IPsec Site-to-Site Tunnel drops every 1 hour

Oct 1st, 2007

hi guys,

I need help with my ASA 5510, which establishes a site-to-site VPN tunnel to a Multitech firewall.

The tunnel normally drops after an hour of connectivity and reconnects automatically. The problem is that I have a telnet application that connects to the other end of the tunnel, and it also ends up getting disconnected. If I run a continuous ping to a remote host on the other side of the VPN tunnel, I also get one "request timeout" when the tunnel drops.

Below is my VPN config:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
crypto map outside_ISP_map 1 match address outside_ISP_1_cryptomap
crypto map outside_ISP_map 1 set peer 207.224.XXX.XXX
crypto map outside_ISP_map 1 set transform-set ESP-3DES-MD5
crypto map outside_ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO
crypto map outside_ISP_map interface outside_ISP
crypto isakmp identity address
crypto isakmp enable outside_ISP
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

Also attached is a screenshot of the Real-Time Log Viewer.

brianbono Mon, 10/01/2007 - 21:08

additional info:

asa001# sh isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 207.224.xxx.xxx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 82985

asa001# sh isakmp stats

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 668
In Octets: 919211
In Packets: 7753
In Drop Packets: 2241
In Notifys: 1342
In P2 Exchanges: 830
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 37
Out Octets: 764348
Out Packets: 6411
Out Drop Packets: 21
Out Notifys: 1584
Out P2 Exchanges: 452
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 1156
Initiator Tunnels: 351
Initiator Fails: 9
Responder Fails: 4
System Capacity Fails: 0
Auth Fails: 2
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0


russ Tue, 10/02/2007 - 06:20

It seems like the remote peer has negotiated a phase 2 lifetime of 1 hour (3600 seconds). The default for the ASA is 8 hours (28,800 seconds), and 1 hour (3,600 seconds) for a Cisco router. Both peers will negotiate the lowest lifetime value.

You'll need to reconfigure the remote peer's phase 2 lifetime to match the ASA value of 8 hours, or increase both peers' lifetimes, if you wish the tunnel to stay up longer.

"sh crypto ipsec sa" will display the phase 2 remaining sa lifetime.
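The check and the alignment russ describes, written out as ASA and Cisco IOS CLI. This is an added illustration, not configuration from the thread: the crypto map name and peer address are the ones in the posted config, the `sa timing` line is constructed sample output, the IOS commands stand in for the remote Multitech unit (whose syntax the page does not show), and 28800 is the ASA default russ cites.

```cisco
! ASA: show the negotiated phase 2 SA for this peer and how much lifetime is left.
! The peer proposing the smaller value wins, so if the remaining seconds never
! start above roughly 3600 after a rekey, the remote side is imposing 1 hour.
asa001# show crypto ipsec sa peer 207.224.xxx.xxx | include lifetime
      sa timing: remaining key lifetime (kB/sec): (4607999/3412)   ! constructed sample

! ASA: phase 2 lifetime can be set globally (28800 s is the platform default) ...
asa001(config)# crypto ipsec security-association lifetime seconds 28800
! ... or pinned to this crypto map entry alone.
asa001(config)# crypto map outside_ISP_map 1 set security-association lifetime seconds 28800

! Cisco IOS peer (illustrative stand-in for the remote firewall): raise the
! router default of 3600 s so both ends propose the same value.
router(config)# crypto ipsec security-association lifetime seconds 28800
```

Note that a normal phase 2 rekey installs the replacement SA before the old one is deleted, so on its own it does not usually break an established telnet session; a session that dies on the hour is more consistent with the whole tunnel being torn down and rebuilt, which `show vpn-sessiondb l2l` will show as the Duration resetting.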

russ Tue, 10/02/2007 - 06:33

Are you referring to the phase 1 lifetime or phase 2 lifetime value?

brianbono Tue, 10/02/2007 - 14:49

Does the global timeout I have set on connections to 1 hr have anything to do with the tunnel drops?

"timeout conn 1:00:00"

DIEGO ALONSO Wed, 10/03/2007 - 10:02

I am also having a similar experience between a PIX and an EdgeWater IAD router. The tunnel drops every day or two and takes 5-10 minutes to come back up. I don't have control over the EdgeWater device but would like to set up some kind of logging on my side to see if I can figure out what is going on. I tried "logging buffered debug" but that gives WAY too much info. Is there a way that I can have the output of a "debug cry" type command go to a buffer to review once a day or so?



brianbono Wed, 10/03/2007 - 15:23

hi guys,

I was able to solve this problem yesterday. All I did was go to the remote VPN tab instead of the site-to-site VPN tab of my ASA to configure the Maximum Connect value under the default group policy. The reason for this was that my site-to-site tunnel inherited that policy, which says the tunnel can only be up for 1 hr and must reconnect in order to keep the tunnel. I have now changed the setting to unlimited and finally my VPN is working fine.
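The fix described in this last post, written out as ASA CLI. This is an added example and not the poster's own configuration: it assumes the tunnel-group is named after the peer address in the posted crypto map and that no dedicated group policy existed for it; the policy name L2L_MULTITECH is made up for illustration. Option A is the change the poster made through ASDM; Option B gives the site-to-site tunnel its own policy so it stops inheriting remote-access timeouts.

```cisco
! Check what the L2L tunnel currently inherits. "show run all" is needed
! because values left at their default are hidden from plain "show run".
asa001# show run all group-policy DfltGrpPolicy | include timeout

! Option A: lift the limit on the default policy (Maximum Connect Time in ASDM).
asa001(config)# group-policy DfltGrpPolicy attributes
asa001(config-group-policy)# vpn-session-timeout none

! Option B (preferred): a dedicated policy for the site-to-site peer, so
! remote-access session and idle limits can later be tightened without
! tearing down the L2L tunnel.
asa001(config)# group-policy L2L_MULTITECH internal
asa001(config)# group-policy L2L_MULTITECH attributes
asa001(config-group-policy)# vpn-session-timeout none
asa001(config-group-policy)# vpn-idle-timeout none
asa001(config)# tunnel-group 207.224.XXX.XXX general-attributes
asa001(config-tunnel-general)# default-group-policy L2L_MULTITECH

! Verify: Duration should now keep growing past one hour instead of resetting.
asa001# show vpn-sessiondb l2l
```

The session timeout is enforced on the tunnel as a whole, which is why it took the telnet session down with it; it is unrelated to the `timeout conn 1:00:00` line in the posted config, which governs idle TCP connections through the firewall rather than the VPN session.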



