IPSEC Site-to-Site Tunnel drops every 1hour

brianbono
Level 1

Hi guys,

I need help with my ASA 5510, which establishes a site-to-site VPN tunnel to a Multitech firewall.

The tunnel normally drops after an hour of connectivity and then reconnects automatically. The problem is that I have a telnet application connecting to the other end of the tunnel that also ends up getting disconnected. If I run a continuous ping to a remote host on the other side of the VPN tunnel, I also get one "request timeout" when the tunnel drops.

Below is my VPN config:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
crypto map outside_ISP_map 1 match address outside_ISP_1_cryptomap
crypto map outside_ISP_map 1 set peer 207.224.XXX.XXX
crypto map outside_ISP_map 1 set transform-set ESP-3DES-MD5
crypto map outside_ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_ISP_map interface outside_ISP
crypto isakmp identity address
crypto isakmp enable outside_ISP
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

Attached also is a screenshot of the Real-Time Log Viewer.

9 Replies

brianbono
Level 1

additional info:

asa001# sh isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 207.224.xxx.xxx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 82985

asa001# sh isakmp stats

Global IKE Statistics
  Active Tunnels: 1
  Previous Tunnels: 668
  In Octets: 919211
  In Packets: 7753
  In Drop Packets: 2241
  In Notifys: 1342
  In P2 Exchanges: 830
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 37
  Out Octets: 764348
  Out Packets: 6411
  Out Drop Packets: 21
  Out Notifys: 1584
  Out P2 Exchanges: 452
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 1156
  Initiator Tunnels: 351
  Initiator Fails: 9
  Responder Fails: 4
  System Capacity Fails: 0
  Auth Fails: 2
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0

asa001#

russ
Level 1

Seems like the remote peer has negotiated a phase 2 lifetime of 1 hour (3600 seconds). The default for the ASA is 8 hours (28,800 seconds) and 1 hour (3600 seconds) for a Cisco router. Both peers will negotiate the lowest lifetime value.

You'll need to reconfigure the remote peer's phase 2 lifetime to match the ASA value of 8 hours, or increase both peers' lifetimes, if you wish the tunnel to stay up longer.

"sh crypto ipsec sa" will display the phase 2 remaining sa lifetime.

The remote peer also has it set to 86400.

Are you referring to the phase 1 lifetime or phase 2 lifetime value?

brianbono
Level 1

Does my global timeout for connections, set to 1 hr, have anything to do with the tunnel drops?

"timeout conn 1:00:00"

flopez
Level 1

I had a similar issue, but my tunnel between a PIX and a VPN would drop once a day. It was the encryption being different: one was 3des and the other was not. The tunnel would work, but after 18 hours or so the tunnel would drop. This happened very often.

I am also having a similar experience between a PIX and an EdgeWater IAD router. The tunnel drops every day or two and takes 5-10 minutes to come back up. I don't have control over the EdgeWater device but would like to set up some kind of logging on my side to see if I can figure out what is going on. I tried "logging buffered debug" but that gives WAY too much info. Is there a way that I can have the output of a "debug cry"-type command go to a buffer to review it once a day or so?

Thanks,

Diego

Hi guys,

I was able to solve this problem yesterday. All I did was go to the remote VPN tab instead of the site-to-site VPN tab of my ASA to configure the Maximum Connect Time value under the default group policy. The reason for this was that my site-to-site tunnel inherited that policy, which says the tunnel can only be up for 1 hr and must reconnect in order to keep the tunnel. I have changed the setting now to unlimited and finally my VPN is working fine.

cheers
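As an added example (not from the original thread or its posters), here is the ASA CLI equivalent of the two points raised above: russ's note that the Phase 2 lifetime is negotiated down to the lower of the two peers' values, and brianbono's finding that the L2L tunnel inherited the Maximum Connect Time (CLI: vpn-session-timeout) from the default group policy. The group-policy name L2L_MULTITECH is an assumption; the peer address and crypto map name are taken from the posted config; the pre-shared key is a placeholder.

```cisco
! Added example, not from the original thread. L2L_MULTITECH is an assumed
! group-policy name; the peer and crypto map names come from the posted config.
!
! --- Cause found in the thread: the L2L tunnel inherited a 60-minute
! --- Maximum Connect Time from the default group policy. In CLI terms:
group-policy DfltGrpPolicy attributes
 vpn-session-timeout 60
!
! --- Fix 1 (what brianbono did): remove the limit on the default policy.
group-policy DfltGrpPolicy attributes
 vpn-session-timeout none
!
! --- Fix 2 (preferred): give the L2L tunnel its own policy so that later
! --- changes to DfltGrpPolicy for remote-access users cannot touch it.
! --- Unset attributes still inherit from DfltGrpPolicy.
group-policy L2L_MULTITECH internal
group-policy L2L_MULTITECH attributes
 vpn-session-timeout none
 vpn-idle-timeout none
!
tunnel-group 207.224.XXX.XXX type ipsec-l2l
tunnel-group 207.224.XXX.XXX general-attributes
 default-group-policy L2L_MULTITECH
tunnel-group 207.224.XXX.XXX ipsec-attributes
 pre-shared-key <same-key-as-remote-peer>
!
! --- Phase 2 lifetime (russ's point): both sides end up with the lower of
! --- the two offered values, so an hourly rekey also appears if the far end
! --- offers 3600 s. Pin the ASA side on the crypto map entry for this peer
! --- (28800 s is the ASA default) and set the Multitech to the same value.
crypto map outside_ISP_map 1 set security-association lifetime seconds 28800
!
! --- Verification (exec mode)
show running-config all group-policy L2L_MULTITECH | include timeout
show vpn-sessiondb detail l2l
show crypto ipsec sa | include lifetime
```

"show running-config all" is needed because a group policy only lists the attributes that differ from the defaults; without "all" an inherited 60-minute timeout is invisible. The "timeout conn 1:00:00" line asked about earlier governs idle TCP connections passing through the ASA, not the IKE or IPsec SAs, so it does not tear the tunnel down (though it can drop an idle telnet session on its own). The posted "sh isakmp sa detail" output, with 82985 s of an 86400 s Phase 1 lifetime remaining, also rules out the IKE SA lifetime as the hourly trigger.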

Hi all,

I have the same problem that brianbono explained, but the difference is that my default group policy max connect time is unlimited. I am still facing the disconnection after 1 hour and an automatic reconnect (a single request timeout). What could be causing this issue?
