Rekey data left of 0KB in ASA 5505-5510 seems to make IPSec SA fail

Unanswered Question
Mar 6th, 2010

Hello

I have a Central Office with a Cisco ASA 5510 connected to several remote locations with ASA5505

The site to site VPNs work well, but sometimes some of them fail. After some research I found that, in that situation, the IKE and IPSec SAs are working, but traffic only crosses the tunnel in one direction. As an example, if I ping a remote host, it receives the ping request and sends the ping reply, but this reply never crosses the tunnel back.

As far as I know, it seems to happen randomly, at least I couldn't find a pattern. I tried logging out the tunnel by means of the ASDM but, when the tunnel re-establishes, the same happens. The only solution is to force a reload of the ASA5505 in the remote location, and then it starts to work normally (I can't do a reload on the 5510, as it would break the connection with the rest of remote locations).

The only clue I have is that it can only affect one of the several IPSec SAs of the IKE session while the rest of SAs of that session keep on working and, when failing, the data rekey lifetime of that IPSec SA is 0 KB:

WORKING SA:
  IPSec:
  Session ID   : 2
  Local Addr   : X.X.X.X/255.255.255.0/0/0
  Remote Addr  : X.X.X.X/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 18401 Seconds
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 3824715 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 22570303               Bytes Rx     : 35752322
  Pkts Tx      : 490855                 Pkts Rx      : 408700

FAILING SA:
  IPSec:
  Session ID   : 3
  Local Addr   : X.X.X.X/255.255.255.0/0/0
  Remote Addr  : X.X.X.X/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 14862 Seconds
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 67264                  Bytes Rx     : 0
  Pkts Tx      : 1051                   Pkts Rx      : 0

This led me to notice that, even when both 5510 and 5505 have the same traffic volume lifetime settings for the SA, the Rekey Data interval of the SAs is different between 5505 and 5510 (4275000 KB for 5505 and 3825000 KB for 5510 for the default setting of 4608000 KB; I tried changing this value to 5000000 in both devices and their new intervals were also different between them). I don't know if it has something to do with my problem, but it seems quite odd.

I've looked for a solution in manuals and also browsed the Internet but with no result, so I would be very grateful if someone could give me some advice.

Thanks and regards

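As an added example (not code from the thread or from Cisco), a small Python checker that parses SA blocks in the format quoted above and flags the signature the post describes: Rekey Left(D) at 0 K-Bytes together with bytes transmitted but none received. It also reports the negotiated-versus-configured data lifetime mismatch the poster noticed; the 4608000 KB default and the two sample blocks are taken from the post, and the function names are this example's own.

```python
import re

# Constructed sample, copied from the two SA blocks quoted in the post above
# (addresses omitted; only the counters the checks use are kept).
SAMPLE = """\
WORKING SA:
  Session ID   : 2
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 3824715 K-Bytes
  Bytes Tx     : 22570303               Bytes Rx     : 35752322
  Pkts Tx      : 490855                 Pkts Rx      : 408700

FAILING SA:
  Session ID   : 3
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Bytes Tx     : 67264                  Bytes Rx     : 0
  Pkts Tx      : 1051                   Pkts Rx      : 0
"""

# Labels exactly as they appear in the ASA output; each "Session ID" starts a new SA.
FIELD = re.compile(r"(Session ID|Rekey Int \(D\)|Rekey Left\(D\)|Bytes Tx|Bytes Rx|Pkts Tx|Pkts Rx)\s*:\s*(\d+)")

def parse_sas(text):
    """Return one dict of integer counters per IPSec SA found in the output."""
    sas = []
    for label, value in FIELD.findall(text):
        if label == "Session ID":
            sas.append({})
        if sas:
            sas[-1][label] = int(value)
    return sas

def flag_sa(sa):
    """Findings matching the failure signature described in the post."""
    findings = []
    if sa.get("Rekey Left(D)") == 0:
        findings.append("data rekey counter exhausted (Rekey Left(D) = 0 K-Bytes)")
    if sa.get("Bytes Tx", 0) > 0 and sa.get("Bytes Rx", 0) == 0:
        findings.append("one-way traffic: bytes sent but nothing received")
    return findings

def interval_mismatch(sa, configured_kb=4608000):
    """True when the negotiated data lifetime differs from the configured value
    (4608000 KB is the default the post cites; pass your own if changed)."""
    return sa.get("Rekey Int (D)") != configured_kb

def stuck_sessions(text):
    """Session IDs showing the stuck-SA signature, in output order."""
    return [sa["Session ID"] for sa in parse_sas(text) if flag_sa(sa)]
```

Run it over pasted `show vpn-sessiondb detail` output from both peers; an SA that trips `flag_sa` on one side only is the one the thread says needs rekeying or a remote reload.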
f.vanbreugel Wed, 03/10/2010 - 11:03

Hello,

I have the same problem starting 5 March on two remote ASA5505 boxes. The central hub is a Cisco Router (28xx), owned by the ISP.

Troubleshooting so far with the ISP gives that on their end there were no changes and everything looks okay.

On our end there were no changes as well.

I am running 8.2.1. on the ASA5505, which are you running?

Many thanks and regards,

Frank

sarat1317 Wed, 03/10/2010 - 14:25

Are your tunnels bidirectional?

Did you try to initiate the tunnel from the other end?

Can you just try to use the lifetime instead of amount of data? I also remember seeing some issues using the same lifetime for all tunnels. I probably think you have the same lifetime as 28800 seconds for all the tunnels. So that may not be an issue in your case but worth changing the lifetime for the problem tunnel.

When you have the problem what does your sh crypto isakmp sa and sh crypto ipsec sa show for that tunnel on both ASA units?

Thanks

Sarat

nick.assar Fri, 03/12/2010 - 13:40

I have the exact same issue on 8.2 and about to downgrade back to 8.0 version. The tunnel comes up fine, shows up on both ends. I ping a host on the ASA running 8.2 and I can see the traffic being decrypted but nothing ever comes back over. I've seen others with this issue as well, all running 8.2...

f.vanbreugel Fri, 05/13/2011 - 11:39

Dear Jesse,

Yep we solved it. It was a caveat in all pre 8.2.2.16 ASA firmware

Sent from my iPhone 4

On 13 May 2011 at 20:34, "jesse.zepeda" wrote:

Frank van Breugel,

A new message was posted in the Discussion thread "Rekey data left of 0KB in ASA 5505-5510 seems to make IPSec SA fail":

https://supportforums.cisco.com/message/3357244#3357244


MARK BAKER Wed, 05/25/2011 - 12:05

Does the version upgrade need to be applied to the head-end firewall (5510) or the remote firewall (5505)? I may be having this same issue, but it only affects VPN connections from ASA firewalls and not from PIX firewalls, so I was thinking it would have to do with the 5505 code. Except that I see two ISAKMP SAs on the corporate side, one showing rekey. I hadn't checked the ASP table or looked to see if the data was at 0k.

The reason I ask which device needs to be running the fixed version is that our head-end firewall is already running 8.3(2) which is in the fixed version list. We are running 8.2(2)22 on our remote ASA5505 firewalls which are the only ones that are having the issue.

Thanks,
Mark
