VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes


authentication retries but never reconnects. I have to reboot the appliance to bring the tunnel back up.

Found the following in syslogs:

2010-07-07 13:28:34 Local4.Notice 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service

Marcin Latosiewicz Wed, 07/07/2010 - 11:41

David,

First of all, can you share ASA versions and config? Is this an L2L tunnel (it looks like it)?

Possibly related to IKE keepalives? If it was anything graceful there would be a different delete reason. Is the reason always the same?


Maybe you could try removing the isakmp keepalives and see if the tunnel stays up?

Marcin

Marcin Latosiewicz Wed, 07/07/2010 - 11:51

David,

This is of course a test only, to see if the drop is related to keepalives or to some real connectivity issue the keepalives are detecting.

In a normal scenario you would want to have isakmp keepalives enabled on both sides.

Is there any chance any of the sides has idle timeout or anything of that sort configured?

-------

show run crypto

show run tunnel-g

show run group-po

--------

taken on both sides would help.

And after "lost service" is reported:

--------

show crypto isa sa

show crypto ipsec sa

--------

also from both sides.

We want to check the config and state of negotiation after tunnel drops.

Marcin

Far End:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2

crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400


tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy toCorporateGrpPolicy
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable

group-policy toCorporateGrpPolicy internal
group-policy toCorporateGrpPolicy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec

sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3

sho crypto ipsec sa

There are no ipsec sas

Near End:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy toDRGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable

group-policy toDRGrpPolicy internal
group-policy toDRGrpPolicy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec

sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

sh crypto ipsec sa

There are no ipsec sas

Marcin Latosiewicz Wed, 07/07/2010 - 12:12

David,

This has connectivity problem written all over it.

Far end:

1   IKE Peer: 2.2.2.2
    Type    : user            Role    :  responder
    Rekey   : no              State   : MM_WAIT_MSG3

We received main mode message 1, sent main mode message 2, and we're waiting for main mode message 3 from the other side.

Near end:

1   IKE Peer: 1.1.1.1
    Type    : user            Role    :  initiator
    Rekey   : no              State   : MM_WAIT_MSG2

We've sent main mode message 1, and we're waiting for message 2.

If the two outputs were taken at the same time, there's something blocking IKE, i.e. something is blocking the UDP/500 message from the far end to the near end. Near to far appears to be fine.

Marcin
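The main-mode reading in the reply above can be turned into a small check. What follows is an added example, not code from the thread or from Cisco: it parses both peers' "show crypto isakmp sa" output, encodes the rule that a peer in MM_WAIT_MSGk has sent message k-1 and is waiting for message k (odd messages go initiator to responder, even ones the other way), and reports which message, and so which direction of UDP/500, is being lost. It also pulls the duration and byte counters out of the %ASA-4-113019 disconnect line from the question and turns them into an average rate, the number to hold against the link speed when shaping is being considered. Function names are mine; the command outputs are reconstructed from what David posted, using the thread's own placeholder peers 1.1.1.1 and 2.2.2.2.

```python
"""Added example (not code from the thread): read two ASA peers' 'show crypto
isakmp sa' snapshots side by side to localize a lost IKE main-mode message,
and pull duration/byte counters out of a %ASA-4-113019 disconnect line."""
import re
from typing import Dict, List, Optional

# Main mode: odd messages go initiator -> responder, even ones the other way.
# A peer in MM_WAIT_MSGk has sent message k-1 and is waiting for message k.
PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
ROLE_RE = re.compile(r"Role\s*:\s*(\w+)")
STATE_RE = re.compile(r"State\s*:\s*(\w+)")
WAIT_RE = re.compile(r"MM_WAIT_MSG(\d)")
DISCONNECT_RE = re.compile(
    r"Duration: (\d+)h:(\d+)m:(\d+)s, Bytes xmt: (\d+), Bytes rcv: (\d+), Reason: (.+?)\s*$")


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict (peer, role, state) per 'IKE Peer:' entry; header-only or
    'There are no isakmp sas' output yields an empty list."""
    starts = [m.start() for m in PEER_RE.finditer(text)] + [len(text)]
    entries = []
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]
        role, state = ROLE_RE.search(chunk), STATE_RE.search(chunk)
        entries.append({"peer": PEER_RE.match(chunk).group(1),
                        "role": role.group(1).lower() if role else "",
                        "state": state.group(1) if state else ""})
    return entries


def waiting_for(state: Optional[str]) -> Optional[int]:
    """Main-mode message number the peer in `state` is waiting for, else None."""
    m = WAIT_RE.fullmatch(state or "")
    return int(m.group(1)) if m else None


def diagnose(initiator: Optional[str], responder: Optional[str]) -> str:
    """Name the lost message from a simultaneous snapshot; None = no IKE SA shown."""
    if initiator == "MM_ACTIVE" and responder == "MM_ACTIVE":
        return "Phase 1 is up on both sides; check Phase 2 with 'show crypto ipsec sa'."
    n, m = waiting_for(initiator), waiting_for(responder)
    if n == 2 and responder is None:  # MM1 sent, responder never built an SA
        return "MM1 lost: initiator -> responder UDP/500 blocked (or IKE not listening there)."
    if n is None or m is None:
        return "Inconclusive: %r / %r is not a main-mode wait pair." % (initiator, responder)
    if n == m - 1:  # responder already sent message n, initiator still waits for it
        return "MM%d lost: responder -> initiator UDP/500 blocked." % n
    if n == m + 1:  # initiator already sent message m, responder still waits for it
        return "MM%d lost: initiator -> responder UDP/500 blocked." % m
    return "Inconclusive: %s vs %s cannot be simultaneous; retake both together." % (initiator, responder)


def diagnose_outputs(side_a: str, side_b: str) -> str:
    """Parse both peers' 'show crypto isakmp sa' output and diagnose."""
    entries = parse_isakmp_sa(side_a) + parse_isakmp_sa(side_b)
    initiator = next((e["state"] for e in entries if e["role"] == "initiator"), None)
    responder = next((e["state"] for e in entries if e["role"] == "responder"), None)
    if initiator is None and responder is None:
        return "No IKE SA on either side: nothing is being negotiated right now."
    if initiator is None:
        return "Only the responder has an SA (%s); the initiator gave up. Retake together." % responder
    return diagnose(initiator, responder)


def parse_disconnect(line: str) -> Dict[str, object]:
    """Duration, byte counters, reason and average rates from a %ASA-4-113019 line."""
    m = DISCONNECT_RE.search(line)
    if not m:
        raise ValueError("not a 113019 'Session disconnected' line")
    h, mi, s, xmt, rcv = (int(x) for x in m.groups()[:5])
    seconds = h * 3600 + mi * 60 + s
    return {"duration_s": seconds, "bytes_xmt": xmt, "bytes_rcv": rcv,
            "reason": m.group(6),
            "avg_xmt_bps": xmt * 8 / seconds if seconds else float("nan"),
            "avg_rcv_bps": rcv * 8 / seconds if seconds else float("nan")}


# Samples constructed from the outputs quoted in the thread (1.1.1.1 / 2.2.2.2
# are the thread's placeholder peers); DISCONNECT_LINE is copied from the question.
NEAR_END = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
FAR_END = NEAR_END.replace("1.1.1.1", "2.2.2.2").replace("initiator", "responder").replace("MSG2", "MSG3")
DISCONNECT_LINE = ("%ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, "
                   "IP = 74.126.85.149, Session disconnected. Session Type: IPsec, "
                   "Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service")

if __name__ == "__main__":
    print(diagnose_outputs(NEAR_END, FAR_END))
    info = parse_disconnect(DISCONNECT_LINE)
    print("%(reason)s after %(duration_s)d s, avg xmt %(avg_xmt_bps).0f bit/s" % info)
```

Run as-is it reports the thread's case, MM2 lost, so the far end (responder) to near end (initiator) direction is blocked, which is the conclusion drawn above; paste in outputs captured at the same moment from your own pair to use it for real. The disconnect line in the question works out to roughly 2.16 Mbit/s sustained outbound over the 36-minute session.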

Correct Answer
Marcin Latosiewicz Wed, 07/07/2010 - 13:34

David,

That indeed could be the reason.

Any chance you can apply some sort of shaping? (If worst comes to worst, the ASA can do it quite decently, but only in the outbound direction AFAIR.)

Marcin
