Site-to-Site Tunnel Drops Intermittently

dprice
Level 1

I currently have seven site-to-site VPNs configured.  With the exception of the one that I can control both sides of, they all drop intermittently.

To simplify this question I want to focus on one of these tunnels.

My side is an ASA5520.

The other side is a Checkpoint Device.

The tunnel will drop approximately once a day, though the time of day varies.

As a measure of network stability, one of the other tunnels has both endpoints using Cisco hardware, an ASA5520 and a 2811 router. This tunnel has been up for several weeks.

I have confirmed to the best of my knowledge that the Phase 1 and Phase 2 timers both match.

Attached is a log snippet showing the rekey negotiations that always seem to precede the tunnel dropping.

Any thoughts would be appreciated.

I am attempting to capture additional debug data and will post when I do so.

UPDATE:

After running 'debug crypto isakmp 254' for several hours I captured 3 Phase II rekeying events.  None of them caused the tunnel to drop.

However I did notice that they were occurring exactly 51 minutes apart even though the Phase II rekey duration timer is set to 60 minutes.
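The 51-minute observation above is the kind of thing worth measuring rather than eyeballing. The following is an added example, not code from the original post: it pulls the timestamps of Phase 2 rekey events out of debug output, computes the interval between them, and compares it with the configured SA lifetime. The debug lines are constructed for the example (they are not real ASA output and use no real ASA message IDs), the 3600-second lifetime stands in for the 60-minute timer mentioned in the post, and the 80-95% "early rekey" band is an assumption about how IPsec stacks typically start a rekey before the old SA expires, not a documented ASA constant.

```python
"""
Added example: measure Phase 2 rekey intervals from debug output and
compare them with the configured SA lifetime.  Log lines are constructed.
"""
from datetime import datetime
from statistics import mean

# Constructed debug excerpt: one line per Phase 2 rekey the ASA negotiated.
SAMPLE_DEBUG = """\
Mar 02 01:14:05 ASA5520: IKE peer 203.0.113.10: Phase 2 rekey (QM) initiated
Mar 02 02:05:05 ASA5520: IKE peer 203.0.113.10: Phase 2 rekey (QM) initiated
Mar 02 02:56:05 ASA5520: IKE peer 203.0.113.10: Phase 2 rekey (QM) initiated
Mar 02 03:47:05 ASA5520: IKE peer 203.0.113.10: Phase 2 rekey (QM) initiated
"""

# Assumed to match 'set security-association lifetime seconds 3600' (60 min).
CONFIGURED_LIFETIME_SEC = 3600

# Assumption, not a documented constant: many IPsec stacks start the rekey
# at roughly 80-95% of the SA lifetime so the new SA is ready before the old
# one expires.  An interval inside this band is an early rekey, not a mismatch.
EARLY_REKEY_BAND = (0.80, 0.95)


def parse_rekey_times(text, year=2010):
    """Return the timestamp of every constructed 'Phase 2 rekey' line."""
    times = []
    for line in text.splitlines():
        if "Phase 2 rekey" not in line:
            continue
        stamp = " ".join(line.split()[:3])          # e.g. 'Mar 02 01:14:05'
        times.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return times


def rekey_intervals(times):
    """Seconds between consecutive rekey events."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def classify_interval(interval_sec, lifetime_sec):
    """Label the observed interval relative to the configured lifetime."""
    ratio = interval_sec / lifetime_sec
    lo, hi = EARLY_REKEY_BAND
    if ratio > 1.05:
        return "longer-than-lifetime (check which side actually initiates the rekey)"
    if ratio >= hi:
        return "at-lifetime"
    if ratio >= lo:
        return "early-rekey (normal)"
    return "much-shorter-than-lifetime (peer lifetime mismatch?)"


def analyse(text, lifetime_sec=CONFIGURED_LIFETIME_SEC):
    """Summarise rekey timing for the excerpt; needs at least two rekeys."""
    intervals = rekey_intervals(parse_rekey_times(text))
    if not intervals:
        return {"rekeys": len(intervals) + 1, "verdict": "need at least two rekey events"}
    avg = mean(intervals)
    return {
        "rekeys": len(intervals) + 1,
        "mean_interval_min": round(avg / 60, 1),
        "ratio_of_lifetime": round(avg / lifetime_sec, 2),
        "verdict": classify_interval(avg, lifetime_sec),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_DEBUG))
```

On the constructed data the rekeys land 51 minutes apart, 85% of the 3600-second lifetime, which the checker reports as an early rekey rather than a lifetime mismatch; a mismatch with the peer would instead show up as intervals well under the configured lifetime.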

4 Replies

I noticed that in your logs it states the peer does not support keepalives. Could you have the Checkpoint enable IKE keepalives or dead peer detection?

Wondering if that could help.

-Todd

Todd,

Thanks, I did notice that as well and disabled keepalives on my side.  I am waiting to see if that makes a difference.

After a false start with determining how to disable keepalives: it was not enough to remove the config line that enabled them.  I had to specifically disable them.

That may have solved the problem.  I am hesitant to jinx it by saying that was the answer just yet, but the tunnel has now been up for over 24 hours, which is a record.

Thanks again.

slinzmeier
Level 1

Make these entries in the ASA 5505:

isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2

(should solve the problem)
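Two things in this thread are worth checking mechanically before touching a production tunnel: whether keepalives are explicitly disabled for a peer (the original poster found that merely removing the enabling line was not enough) and whether the IKE policy still carries 3DES/MD5/group 2. The following is an added example, not code from the thread or from Cisco: it audits a constructed ASA running-config excerpt for both, showing the "before" state beside the "after" state. The command syntax follows the pre-8.4 `isakmp ...` form used in the reply above, with the keepalive setting placed under `tunnel-group <peer> ipsec-attributes`; the peer address, policy number and replacement algorithms are assumptions, and the exact keywords should be verified against the ASA version in use.

```python
"""
Added example: audit ASA keepalive and IKE policy settings in a constructed
running-config excerpt.  Syntax follows the pre-8.4 'isakmp ...' form.
"""
import re

# Constructed "before" excerpt: no keepalive line at all (the ASA default is
# keepalives enabled) and a policy using 3des/md5/group 2.
BEFORE_CONFIG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
"""

# Constructed "after" excerpt: keepalives explicitly disabled for the peer
# that does not support them, and stronger (assumed) policy settings.
AFTER_CONFIG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
"""

# Settings a practitioner would flag in a new IKEv1 policy.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def tunnel_group_sections(config):
    """Map each 'tunnel-group X ipsec-attributes' block to its indented lines."""
    sections, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        else:
            current = None                     # any other top-level line ends the block
    return sections


def keepalive_state(body):
    """'disabled', 'explicit' (threshold/retry set) or 'default' (nothing set, so enabled)."""
    for line in body:
        if line == "isakmp keepalive disable":
            return "disabled"
        if line.startswith("isakmp keepalive threshold"):
            return "explicit"
    return "default"


def weak_policy_settings(config):
    """List every policy attribute whose value is in the WEAK table."""
    findings = []
    pattern = r"^isakmp policy (\d+) (encryption|hash|group) (\S+)$"
    for prio, attr, val in re.findall(pattern, config, re.M):
        if val in WEAK[attr]:
            findings.append(f"policy {prio}: {attr} {val}")
    return findings


def audit(config):
    """Per-peer keepalive state plus the list of weak policy settings."""
    return {
        "keepalives": {peer: keepalive_state(body)
                       for peer, body in tunnel_group_sections(config).items()},
        "weak": weak_policy_settings(config),
    }


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(name, audit(cfg))
```

The `default` state is the one to watch for: a peer with no keepalive line is not "keepalives off", it is "keepalives at the ASA default", which is exactly the trap the original poster ran into.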