EasyVPN tunnel not recovering.

Unanswered Question
Mar 4th, 2009

Hi,


I've got the following scenario:


[HQ_ASA5510_7.2(4)]
          |
          |
          |
[(DynIP)ADSL_Router with NAT]
          |
          |
[(PrivIP)BRANCH_ASA5505_7.2(4)_EZvpn]



All the configuration was done via ASDM. The branch ASA is configured as an EasyVPN hardware client. The VPN connection can be established without a problem.


The problem occurs when the ADSL line at the branch site disconnects once every 24 hours and gets a new public IP. Note: the branch ASA is behind an ADSL Router (which is not under our control). After the disconnect the VPN tunnel does not seem to pass traffic. According to both ASAs the tunnel is up, and does not get torn down by the ADSL disconnect.


As a workaround I have set the SA lifetime value from the default 8 hours to 10 minutes. After the ADSL line disconnects, and the Lifetime expires, the key is recalculated and the tunnel passes traffic again... meaning that the disconnect will last 10 min in the worst case.


We will have 10 more branch offices soon. Will this short SA lifetime have a negative effect on the HQ_ASA5510? We have 3 branch offices running with an SA lifetime of 10 min, but the CPU load on the HQ_ASA is hardly noticeable at the moment.


I would like to find a more elegant solution, since a 10 min disconnect is still unacceptable (Client working on Terminal Server in HQ). An expert told me that this issue was resolved in ASA 8.0(4), but I had the same problem running the same setup in a test lab on ASA 8.0(4). Also I've had some problems with the 8.0(4) version and QoS, so I want to avoid upgrading. Maybe I am missing something?


Any advice would be appreciated!


Ingo

Ivan Martinon (Cisco Employee) Wed, 03/04/2009 - 07:16

Do you have keepalives enabled on both sides? Since the IP address of the "peer" changes (ADSL that NATs), the VPN server should not be able to reach the old IP with DPD, hence causing the tunnel to renegotiate. On the VPN Client this might not apply though, but the headquarter renegotiating should make the client do that too.

ivarnhagen Mon, 03/09/2009 - 03:58

Thank you very much for the reply! Yes, keepalives are enabled on the HQ ASA for the correct Tunnel Group (default 300 sec for EasyVPN). I suppose the branch ASA will inherit this setting because of EasyVPN? I have also tried changing it to a lower value (e.g. 10 sec as in L2L), but it didn't make a difference. Even if no traffic at all is attempting to pass through the tunnel, in which case keepalives should definitely be sent.


Is this a known issue if the ASA is behind an ADSL router with NAT? If not, I will try to set up the lab again with a clean configuration and do some more in-depth troubleshooting.

afshan_nava Wed, 04/22/2009 - 03:35

Dear Ingo,


I have this scenario with the ASA 5510 behind the ADSL router in HO, which does the static NAT. The clients using VPN clients can establish the VPN. But the problem is with the branch ADSL router 877. I have configured it to use the EZVPN remote feature to connect to the ASA, but it fails. Any idea on this?


Afshan

ivarnhagen Thu, 04/23/2009 - 20:38

Hi,


Make sure you have NAT-Traversal turned on. Otherwise check the logs for errors... those will point you in the right direction.


Ingo
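The three knobs discussed in this thread (DPD keepalives on the tunnel group, the shortened IPsec SA lifetime used as a workaround, and NAT-Traversal for a client behind a NAT router) are shown below as an ASA 7.2(4) CLI fragment. This is an added example written for this page, not the configuration of any of the posters; the tunnel-group name EZVPN_GROUP, the HQ address 203.0.113.10, the username and the password placeholders are assumptions, and the timer values are the ones mentioned in the posts.

```cisco
! ===== HQ ASA 5510 (EasyVPN server) =====
! DPD for the EasyVPN tunnel group: probe an idle peer after 10 s, retry every 2 s.
! This is what lets the server notice that the branch's old public IP is dead
! after the ADSL line re-dials, instead of waiting for the SA lifetime to expire.
tunnel-group EZVPN_GROUP ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! NAT-Traversal: detect the NAT on the ADSL router and move ESP into UDP/4500.
! The argument is the NAT keepalive interval in seconds (assumed value).
crypto isakmp nat-traversal 20
!
! Phase 2 SA lifetime: the 10-minute workaround from the original post
! (default is 28800 s = 8 h). A global setting; a crypto map entry can override it.
crypto ipsec security-association lifetime seconds 600
!
! ===== Branch ASA 5505 (EasyVPN hardware client) =====
! Server address, group name and credentials are placeholders.
vpnclient server 203.0.113.10
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN_GROUP password GROUP_KEY_PLACEHOLDER
vpnclient username ezuser password USER_PASSWORD_PLACEHOLDER
vpnclient enable
```

After the ADSL router re-dials, `show crypto isakmp sa` on the HQ ASA should show the branch peer with its new NAT'd public address once DPD has torn down the stale SA and the client has reconnected; if the old address is still listed long after the line change, DPD is not actually being sent for that tunnel group and that is where to look first.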
