d5b7c072
    323a4681 7c23b56f 9630dcee b5f3
  quit
 certificate 4089fc4cd7382be3bc9b55dbd52788c9
    308204fc 308203e4 a0030201 02021040 89fc4cd7 382be3bc 9b55dbd5 2788c930
    0d06092a 864886f7 0d010105 05003081 a8310b30 09060355 04061302 55533115
    30130603 55040a13 0c546861 7774652c 20496e63 2e312830 26060355 040b131f
    43657274 69666963 6174696f 6e205365 72766963 65732044 69766973 696f6e31
    30302e06 0355040b 1327466f 72205465 73742050 7572706f 73657320 4f6e6c79
    2e20204e 6f206173 73757261 6e636573 2e312630 24060355 0403131d 54686177
    74652054 7269616c 20536563 75726520 53657276 65722043 41301e17 0d313430
    38323630 30303030 305a170d 31343039 31363233 35393539 5a3081a1 310b3009
    06035504 06130249 4e310b30 09060355 04081302 4b41310c 300a0603 55040714
    03424c52 31183016 06035504 0a140f43 55434b4f 4f204e45 54574f52 4b53310e
    300c0603 55040b14 05434c4f 55443130 302e0603 55040b14 27466f72 20546573
    74205075 72706f73 6573204f 6e6c792e 20204e6f 20617373 7572616e 6365732e
    311b3019 06035504 03141263 75636b6f 6f6e6574 776f726b 732e636f 6d308201
    22300d06 092a8648 86f70d01 01010500 0382010f 00308201 0a028201 01009d6b
    e01453a2 fb630b3b a2cddc8f 16cb2d8b e76e4b06 4e338cde 63a027fa d987aa33
    577faa2c effe5b13 6b593bb3 0db30cb7 446cb071 0532c94a 61a69263 6e709301
    8d311713 90baba81 864302f0 352a14af 499464c5 e09ecbeb 1aa4b22e f897b89d
    5ded4d35 3ee35a63 0a3cbd69 c44b6c85 63c26ddd a85ada0a 350613bf 42af8262
    eb4c00fe 1f22117b d0929729 98adc21d 5275277c 2ad075fc c1526915 6aef641a
    eb3ddc45 46bd3f91 6f657fc8 1c9cacf2 a9afdd70 6edf9762 1a68256e f686c459
    055bcc31 be4b6a24 4ef5c519 e824be33 1b27f61d a5c4ba8a 024c9833 e2afcf8e
    c79ae8b1 c5a8d87c c4b17aa4 0aee17fb 3a619270 2fa14ad8 0c0f110e 576d0203
    010001a3 82012530 82012130 1d060355 1d110416 30148212 6375636b 6f6f6e65
    74776f72 6b732e63 6f6d300c 0603551d 130101ff 04023000 303b0603 551d1f04
    34303230 30a02ea0 2c862a68 7474703a 2f2f6372 6c2e7468 61777465 2e636f6d
    2f546861 77746554 7269616c 53534c43 412e6372 6c306506 03551d20 045e305c
    305a060a 60864801 86f84501 0715304c 30230608 2b060105 05070201 16176874
    7470733a 2f2f642e 73796d63 622e636f 6d2f6370 73302506 082b0601 05050702
    02301916 17687474 70733a2f 2f642e73 796d6362 2e636f6d 2f727061 301d0603
    551d2504 16301406 082b0601 05050703 0106082b 06010505 07030230 1f060355
    1d230418 30168014 296cb535 fd03d648 fb04ef3a 9fab154e 0af44d50 300e0603
    551d0f01 01ff0404 030205a0 300d0609 2a864886 f70d0101 05050003 82010100
    99889644 0f48f88f 7799d2a4 59c6418d c17d1fd1 acefce1b 022280f5 332eee63
    b3212e52 82311efc 8f580b42 64f05286 256d76ef 85c8a739 31a2acbd 52ee2bf5
    fd1713ec 8a7bd7a7 38b50847 ab5beb95 dda5502d a0826fde 66139bdf c019c3c6
    bdab3e9a 1e8d0ee1 146163cd 3e22b7ff 91afd9a8 5f1dec3d b65d312f 96a4923c
    786f0528 2eb2396b 11fa21e2 3794bc2a 1847d999 0d006184 fc394519 eb5dcec1
    d00890f6 7be2c1cc aa09827f 46e35d4d 75e6a710 1c4e7517 cf1acd62 7926ffb5
    8d3a7a0d 15ed1fea 05ecc573 b72fa09e 19217a85 aee0307c 87d48039 c2572092
    e3c6fa23 08a6b99e 5b6f50f2 f39e2540 daa87ccb 6858dea0 65a3a477 c25e5d2c
  quit

telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-d aes128-sha1 aes256-sha1 3des-sha1

### AnyConnect-specific configuration: client package, group policy and tunnel group ###
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy testssl internal
group-policy testssl attributes
 banner value Cuckoo Networks
 banner value *** Restricted Access only for Cuckoo Networks Authorized Employees ***
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
username test password P4ttSyrm33SV8TYp encrypted
username vpntest password mfoS1ZEaQcE7XU1D encrypted
tunnel-group testssl type remote-access
tunnel-group testssl general-attributes
 address-pool vpn
 default-group-policy testssl
tunnel-group testssl webvpn-attributes
 group-url https://cuckoonetworks.com enable
!

!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d1da224ef86e9226d98f1564f37975fa
: end
sslvpn-fw#
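Before a config like the one above is reused outside the lab, it is worth checking it for the lab-only settings it carries: telnet open to any source on the outside interface, an outside ACL that permits ip any any (the ASA does not apply interface ACLs to traffic terminated on the box itself, so the AnyConnect listener does not need it), and an SSL cipher list that still includes RC4 and 3DES. The Python script below is an added example written for this page, not part of the original post and not a Cisco tool; it parses an ASA running-config excerpt and flags those settings, plus the DES/MD5/group-2 IKEv1 settings used in the site-to-site labs further down this page. SAMPLE_CONFIG is copied from the configs on this page; HARDENED_CONFIG is my own illustrative replacement, not something the author configured.

```python
"""Lint an ASA running-config excerpt for lab-only settings.

Added example for this page, not part of the original lab or of any Cisco tool.
The checks are mine and cover only settings that appear in the configs on this
page. SAMPLE_CONFIG is copied from the running-configs above and below;
HARDENED_CONFIG is an illustrative replacement I wrote (an assumption of sane
values for an 8.4 box), not the author's configuration.
"""

SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
interface GigabitEthernet1
 nameif inside
 security-level 100
access-list sslvpn_inbound extended permit ip any any
access-list outbound extended permit ip any any
access-group sslvpn_inbound in interface outside
access-group outbound in interface inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
ssl encryption rc4-d aes128-sha1 aes256-sha1 3des-sha1
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

# Hardened excerpt (my assumption): management only over SSH from the inside LAN,
# no permit-any ACL on the outside interface (AnyConnect terminates on the ASA
# itself, and interface ACLs do not filter to-the-box traffic), AES-only SSL, and
# AES/SHA IKEv1 with DH group 5 (higher groups depend on the ASA release).
HARDENED_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
ssh 192.168.0.0 255.255.255.0 inside
ssl encryption aes256-sha1 aes128-sha1
crypto ipsec ikev1 transform-set CISCO esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_blocks(text):
    """Split an ASA config into (command, [sub-commands]); indented lines belong to the command above."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] == " " and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def untrusted_interfaces(blocks):
    """nameifs configured with security-level 0, i.e. the untrusted side."""
    names = set()
    for cmd, sub in blocks:
        if not cmd.startswith("interface "):
            continue
        nameif = next((s.split()[1] for s in sub if s.startswith("nameif ")), None)
        level = next((int(s.split()[1]) for s in sub if s.startswith("security-level ")), None)
        if nameif and level == 0:
            names.add(nameif)
    return names


def audit(config_text):
    """Return (check_id, detail) findings for settings that should not leave the lab."""
    blocks = parse_blocks(config_text)
    untrusted = untrusted_interfaces(blocks)
    permit_any_acls = set()
    for cmd, _ in blocks:
        w = cmd.split()
        if w[0] == "access-list" and w[3:] == ["permit", "ip", "any", "any"]:
            permit_any_acls.add(w[1])
    findings = []
    for cmd, sub in blocks:
        w = cmd.split()
        if w[0] == "telnet" and len(w) == 4 and w[1] == "0.0.0.0" and w[3] in untrusted:
            findings.append(("TELNET_UNTRUSTED", f"telnet open to any source on '{w[3]}'"))
        elif w[0] == "access-group" and len(w) == 5 and w[2] == "in" and w[4] in untrusted and w[1] in permit_any_acls:
            findings.append(("ACL_ANY_UNTRUSTED", f"'{w[1]}' permits ip any any inbound on '{w[4]}'"))
        elif w[:2] == ["ssl", "encryption"]:
            findings += [("WEAK_SSL_CIPHER", c) for c in w[2:] if c.startswith(("rc4", "des", "3des", "null"))]
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            findings += [("WEAK_ESP", f"{w[4]} uses {t}") for t in w[5:] if t in WEAK_ESP]
        elif w[:3] == ["crypto", "ikev1", "policy"]:
            for s in sub:
                key, _, val = s.partition(" ")
                if key == "encryption" and val in ("des", "3des"):
                    findings.append(("WEAK_IKE_ENC", f"policy {w[3]} encryption {val}"))
                elif key == "hash" and val == "md5":
                    findings.append(("WEAK_IKE_HASH", f"policy {w[3]} hash md5"))
                elif key == "group" and val in ("1", "2"):
                    findings.append(("WEAK_IKE_DH", f"policy {w[3]} DH group {val}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check:18} {detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against the output of "show running-config" saved to a file; the parser only relies on the ASA convention that sub-commands are indented by one space, so it works on any 8.x/9.x config dump, and the rule set is easy to extend with the next thing you do not want to see in production.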

Test from PC:

C:\Users\kn8773>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Reply from 10.0.0.1: bytes=32 time=1ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Reply from 10.0.0.1: bytes=32 time=1ms TTL=255

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\kn8773>

The ASA outside interface (10.0.0.1) is reachable from the PC.

Step 1: Access https://cuckoonetworks.com from your browser. In this lab the PC must resolve cuckoonetworks.com to 10.0.0.1 (for example through its hosts file), because the group-url is matched on that name.

Step 2: User authentication page

Step 3: After a successful login

Step 4: Choose AnyConnect from the portal and start the AnyConnect download. The client will be downloaded and installed on your PC.

Step 5: Connect with the VPN client

Step 6: Verify the VPN connection and working status

Windows IP Configuration


Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2357:28f0:64ec:dd25%74
   Link-local IPv6 Address . . . . . : fe80::f4ac:52b8:2d4:ec4e%74
   IPv4 Address. . . . . . . . . . . : 172.16.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : ::
                                       172.16.0.2

Ethernet adapter GNS3 Cloud Loopback Adapter:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2037:f0a7:3cc9:8795%62
   IPv4 Address. . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1

C:\Users\karthik>ping 192.168.0.10

Pinging 192.168.0.10 with 32 bytes of data:
Reply from 192.168.0.10: bytes=32 time=19ms TTL=255
Reply from 192.168.0.10: bytes=32 time=8ms TTL=255
Reply from 192.168.0.10: bytes=32 time=17ms TTL=255
Reply from 192.168.0.10: bytes=32 time=18ms TTL=255

Ping statistics for 192.168.0.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 19ms, Average = 15ms

C:\Users\karthik>telnet 192.168.0.10


User Access Verification

Username: test
Password:

R1>en
Password:
R1#

Verify from the VPN firewall:

sslvpn-fw# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      1 :          4 :           1 :        0
  SSL/TLS/DTLS               :      1 :          4 :           1 :        0
Clientless VPN               :      0 :          1 :           1
  Browser                    :      0 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      5
Device Total VPN Capacity    :      0
Device Load                  :     0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
Clientless                   :      0 :          1 :               1
AnyConnect-Parent            :      1 :          4 :               1
SSL-Tunnel                   :      1 :          3 :               1
---------------------------------------------------------------------------
Totals                       :      2 :          8
---------------------------------------------------------------------------

sslvpn-fw#

The capacity warning in this output is an artefact of the emulated platform, which reports a total VPN capacity of 0; on real hardware that figure comes from the installed license.

sslvpn-fw# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : test                   Index        : 5
Assigned IP  : 172.16.0.1             Public IP    : 10.0.0.10
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AES128                 Hashing      : none SHA1
Bytes Tx     : 10350                  Bytes Rx     : 10800
Group Policy : testssl                Tunnel Group : testssl
Login Time   : 12:35:37 UTC Thu Aug 28 2014
Duration     : 0h:00m:59s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

sslvpn-fw#

That's it!!!! The VPN connects from the client PC, the remote-site LAN is reachable from the VPN client machine, and we can ping and telnet to it. Keep in mind that several settings in this config are lab conveniences and should not leave the lab: telnet is allowed from any address on the outside interface, the outside ACL permits ip any any, and the SSL cipher list still includes RC4 and 3DES.

Cheers
Karthik

Wednesday, August 27, 2014

Site to Site VPN - Cisco ASA - Identical LAN Subnets at Both End Sites - Lab - GNS3

Hi Everyone,

In this post, I am going to do a small lab for a site-to-site VPN using Cisco ASA at both ends with identical LAN subnets.

Configuration Section:

FW-A-Site1
==============
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
 no shut
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shut
!
object network inlan
 subnet 10.0.0.0 255.255.255.0
object network natlan
 subnet 192.168.1.0 255.255.255.0
object network endsitelan
 subnet 192.168.2.0 255.255.255.0
!
access-list crypto_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
!
route outside 0 0 1.1.1.2
!
crypto ipsec ikev1 transform-set CISCO esp-3des esp-md5-hmac
crypto map outside_map 20 match address crypto_acl
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key test
!
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Router as Host at Site A - Config
================================
enable secret <password>
username <name> secret <password>
aaa new-model
!
int fas 0/0
ip add 10.0.0.10 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!

#############################################################################################################
FW-B-Site2
===========
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
 no shut
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shut
!
object network inlan
 subnet 10.0.0.0 255.255.255.0
object network natlan
 subnet 192.168.2.0 255.255.255.0
object network endsitelan
 subnet 192.168.1.0 255.255.255.0
!
access-list crypto_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
!
route outside 0 0 1.1.1.1
!
crypto ipsec ikev1 transform-set CISCO esp-3des esp-md5-hmac
crypto map outside_map 20 match address crypto_acl
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key test
!
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Router as Host at Site B - Config
================================
enable secret <password>
username <name> secret <password>
aaa new-model
!
int fas 0/0
ip add 10.0.0.10 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!

#####################################################################################################################

Testing the network:

site-a-host#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/44 ms
site-a-host#


site-b-host#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/44 ms
site-b-host#

vpnfw-site-a# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/20 ms
vpnfw-site-a# ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/66/110 ms
vpnfw-site-a#

s2s-fw-site-b# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
s2s-fw-site-b# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/64/170 ms
s2s-fw-site-b#


So everything looks okay: pings from each local host to its own firewall and between the two peers all succeed.


Establish the site-to-site VPN between the two sites:

Pinging the Site B host, 10.0.0.10 (seen from Site A as 192.168.2.10), from the Site A host, 10.0.0.10 (seen from Site B as 192.168.1.10):

site-a-host#ping 192.168.2.10 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 48/71/108 ms
site-a-host#

 vpnfw-site-a# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
vpnfw-site-a# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 1.1.1.1

      access-list crypto_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 1.1.1.2

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 1.1.1.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: A43BDEB5
      current inbound spi : 1C4D9E26

    inbound esp sas:
      spi: 0x1C4D9E26 (474848806)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28679)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0xA43BDEB5 (2755387061)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28679)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

vpnfw-site-a#
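The counters are the part of this output worth reading: 9 packets encapsulated and 9 decapsulated for 10 pings, the first ping having timed out while IKE brought the tunnel up. The Python below is an added example for this page (not from the original lab and not a Cisco tool) that parses one "show crypto ipsec sa" entry and reports whether the SA is up with the expected peer and proxy IDs and is moving traffic in both directions. SAMPLE_SHOW_SA is the Site A output above, trimmed to the lines the parser needs, used here as constructed input.

```python
"""Check that a site-to-site SA is actually carrying traffic from 'show crypto ipsec sa'.

Added example for this page, not part of the original lab and not a Cisco tool.
SAMPLE_SHOW_SA is the Site A output captured above, trimmed to the lines the
parser needs, used here as constructed input.
"""
import re

SAMPLE_SHOW_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 1.1.1.1

      access-list crypto_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 1.1.1.2

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 1.1.1.2/0
      current outbound spi: A43BDEB5
      current inbound spi : 1C4D9E26

    inbound esp sas:
      spi: 0x1C4D9E26 (474848806)
         transform: esp-3des esp-md5-hmac no compression
    outbound esp sas:
      spi: 0xA43BDEB5 (2755387061)
         transform: esp-3des esp-md5-hmac no compression
"""


def _first(pattern, text):
    """First capture group of the first match, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_ipsec_sa(text):
    """Extract peer, proxy IDs, SPIs, transforms and the #... counters from one SA entry."""
    counters = {name: int(val) for name, val in re.findall(r"#([A-Za-z][A-Za-z ]*?):\s*(\d+)", text)}
    return {
        "peer": _first(r"current_peer:\s*(\S+)", text),
        "local_ident": _first(r"local ident.*?:\s*\(([^/]+/[^/]+)/", text),
        "remote_ident": _first(r"remote ident.*?:\s*\(([^/]+/[^/]+)/", text),
        "outbound_spi": _first(r"current outbound spi:\s*([0-9A-Fa-f]+)", text),
        "inbound_spi": _first(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", text),
        "transforms": sorted(set(re.findall(r"transform:\s*(esp-\S+ esp-\S+)", text))),
        "counters": counters,
    }


def tunnel_health(sa, expected_peer, expected_remote_ident):
    """Return the list of problems found; an empty list means the SA is up with the
    right peer and proxy IDs and has moved packets in both directions."""
    c, problems = sa["counters"], []
    if sa["peer"] != expected_peer:
        problems.append(f"peer is {sa['peer']}, expected {expected_peer}")
    if sa["remote_ident"] != expected_remote_ident:
        problems.append(f"remote proxy ID is {sa['remote_ident']}, expected {expected_remote_ident}")
    if not (sa["inbound_spi"] and sa["outbound_spi"]):
        problems.append("no ESP SAs negotiated")
    if c.get("pkts encaps", 0) == 0:
        problems.append("nothing encapsulated: local traffic is not matching the crypto ACL")
    if c.get("pkts decaps", 0) == 0:
        problems.append("nothing decapsulated: the peer is not sending into this SA")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        problems.append(f"send/recv errors: {c.get('send errors', 0)}/{c.get('recv errors', 0)}")
    return problems


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SHOW_SA)
    print(sa)
    print("problems:", tunnel_health(sa, "1.1.1.2", "192.168.2.0/255.255.255.0"))
```

Feed it one SA entry at a time (split the full output on "Crypto map tag:" if a box has several). An SA with encaps climbing but decaps stuck at zero is the classic one-way-tunnel symptom, usually a proxy-ID or NAT mismatch on the far side, and this check surfaces it without reading the counters by eye.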

Output from the other site's firewall:

s2s-fw-site-b# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
s2s-fw-site-b#

s2s-fw-site-b# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 1.1.1.2

      access-list crypto_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 9F06A7D4
      current inbound spi : 6FB62F56

    inbound esp sas:
      spi: 0x6FB62F56 (1874210646)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373998/28725)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00007FFF
    outbound esp sas:
      spi: 0x9F06A7D4 (2668013524)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373998/28725)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Explanation:

When both sites use the identical local LAN subnet, you cannot build the encryption domain in the usual way: a crypto ACL from 10.0.0.0/24 to 10.0.0.0/24 is meaningless, and a host would treat the remote 10.0.0.x addresses as being on its own LAN and never send them to the firewall. The fix is to NAT each site to a unique subnet for the tunnel. Here Site A is presented as 192.168.1.0/24 and Site B as 192.168.2.0/24, using the twice-NAT rule (nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan), and the crypto ACLs match on those translated subnets, so hosts at Site A reach Site B hosts as 192.168.2.x and Site B hosts reach Site A as 192.168.1.x. Make sure you NAT at both ends; translating only one side does not give the desired result, because the hosts on the untranslated side still have no address that distinguishes them from the local LAN.
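To make this concrete, here is a small Python model of the packet walk, added for this page and not part of the original lab. It reproduces the effect of the twice-NAT rule and the crypto ACLs above with the lab's own addresses, then runs three cases: NAT at both ends (the working lab), NAT at Site A only, and NAT at Site A only with the host forced to use the 192.168.2.x address anyway. Host behaviour (ARP for on-link destinations, default gateway for everything else) is modelled as a simple subnet check; the Site and round_trip names are mine.

```python
"""Packet walk for a site-to-site tunnel between two LANs that use the same subnet.

Added example for this page, not part of the original lab. It reproduces in
plain Python what the ASA twice-NAT rule
  nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan
and the crypto ACLs above do, so the flow can be followed end to end and the
"NAT at both ends" requirement can be demonstrated. Addresses are the lab's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def translate(addr, from_net, to_net):
    """Static one-to-one subnet translation: keep the host part, swap the network."""
    offset = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + offset)


@dataclass(frozen=True)
class Site:
    name: str
    real_lan: IPv4Network    # what the hosts really use ('inlan')
    nat_lan: IPv4Network     # how this LAN is presented across the tunnel ('natlan')
    remote_lan: IPv4Network  # the far side's presented subnet ('endsitelan')

    def outbound(self, src, dst):
        """inside -> outside: apply the twice-NAT rule, then evaluate crypto_acl."""
        if src in self.real_lan and dst in self.remote_lan:
            src = translate(src, self.real_lan, self.nat_lan)
        encrypt = src in self.nat_lan and dst in self.remote_lan   # crypto_acl match
        return src, dst, encrypt

    def inbound(self, src, dst):
        """tunnel -> inside: proxy-ID check, then un-NAT the destination."""
        if not (src in self.remote_lan and dst in self.nat_lan):
            return None                      # no IPsec SA covers this: dropped
        return src, translate(dst, self.nat_lan, self.real_lan)


def host_next_hop(host_lan, dst):
    """A host ARPs for on-link destinations and only hands off-link traffic to its gateway."""
    return "on-link" if dst in host_lan else "gateway"


def round_trip(a, b, src_host, dst_addr):
    """Walk a packet from a host behind site `a` to `dst_addr` behind site `b` and back.
    Returns what each end sees, or None at the first point where the flow breaks."""
    if host_next_hop(a.real_lan, dst_addr) != "gateway":
        return None                          # never reaches the firewall
    s1, d1, enc = a.outbound(src_host, dst_addr)
    if not enc:
        return None                          # would leave in the clear or be dropped
    delivered = b.inbound(s1, d1)
    if delivered is None:
        return None
    src_seen_by_b, real_dst = delivered
    s2, d2, enc = b.outbound(real_dst, src_seen_by_b)   # the reply
    back = a.inbound(s2, d2) if enc else None
    if back is None:
        return None
    return {"b_host_sees_src": str(src_seen_by_b),
            "b_real_dst": str(real_dst),
            "reply_arrives_at": str(back[1])}


LAN = IPv4Network("10.0.0.0/24")                    # identical at both sites
SITE_A = Site("A", LAN, IPv4Network("192.168.1.0/24"), IPv4Network("192.168.2.0/24"))
SITE_B = Site("B", LAN, IPv4Network("192.168.2.0/24"), IPv4Network("192.168.1.0/24"))
# Site B without its own NAT: it presents its real 10.0.0.0/24 across the tunnel.
SITE_B_NO_NAT = Site("B", LAN, LAN, IPv4Network("192.168.1.0/24"))


def both_ends_natted():
    """Lab case: Site A host 10.0.0.10 pings the Site B host as 192.168.2.10."""
    return round_trip(SITE_A, SITE_B, IPv4Address("10.0.0.10"), IPv4Address("192.168.2.10"))


def nat_at_a_only():
    """Only A translates: the only address B's host has is 10.0.0.10, which A's host
    treats as on-link, so the packet never reaches the firewall."""
    return round_trip(SITE_A, SITE_B_NO_NAT, IPv4Address("10.0.0.10"), IPv4Address("10.0.0.10"))


def nat_at_a_only_wrong_target():
    """Only A translates, but A's host is told to use 192.168.2.10 anyway: A encrypts,
    B has no proxy ID covering that destination and drops it."""
    return round_trip(SITE_A, SITE_B_NO_NAT, IPv4Address("10.0.0.10"), IPv4Address("192.168.2.10"))


if __name__ == "__main__":
    print("NAT at both ends            :", both_ends_natted())
    print("NAT at A only               :", nat_at_a_only())
    print("NAT at A only, forced target:", nat_at_a_only_wrong_target())
```

The working case returns the same picture as the ping test above: Site B's host sees the request from 192.168.1.10, the ASA un-NATs the destination to the real 10.0.0.10, and the reply lands back on 10.0.0.10 at Site A. Both one-sided cases return None, one because the host never sends to its gateway and the other because the far-side ASA has no SA whose proxy IDs match.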

Please post your queries if any.

Please do comment if you like this post!!!

Cheers
Karthik
Cuckoo Networks

Thursday, July 24, 2014

Dual Site to Site VPN at Both Ends - Cisco ASA
====================================

Here we are going to see how to configure a dual site-to-site IPsec VPN using Cisco ASA with two WAN links at both sites. The crypto map lists two peers and is applied to both outside interfaces, and each ASA has a default route via ISP1 with metric 1 and a floating default route via ISP2 with metric 254. Under normal conditions the primary tunnel over ISP1 is up and carries the traffic; if the ISP1 link goes down, the metric-254 route takes over and the secondary tunnel to the second peer comes up and carries the traffic. Note that the floating route only becomes active when the outside interface itself goes down; an upstream failure that leaves the interface up would need route tracking (sla monitor with a track object) to trigger the failover.

  • A router (Router-SW) is used as the end-client PC here to generate and check traffic between the two sites.
  • The ASA firewalls are the VPN boxes terminating the L2L/S2S tunnels.
  • ISP1 and ISP2 are the primary and backup ISPs.

Fig 1.0 - Design Dual VPN

Site A Router
==========
interface FastEthernet0/0
 description *** Unused for Layer2 SW ***
 ip address 192.168.1.10 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!

It only has the basic configuration needed to be reachable and to route traffic towards the firewall.

Site A FW:
=========
ASA1# sh runn
: Saved
:
ASA Version 8.4(2)
!
hostname ASA1
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif outside2
 security-level 0
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list new extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list new extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list test extended permit icmp any any echo-reply
access-list test extended permit icmp any any unreachable
access-list test extended permit icmp any any time-exceeded
access-list outbound extended permit ip any any
pager lines 24
logging enable
logging buffered notifications
mtu outside 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.2 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 172.16.1.2 172.16.2.2
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside2
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:277baec4046859ee4b5bdc2ee0dbe7d3
: end
ASA1#


Site B Router:
===========

interface FastEthernet0/0
 description *** Unused for Layer2 SW ***
 ip address 192.168.2.10 255.255.255.0
 duplex auto
 speed auto
!

ip route 0.0.0.0 0.0.0.0 192.168.2.1
!

Site B FW
========
ASA2# sh runn
: Saved
:
ASA Version 8.4(2)
!
hostname ASA2
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet2
 nameif outside2
 security-level 0
 ip address 172.16.2.2 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_192.168.2.0
 subnet 192.168.2.0 255.255.255.0
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list new extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outbound extended permit ip any any
pager lines 24
logging enable
logging buffered notifications
mtu outside 1500
mtu inside 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 172.16.1.1 172.16.2.1
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ipsec-pass-thru
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:846f7f2f8c1b7f38b8b05f9e98d10030
: end
ASA2#
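Both firewalls negotiate with `esp-des esp-md5-hmac` and IKEv1 policies of DES / MD5 / DH group 2, which is fine for a GNS3 lab but should not be carried into production. The script below is an added example, not part of the original post, that scans an ASA running-config excerpt for those weak IKEv1/IPsec settings and prints a suggested replacement for each. The sample input is a constructed excerpt of the ASA2 config above; the replacements it suggests (AES-256, SHA, DH group 14) are this editor's assumption and must be checked against what your ASA release actually accepts.

```python
import re

# Constructed sample: the crypto section of the ASA2 running config shown above.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 172.16.1.1 172.16.2.1
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

# Weak IKEv1 policy settings and the replacement suggested for each. The
# replacements are an assumption for this example: confirm your ASA release
# accepts them (e.g. "group 14") before pasting them into a policy.
WEAK_IKE_SETTINGS = {
    "encryption des": "encryption aes-256",
    "encryption 3des": "encryption aes-256",
    "hash md5": "hash sha",
    "group 1": "group 14",
    "group 2": "group 14",
    "group 5": "group 14",
}

# Weak ESP transforms and their suggested replacement (same caveat as above).
WEAK_ESP_TRANSFORMS = {
    "esp-des": "esp-aes-256",
    "esp-3des": "esp-aes-256",
    "esp-md5-hmac": "esp-sha-hmac",
    "esp-null": "esp-aes-256",
}

POLICY_RE = re.compile(r"crypto ikev1 policy (\d+)$")
TRANSFORM_RE = re.compile(r"crypto ipsec ikev1 transform-set (\S+) (.+)$")


def audit_ike_config(config):
    """Scan an ASA running-config excerpt for weak IKEv1/IPsec algorithms.

    Returns a list of (scope, weak_setting, suggested_replacement) tuples,
    where scope names the policy or transform-set the setting belongs to.
    """
    findings = []
    policy = None  # name of the "crypto ikev1 policy" block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            # Top-level command: leaves any policy sub-mode we were in.
            policy = None
            m = POLICY_RE.match(line)
            if m:
                policy = "ikev1 policy " + m.group(1)
                continue
            m = TRANSFORM_RE.match(line)
            if m:
                scope = "transform-set " + m.group(1)
                for transform in m.group(2).split():
                    if transform in WEAK_ESP_TRANSFORMS:
                        findings.append((scope, transform, WEAK_ESP_TRANSFORMS[transform]))
            continue
        # Indented line, i.e. a setting inside the current policy block.
        if policy is not None and line in WEAK_IKE_SETTINGS:
            findings.append((policy, line, WEAK_IKE_SETTINGS[line]))
    return findings


if __name__ == "__main__":
    for scope, weak, better in audit_ike_config(SAMPLE_CONFIG):
        print(f"{scope}: '{weak}' is weak, use '{better}'")
```

Run the same check against ASA1's config before the tunnel goes into service; note that policy 65535 is a second, lower-priority policy with the same DES/MD5 settings, so fixing policy 20 alone still leaves a weak proposal the peer can land on.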

IP SLA Configurations:
=================
ASA1# sh runn sla monitor
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.2 interface outside
 timeout 3
 frequency 5
sla monitor schedule 10 life forever start-time now
ASA1# sh runn route
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.2 254
ASA1# sh runn track 1
track 1 rtr 10 reachability
ASA1#

##################################################################
ASA2# sh run sla monitor
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.1 interface outside
 timeout 3
 frequency 5
sla monitor schedule 10 life forever start-time now
ASA2# sh runn route
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 172.16.2.1 254
ASA2# sh runn track 1
track 1 rtr 10 reachability
ASA2#
##################################################################

Testing Results:
**************

In normal operation, LAN-initiated traffic goes through Tunnel 1 over ISP1: the tracked default route via 172.16.1.2 (metric 1) is preferred over the outside2 route (metric 254), so IKE is negotiated with the primary peer.

ASA1# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.2  ==> Primary Peer Phase 1 Up
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA1#
=========================================================================
ASA2# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.1 ==> Primary Peer Phase 1 Up
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA2#

R1-SW#ping 192.168.2.10 repeat 25

Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (25/25), round-trip min/avg/max = 48/80/240 ms
R1-SW#
========================================================================
R2-SW#ping 192.168.1.10 repeat 25

Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (25/25), round-trip min/avg/max = 40/72/140 ms
R2-SW#
======================================================================
ASA1# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.1

      access-list new extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
      #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 58, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.16.1.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6B27F453
      current inbound spi : 5127FCF8

    inbound esp sas:
      spi: 0x5127FCF8 (1361575160)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914994/28479)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x07FFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6B27F453 (1797780563)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914994/28479)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA1#
=========================================================================
ASA2# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.2

      access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 172.16.1.1

      #pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
      #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 58, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2/0, remote crypto endpt.: 172.16.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5127FCF8
      current inbound spi : 6B27F453

    inbound esp sas:
      spi: 0x6B27F453 (1797780563)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373994/28454)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x07FFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5127FCF8 (1361575160)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373994/28454)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA2#

##################################################################################

Result when ISP1 fails @ Site A:
=========================

R1-SW#ping 192.168.2.10 repeat 25

Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
..................!!!!!!!
Success rate is 28 percent (7/25), round-trip min/avg/max = 48/74/96 ms
R1-SW#

ASA1# debug crypto ikev1 7
ASA1# Jul 24 13:05:44 [IKEv1]IP = 172.16.1.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:05:52 [IKEv1]IP = 172.16.1.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:06:00 [IKEv1 DEBUG]IP = 172.16.1.2, IKE MM Initiator FSM error history (struct &0xbc43c200)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 24 13:06:00 [IKEv1 DEBUG]IP = 172.16.1.2, IKE SA MM:20617c56 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 24 13:06:00 [IKEv1 DEBUG]IP = 172.16.1.2, sending delete/delete with reason message
Jul 24 13:06:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.16.2.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (outside_map)
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing ISAKMP SA payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Traversal VID ver 02 payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Traversal VID ver 03 payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Traversal VID ver RFC payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing Fragmentation VID + extended capabilities payload
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, processing SA payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Oakley proposal is acceptable
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Received NAT-Traversal ver 02 VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Received Fragmentation VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing ke payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing nonce payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing Cisco Unity VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing xauth V6 VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Send IOS VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing VID payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Discovery payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, constructing NAT-Discovery payload
Jul 24 13:06:02 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:02 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing ke payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing ISA_KE payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing nonce payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Received Cisco Unity client VID
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Received xauth V6 VID
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing NAT-Discovery payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, processing NAT-Discovery payload
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, computing NAT Discovery hash
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Generating keys for Initiator...
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing dpd vid payload
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Computing hash for ISAKMP
Jul 24 13:06:03 [IKEv1 DEBUG]IP = 172.16.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing VID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received DPD VID
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Connection landed on tunnel_group 172.16.2.2
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Oakley begin quick mode
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 1 COMPLETED
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, Keep-alive type for this connection: DPD
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Starting P1 rekey timer: 73440 seconds.
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, IKE got SPI from key engine: SPI = 0xb383b691
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, oakley constucting quick mode
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing blank hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing IPSec SA payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing IPSec nonce payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing proxy ID
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Transmitting Proxy Id:
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing qm hash payload
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=5fc17fe) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=5fc17fe) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing SA payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing nonce payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing ID payload
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, loading all IPSEC SAs
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Generating Quick Mode Key!
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=bc159bb8
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Generating Quick Mode Key!
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=bc159bb8
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, Security negotiation complete for LAN-to-LAN Group (172.16.2.2)  Initiator, Inbound SPI = 0xb383b691, Outbound SPI = 0x13d5e43f
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, oakley constructing final quick mode
Jul 24 13:06:03 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=5fc17fe) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, IKE got a KEY_ADD msg for SA: SPI = 0x13d5e43f
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Pitcher: received KEY_UPDATE, spi 0xb383b691
Jul 24 13:06:03 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Starting P2 rekey timer: 24480 seconds.
Jul 24 13:06:03 [IKEv1]Group = 172.16.2.2, IP = 172.16.2.2, PHASE 2 COMPLETED (msgid=05fc17fe)
Jul 24 13:06:22 [IKEv1]IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=f63b396) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing hash payload
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, processing notify payload
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0x505739f5)
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x505739f5)
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing blank hash payload
Jul 24 13:06:22 [IKEv1 DEBUG]Group = 172.16.2.2, IP = 172.16.2.2, constructing qm hash payload
Jul 24 13:06:22 [IKEv1]IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=4270e0c1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
=========================================================================
ASA1# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.2.2 ==> Secondary Peer Phase 1 Up
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA1#

The tunnel is now up through the second ISP link, with 172.16.2.2 as the peer. The 18 lost echoes in the ping above are the failover window: the SLA probe has to fail and bring track 1 down, and IKE has to exhaust its retransmissions to 172.16.1.2 (the MM_WAIT_MSG2 FSM error at 13:06:00) before a new Phase 1 is started with 172.16.2.2 at 13:06:02.

Scenario where ISP1 comes back:
=========================

The SA with the secondary peer 172.16.2.2 is torn down once its IKE retransmissions fail, and a new Phase 1 and Phase 2 are negotiated with the primary peer 172.16.1.2:

ASA1(config-if)# Jul 24 13:10:01 [IKEv1 DEBUG]IP = 172.16.2.2, IKE MM Initiator FSM error history (struct &0xbc4ae930)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 24 13:10:01 [IKEv1 DEBUG]IP = 172.16.2.2, IKE SA MM:0e40d19b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 24 13:10:01 [IKEv1 DEBUG]IP = 172.16.2.2, sending delete/delete with reason message

Jul 24 13:10:03 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.16.1.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (outside_map)
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing ISAKMP SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Traversal VID ver 02 payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Traversal VID ver 03 payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Traversal VID ver RFC payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing Fragmentation VID + extended capabilities payload
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Oakley proposal is acceptable
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received NAT-Traversal ver 02 VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received Fragmentation VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing ke payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing Cisco Unity VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing xauth V6 VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Send IOS VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, constructing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing ke payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing ISA_KE payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received Cisco Unity client VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received xauth V6 VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, processing NAT-Discovery payload
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, computing NAT Discovery hash
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, Connection landed on tunnel_group 172.16.1.2
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Generating keys for Initiator...
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Computing hash for ISAKMP
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing dpd vid payload
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Computing hash for ISAKMP
Jul 24 13:10:03 [IKEv1 DEBUG]IP = 172.16.1.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing VID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Received DPD VID
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, Connection landed on tunnel_group 172.16.1.2
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Oakley begin quick mode
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, PHASE 1 COMPLETED
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, Keep-alive type for this connection: DPD
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Starting P1 rekey timer: 73440 seconds.
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, IKE got SPI from key engine: SPI = 0x036b3e9a
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, oakley constucting quick mode
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing blank hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing IPSec SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing IPSec nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing proxy ID
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Transmitting Proxy Id:
  Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, constructing qm hash payload
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=4ae1a6e7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE RECEIVED Message (msgid=4ae1a6e7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing hash payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing SA payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing nonce payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, processing ID payload
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, loading all IPSEC SAs
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Generating Quick Mode Key!
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=b636eef8
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Generating Quick Mode Key!
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, NP encrypt rule look up for crypto map outside_map 20 matching ACL new: returned cs_id=b636e600; rule=b636eef8
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, Security negotiation complete for LAN-to-LAN Group (172.16.1.2)  Initiator, Inbound SPI = 0x036b3e9a, Outbound SPI = 0x1a99532d
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, oakley constructing final quick mode
Jul 24 13:10:03 [IKEv1]IP = 172.16.1.2, IKE_DECODE SENDING Message (msgid=4ae1a6e7) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, IKE got a KEY_ADD msg for SA: SPI = 0x1a99532d
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Pitcher: received KEY_UPDATE, spi 0x36b3e9a
Jul 24 13:10:03 [IKEv1 DEBUG]Group = 172.16.1.2, IP = 172.16.1.2, Starting P2 rekey timer: 24480 seconds.
Jul 24 13:10:03 [IKEv1]Group = 172.16.1.2, IP = 172.16.1.2, PHASE 2 COMPLETED (msgid=4ae1a6e7)

ASA1# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.2  ==> Primary Peer Back - Phase 1 Up
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA1#
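In production, the thing to alert on is which peer the tunnel is currently up with, and the `show isakmp sa` outputs above are where that is visible. The script below is an added example, not from the original post, that parses that output and reports whether the L2L SA is established with the primary peer, the secondary peer, or not at all (a half-open negotiation such as MM_WAIT_MSG2 counts as down). The peer order is assumed from the test outputs above (172.16.1.2 primary, 172.16.2.2 secondary), and the sample outputs are constructed to mirror the page's format rather than captured from a device.

```python
import re

# Peer order on ASA1, assumed from the outputs above: 172.16.1.2 (ISP1) is
# tried first and 172.16.2.2 (ISP2) only when the first does not answer.
ASA1_PEERS = ["172.16.1.2", "172.16.2.2"]

# One IKE SA entry as printed by "show isakmp sa" on ASA 8.4; trailing text
# after the peer address (such as the annotations in the post) is ignored.
SA_ENTRY = re.compile(
    r"IKE Peer:\s*(?P<peer>\d+(?:\.\d+){3})[^\n]*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)"
)


def parse_isakmp_sas(output):
    """Return one dict (peer, type, role, rekey, state) per IKE SA entry."""
    return [m.groupdict() for m in SA_ENTRY.finditer(output)]


def failover_status(output, peers):
    """Classify the site-to-site tunnel from "show isakmp sa" output.

    Returns (path, peer): "primary" when the established L2L SA is with
    peers[0], "secondary" when it is with a later peer in the list, and
    "down" when no L2L SA has reached MM_ACTIVE.
    """
    for sa in parse_isakmp_sas(output):
        if sa["type"] != "L2L" or sa["state"] != "MM_ACTIVE":
            continue  # skip remote-access SAs and unfinished negotiations
        if sa["peer"] in peers:
            path = "primary" if sa["peer"] == peers[0] else "secondary"
            return path, sa["peer"]
    return "down", None


def sa_block(peer, role="initiator", state="MM_ACTIVE"):
    """Construct a sample "show isakmp sa" output in the page's format."""
    return (
        "IKEv1 SAs:\n\n"
        "   Active SA: 1\n"
        "    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)\n"
        "Total IKE SA: 1\n\n"
        f"1   IKE Peer: {peer}\n"
        f"    Type    : L2L             Role    : {role}\n"
        f"    Rekey   : no              State   : {state}\n\n"
        "There are no IKEv2 SAs\n"
    )


# Constructed samples: normal operation, after the ISP1 failure, no tunnel.
SAMPLE_PRIMARY = sa_block("172.16.1.2")
SAMPLE_SECONDARY = sa_block("172.16.2.2")
SAMPLE_DOWN = "There are no IKEv1 SAs\n\nThere are no IKEv2 SAs\n"

if __name__ == "__main__":
    for name, out in (("normal", SAMPLE_PRIMARY),
                      ("ISP1 down", SAMPLE_SECONDARY),
                      ("no tunnel", SAMPLE_DOWN)):
        print(f"{name}: {failover_status(out, ASA1_PEERS)}")
```

Poll this over SSH on a schedule and raise an alert whenever the path is anything but "primary"; the site is still reachable on "secondary", but it is running without redundancy and the ISP1 fault needs chasing.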


Hope this gives you a better idea. Please post your queries, if any, on this.
However, there is latency during failures; I will try to tweak the setup to avoid that latency and make it better. I will post an update if I find anything.
Thanks Techies....