Tunnel Drops

Unanswered Question
Jun 4th, 2009

Hi, I'm having a weird issue between an ASA 5505 and an ASA 5520; both are running 804-K8.

The tunnel will remain up for around 8 hours, then drop. It will then be down for about 30 seconds before coming back up.

This wasn't a problem until we started replicating across the tunnel and the drops crash the replication.

We have upped the timeouts and neither of them is now breached.

I have been hitting my head against this for a while now and any help would be gratefully received.

The errors when this happens are:


2009-06-05 01:12:40 Local4.Notice LocalIP Jun 05 2009 01:10:33: %ASA-5-713041: Group = PublicIP, IP = PublicIP, IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer publicIP local Proxy Address localrange, remote Proxy Address remoterange, Crypto map (vpn)

2009-06-05 01:13:12 Local4.Error LocalIP Jun 05 2009 01:11:05: %ASA-3-713902: Group = PublicIP, IP = publicIP, QM FSM error (P2 struct &0xd4f53f60, mess id 0x89aa93ae)!

2009-06-05 01:13:12 Local4.Alert LocalIP Jun 05 2009 01:11:05: %ASA-1-713900: Group = PublicIP, IP = PublicIP, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

2009-06-05 01:13:12 Local4.Warning Localnetwork Jun 05 2009 01:11:05: %ASA-4-113019: Group = PublicIP, Username = PublicIP, IP = publicIP, Session disconnected. Session Type: IPsec, Duration: 8h:35m:58s, Bytes xmt: 3210418510, Bytes rcv: 188159058, Reason: Phase 2 Error


These are coming when the tunnel drops. I would normally say there was a misconfigured endpoint or IP typo, but the tunnel comes up and is fairly stable. It loses about 30 seconds every 8 hours, but unfortunately this is too much for the tunnel's purpose.

Thanks,

Scott
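
An added example, not part of the original post or written by anyone in this thread: a short Python script that reads the four syslog lines quoted in the question and flags a Phase 2 rekey (713041) that is followed by a "Phase 2 Error" disconnect (113019), so a longer log can be checked for whether every drop lines up with a rekey. The function names and the 120-second window are assumptions, and a single peer is assumed.

```python
import re
from datetime import datetime, timedelta

# The four lines quoted in the question, with the poster's own placeholders.
SAMPLE = [
    "2009-06-05 01:12:40 Local4.Notice LocalIP Jun 05 2009 01:10:33: %ASA-5-713041: Group = PublicIP, IP = PublicIP, IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer publicIP local Proxy Address localrange, remote Proxy Address remoterange, Crypto map (vpn)",
    "2009-06-05 01:13:12 Local4.Error LocalIP Jun 05 2009 01:11:05: %ASA-3-713902: Group = PublicIP, IP = publicIP, QM FSM error (P2 struct &0xd4f53f60, mess id 0x89aa93ae)!",
    "2009-06-05 01:13:12 Local4.Alert LocalIP Jun 05 2009 01:11:05: %ASA-1-713900: Group = PublicIP, IP = PublicIP, construct_ipsec_delete(): No SPI to identify Phase 2 SA!",
    "2009-06-05 01:13:12 Local4.Warning Localnetwork Jun 05 2009 01:11:05: %ASA-4-113019: Group = PublicIP, Username = PublicIP, IP = publicIP, Session disconnected. Session Type: IPsec, Duration: 8h:35m:58s, Bytes xmt: 3210418510, Bytes rcv: 188159058, Reason: Phase 2 Error",
]

# Captures the ASA's own timestamp, severity, message ID and text.
# The leading stamp written by the syslog server is ignored.
LINE = re.compile(r"(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(\d)-(\d{6}): (.*)")
DURATION = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")
REKEY_P2 = "713041"     # "IKE Initiator: Rekeying Phase 2"
DISCONNECT = "113019"   # "Session disconnected"

def parse(lines):
    """Yield (timestamp, severity, message_id, text) for each ASA message."""
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3), m.group(4)

def failed_rekeys(lines, window=timedelta(seconds=120)):
    """One record per Phase 2 rekey followed by a Phase 2 Error drop within window."""
    findings, rekey_at, between = [], None, []
    for ts, _sev, msg_id, text in parse(lines):
        if msg_id == REKEY_P2:
            rekey_at, between = ts, []          # start tracking this rekey
        elif rekey_at is None:
            continue                            # no rekey pending
        elif msg_id == DISCONNECT and "Reason: Phase 2 Error" in text:
            if ts - rekey_at <= window:
                d = DURATION.search(text)
                h, m, s = map(int, d.groups()) if d else (0, 0, 0)
                findings.append({
                    "rekey_started": rekey_at,
                    "seconds_to_drop": int((ts - rekey_at).total_seconds()),
                    "session_seconds": h * 3600 + m * 60 + s,
                    "errors_between": between,  # message IDs seen in between
                })
            rekey_at = None
        else:
            between.append(msg_id)
    return findings

if __name__ == "__main__":
    for f in failed_rekeys(SAMPLE):
        print(f)
```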

vkapoor5 Thu, 06/11/2009 - 12:41

If you are using an ASA running software version 7.1, then it is bug CSCse29700. WebVPN and SSL VPN Client sessions to an ASA running software version 7.1 are intermittently disconnected. As a workaround, perform either of these steps:

Reload the Cisco Adaptive Security Appliance (ASA) until the issue is resolved.

Download and upgrade the ASA software to any one of these versions:

7.2(1.3)

scottwclarke Thu, 06/11/2009 - 12:44

Hi, thanks for the reply, but I am running 8.03. Is the problem still occurring in this build?

scottwclarke Sun, 06/28/2009 - 01:48

Sorry to bump this but it is a real problem while moving large files between sites.
