
Rekey data left of 0KB in ASA 5505-5510 seems to make IPSec SA fail

Laocoonte
Level 1

Hello

I have a Central Office with a Cisco ASA 5510 connected to several remote locations with ASA5505

The site to site VPNs work well, but sometimes some of them fail. After some research I found that, in that situation, the IKE and IPSec SAs are working, but traffic only crosses the tunnel in one direction. As an example, if I ping a remote host, it receives the ping request and sends the ping reply, but this reply never crosses the tunnel back.

As far as I know, it seems to happen randomly, at least I couldn't find a pattern. I tried logging out the tunnel by means of the ASDM but, when the tunnel re-establishes, the same happens. The only solution is to force a reload of the ASA5505 in the remote location, and then it starts to work normally (I can't do a reload on the 5510, as it would break the connection with the rest of remote locations).

The only clue I have is that it can only affect one of the several IPSec SAs of the IKE session while the rest of SAs of that session keep on working and, when failing, the data rekey lifetime of that IPSec SA is 0 KB:

WORKING SA:
  IPSec:
  Session ID   : 2
  Local Addr   : X.X.X.X/255.255.255.0/0/0
  Remote Addr  : X.X.X.X/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 18401 Seconds
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 3824715 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 22570303               Bytes Rx     : 35752322
  Pkts Tx      : 490855                 Pkts Rx      : 408700

FAILING SA:
  IPSec:
  Session ID   : 3
  Local Addr   : X.X.X.X/255.255.255.0/0/0
  Remote Addr  : X.X.X.X/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 14862 Seconds
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 67264                  Bytes Rx     : 0
  Pkts Tx      : 1051                   Pkts Rx      : 0

This led me to notice that, even when both the 5510 and the 5505 have the same traffic volume lifetime settings for the SA, the Rekey Data interval of the SAs is different between the 5505 and the 5510 (4275000 KB for the 5505 and 3825000 KB for the 5510 for the default setting of 4608000 KB; I tried changing this value to 5000000 in both devices and their new intervals were also different between them). I don't know if it has something to do with my problem, but it seems quite odd.

I've looked for a solution in manuals and also browsed the Internet but with no result, so I would be very grateful if someone could give me some advice.

Thanks and regards
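As an added example (not from this thread or from Cisco), here is a small Python script that parses the IPSec blocks of "show vpn-sessiondb detail" output like the one quoted above and flags any SA that shows the two symptoms described in the post: Rekey Left(D) at 0 K-Bytes, and a non-zero Bytes Tx with Bytes Rx at 0. The sample output and the subnets in it are constructed for the example.

```python
import re

# Constructed sample of "show vpn-sessiondb detail" IPSec blocks, modelled on the
# two SAs quoted in the post (subnets are placeholders, not the poster's).
SAMPLE = """\
  IPSec:
  Session ID   : 2
  Remote Addr  : 10.0.2.0/255.255.255.0/0/0
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 3824715 K-Bytes
  Bytes Tx     : 22570303               Bytes Rx     : 35752322
  IPSec:
  Session ID   : 3
  Remote Addr  : 10.0.3.0/255.255.255.0/0/0
  Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Bytes Tx     : 67264                  Bytes Rx     : 0
"""

# One "Label : value" pair; the value runs until two or more spaces or the end of
# the line, which is how the ASA lays out two columns on one line.
FIELD = re.compile(r"([A-Za-z][A-Za-z ()]*?)\s*:\s*([^:]*?)(?=\s{2,}|$)")

def parse_ipsec_sas(text):
    """Return one dict of fields per 'IPSec:' block in the command output."""
    sas, current = [], None
    for line in text.splitlines():
        if line.strip() == "IPSec:":
            current = {}
            sas.append(current)
        elif current is not None:
            current.update(FIELD.findall(line))
    return sas

def leading_int(value):
    """'3825000 K-Bytes' -> 3825000; a missing or non-numeric field counts as 0."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else 0

def symptoms(sa):
    """Symptoms the post associates with an SA that only passes traffic one way."""
    found = []
    if "Rekey Left(D)" in sa and leading_int(sa["Rekey Left(D)"]) == 0:
        found.append("data rekey lifetime exhausted (Rekey Left(D) = 0 K-Bytes)")
    if leading_int(sa.get("Bytes Tx")) > 0 and leading_int(sa.get("Bytes Rx")) == 0:
        found.append("traffic sent but nothing received (Bytes Rx = 0)")
    return found

def find_failing_sas(text):
    """Map Session ID -> symptom list for every SA that shows at least one."""
    return {sa.get("Session ID"): symptoms(sa)
            for sa in parse_ipsec_sas(text) if symptoms(sa)}
```

Feed it the real command output (for example collected over SSH on a schedule) and alert on a non-empty result, so the half-dead SA is noticed before users report one-way traffic.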

10 Replies

f.vanbreugel
Level 1

Hello,

I have the same problem starting 5 March on two remote ASA5505 boxes. The central hub is a Cisco Router (28xx), owned by the ISP.

Troubleshooting so far with the ISP gives that on their end there were no changes and everything looks okay.

On our end there were no changes as well.

I am running 8.2.1. on the ASA5505, which are you running?

Many thanks and regards,

Frank

sarat1317
Level 1

Are your tunnels bidirectional?

Did you try to initiate the tunnel from the other end?

Can you just try to use the lifetime instead of the amount of data? I also remember seeing some issues using the same lifetime for all tunnels. I think you probably have the same lifetime of 28800 seconds for all the tunnels. So that may not be an issue in your case, but it is worth changing the lifetime for the problem tunnel.

When you have the problem what does your sh crypto isakmp sa and sh crypto ipsec sa show for that tunnel on both ASA units?

Thanks

Sarat

nick.assar
Level 1

I have the exact same issue on 8.2 and am about to downgrade back to the 8.0 version. The tunnel comes up fine, shows up on both ends. I ping a host on the ASA running 8.2 and I can see the traffic being decrypted but nothing ever comes back over. I've seen others with this issue as well, all running 8.2...

Did you find a fix for this?

Jesse Zepeda
Level 5

Did you find a fix for this?

Dear Jesse,

Yep we solved it. It was a caveat in all pre 8.2.2.16 ASA firmware

Sent from my iPhone 4

On 13 May 2011 at 20:34, "jesse.zepeda" wrote:

Frank van Breugel,

A new message was posted in the Discussion thread "Rekey data left of 0KB in ASA 5505-5510 seems to make IPSec SA fail":

https://supportforums.cisco.com/message/3357244#3357244

Author : jesse.zepeda

Profile : https://supportforums.cisco.com/people/jesse.zepeda

Message:

Would you happen to have the bug ID?

Hi Jesse,

Here it is, sorry for the delay.

CSCtb53186 Duplicate ASP crypto table entry causes firewall to not encrypt traffic

Kind regards,

Frank van Breugel

Technical Consultant


Does the version upgrade need to be applied to the head-end firewall (5510) or the remote firewall (5505)? I may be having this same issue, but it only affects VPN connections from ASA firewalls and not from PIX firewalls, so I was thinking it would have to do with the 5505 code. Except that I see two ISAKMP SAs on the corporate side, one showing rekey. I hadn't checked the ASP table or looked to see if the data was at 0k.

The reason I ask which device needs to be running the fixed version is that our head-end firewall is already running 8.3(2) which is in the fixed version list. We are running 8.2(2)22 on our remote ASA5505 firewalls which are the only ones that are having the issue.

Thanks,
Mark

Had this issue tonight.

Thanks to the forum, I know why, and how to fix it.
