VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes

dreim
Level 1

authentication retries but never reconnects. I have to reboot the appliance to bring the tunnel back up.

Found the following in syslogs:

2010-07-07 13:28:34 Local4.Notice 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
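As an added example (not part of the original post, and not Cisco code), the following Python script parses ASA syslog lines of the kind quoted above. It extracts the message ID and the key/value fields of %ASA-4-113019 and %ASA-5-713259, counts teardowns per peer and reason, and for every "Lost Service" drop reports the session's average transmit rate and the time since the previous drop from the same peer. The first two sample lines are the ones from the post; the third and fourth are constructed for the example (a second drop 26 minutes later and a clean user-initiated teardown) so the report has a baseline to compare against. The rate is an average over the whole session and understates short bursts.

```python
import re
from collections import Counter
from datetime import datetime

# Lines 1-2 are the two syslog entries quoted in the post; lines 3-4 are
# constructed for this example (a second "Lost Service" drop 26 minutes later
# and one clean user-initiated teardown) so the report has a baseline.
SAMPLE_LOGS = """\
2010-07-07 13:28:34 Local4.Notice 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
2010-07-07 13:55:10 Local4.Warning 10.0.0.254 :Jul 07 10:48:58 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:26m:36s, Bytes xmt: 319000000, Bytes rcv: 80000000, Reason: Lost Service
2010-07-07 18:02:10 Local4.Warning 10.0.0.254 :Jul 07 14:55:58 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:05m:00s, Bytes xmt: 1000, Bytes rcv: 2000, Reason: User Requested
"""

TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
MSG_RE = re.compile(r"%ASA-(?:[A-Za-z]+-)?(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")
SEP_RE = re.compile(r"\s*[=:]\s")          # first "key = value" or "key: value" separator
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def parse_fields(body):
    """Split 'Group = x, Duration: 0h:36m:03s, ...' into a dict.

    A chunk like 'Session disconnected. Session Type: IPsec' carries a leading
    sentence; only the part after the last '. ' is the key.
    """
    fields = {}
    for chunk in body.split(", "):
        sep = SEP_RE.search(chunk)
        if not sep:
            continue
        key = chunk[:sep.start()].rsplit(". ", 1)[-1].strip()
        fields[key] = chunk[sep.end():].strip()
    return fields


def parse_line(line):
    """Return a dict for an ASA syslog line, or None if it is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msg_id": m["id"]}
    ts = TS_RE.match(line)
    if ts:  # collector timestamp at the start of the line
        rec["ts"] = datetime.strptime(ts["ts"], "%Y-%m-%d %H:%M:%S")
    rec.update(parse_fields(m["body"]))
    if "Duration" in rec:
        h, mi, s = (int(x) for x in DURATION_RE.match(rec["Duration"]).groups())
        rec["duration_s"] = h * 3600 + mi * 60 + s
    for key in ("Bytes xmt", "Bytes rcv"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


UNGRACEFUL = {"Lost Service"}   # extend with other non-graceful 113019 reasons as needed


def disconnect_report(log_text):
    """Count 113019 teardowns by (peer, reason) and detail the ungraceful ones.

    Only 113019 is counted: 713259 is emitted for the same event and carries
    no counters, so counting both would double every drop.
    """
    counts = Counter()
    last_drop = {}
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["msg_id"] != "113019":
            continue
        peer, reason = rec.get("IP"), rec.get("Reason")
        counts[(peer, reason)] += 1
        if reason not in UNGRACEFUL or not rec.get("duration_s"):
            continue
        # Average over the whole session; short bursts will be well above this.
        avg_tx_mbps = rec["Bytes xmt"] * 8 / rec["duration_s"] / 1e6
        gap = None
        if peer in last_drop and "ts" in rec:
            gap = int((rec["ts"] - last_drop[peer]).total_seconds())
        if "ts" in rec:
            last_drop[peer] = rec["ts"]
        events.append({"peer": peer, "reason": reason, "duration_s": rec["duration_s"],
                       "avg_tx_mbps": round(avg_tx_mbps, 2), "secs_since_prev_drop": gap})
    return counts, events


if __name__ == "__main__":
    counts, events = disconnect_report(SAMPLE_LOGS)
    for (peer, reason), n in sorted(counts.items()):
        print(f"{peer:16} {reason:16} {n}")
    for e in events:
        print(e)
```

Feeding a day of syslog through `disconnect_report` gives the drop cadence per peer directly (the "every 15-30 minutes" pattern from the title shows up in `secs_since_prev_drop`), and a run of "Lost Service" reasons with no graceful teardowns in between is the signature Marcin points at below: nothing on either box asked for the tunnel to go away.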

1 Accepted Solution (Marcin's reply on shaping, below)

8 Replies

Marcin Latosiewicz
Cisco Employee

David,

First of all can you share ASA versions and config? Is this a L2L tunnel (looks like it)?

Possibly related to IKE keepalives? If it was anything graceful there would be a different delete reason. Is the reason always the same?


Maybe you could try removing isakmp keepalives and see if the tunnel stays up?

Marcin

They are both running 8.3(1)4 and yes, it is a L2L tunnel. I will disable keepalives as well.

David,

This is of course a test only, to see if the drop is related to keepalives or to some real connectivity issue the keepalives are detecting.

In a normal scenario you would want to have isakmp keepalives enabled on both sides.

Is there any chance any of the sides has idle timeout or anything of that sort configured?

-------

show run crypto

show run tunnel-g

show run group-po

--------

taken on both sides would help.

And after "lost service" is reported:

--------

show crypto isa sa

show crypto ipsec sa

--------

also from both sides.

We want to check the config and state of negotiation after tunnel drops.

Marcin

Far End:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2

crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy toCorporateGrpPolicy
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable

group-policy toCorporateGrpPolicy internal
group-policy toCorporateGrpPolicy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec

sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3

sho crypto ipsec sa

There are no ipsec sas

Near End:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy toDRGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable

group-policy toDRGrpPolicy internal
group-policy toDRGrpPolicy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec

sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

sh crypto ipsec sa

There are no ipsec sas

David,

This has connectivity problem written all over it.

Far end:

1   IKE Peer: 2.2.2.2
    Type    : user            Role    :  responder
    Rekey   : no              State   : MM_WAIT_MSG3

We received main mode message 1, sent main mode message 2, and we're waiting for main mode message 3 from the other side.

Near end:

1   IKE Peer: 1.1.1.1
    Type    : user            Role    :  initiator
    Rekey   : no              State   : MM_WAIT_MSG2

We've sent main mode message 1, and we're waiting for message 2.

If the two outputs were taken at the same time, there's something blocking IKE... i.e. something is blocking udp/500 messages from far end to near end. Near to far appears to be fine.

Marcin
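The reasoning Marcin applies to the two `show crypto isakmp sa` snapshots generalises: IKEv1 main mode is six messages, the initiator sends the odd ones and the responder the even ones, and `MM_WAIT_MSGn` on either box means it has sent MM(n-1) and is waiting for MMn. Comparing what each side has sent with what the other has received tells you which direction is losing packets. The script below is an added example (not from the thread or from Cisco) that parses both outputs quoted above and produces that diagnosis; the two sample outputs are copied from the thread, with its sanitised 1.1.1.1 / 2.2.2.2 peer addresses. It works for any consistent pair of `MM_WAIT_MSGn` / `MM_ACTIVE` states, not only the MSG2/MSG3 pair shown here.

```python
import re

# "show crypto isakmp sa" output from both ASAs, copied from the thread.
FAR_END = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

NEAR_END = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

ENTRY_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+).*?Role\s*:\s*(?P<role>\w+).*?State\s*:\s*(?P<state>\S+)",
    re.S,
)


def parse_isakmp_sa(text):
    """Extract (peer, role, state) for every IKEv1 SA listed in the output."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def progress(entry):
    """Map a main-mode state to (last message sent, last message received).

    Main mode is six messages: the initiator sends MM1, MM3, MM5 and the
    responder sends MM2, MM4, MM6. MM_WAIT_MSGn means this side has sent
    MM(n-1) and is waiting for MMn, which is the reading used in the thread.
    """
    role, state = entry["role"], entry["state"]
    if state == "MM_ACTIVE":
        return (5, 6) if role == "initiator" else (6, 5)
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", state)
    if not m:
        raise ValueError(f"unsupported IKE state: {state}")
    waiting_for = int(m.group(1))
    return waiting_for - 1, max(waiting_for - 2, 0)


def diagnose(initiator, responder):
    """Compare both sides' progress and report which direction dropped a message.

    Both snapshots must be taken at the same moment (Marcin's caveat); a stale
    snapshot produces a false finding. Returns a list of (direction, msg number).
    """
    if initiator["role"] != "initiator" or responder["role"] != "responder":
        raise ValueError("pass the initiator-side entry first, the responder-side entry second")
    i_sent, i_recv = progress(initiator)
    r_sent, r_recv = progress(responder)
    findings = []
    if r_sent > i_recv:   # responder sent something the initiator never saw
        findings.append(("responder->initiator", r_sent))
    if i_sent > r_recv:   # initiator sent something the responder never saw
        findings.append(("initiator->responder", i_sent))
    return findings


def transport_hint(msg_no):
    # MM1-MM4 always travel on udp/500; if NAT-T is detected in MM3/MM4 the
    # exchange moves to udp/4500 from MM5 onward, so check that port as well.
    return "udp/500" if msg_no <= 4 else "udp/500 (udp/4500 if NAT-T)"


def report(initiator_text, responder_text):
    """Human-readable diagnosis for one initiator/responder pair of outputs."""
    init, resp = parse_isakmp_sa(initiator_text), parse_isakmp_sa(responder_text)
    if len(init) != 1 or len(resp) != 1:
        raise ValueError("expected exactly one IKE SA on each side")
    findings = diagnose(init[0], resp[0])
    if not findings:
        return ["both sides agree on progress; no one-way loss visible in this snapshot"]
    return [f"MM{n} lost in direction {d}; check {transport_hint(n)} along that path"
            for d, n in findings]


if __name__ == "__main__":
    for line in report(NEAR_END, FAR_END):
        print(line)
```

For the thread's snapshots the output is a single finding, MM2 lost from responder to initiator, which is exactly the "far end to near end" blockage Marcin names; a pair of `MM_ACTIVE` entries yields no finding. Because a box in `MM_WAIT_MSGn` may simply be between retransmissions, take the two outputs a few times and only trust a finding that is stable across snapshots.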

I think we were saturating our internet connection; we have a 50/20M FiOS connection and we are transmitting 20Mbps.

David,

That indeed could be the reason.

Any chance you can apply some sort of shaping? (If worst comes to worst, the ASA can do it quite decently, but only in the outbound direction AFAIR.)

Marcin

Investigating that now. Thanks for your help.
