I need help with my ASA 5510, which establishes a site-to-site VPN tunnel to a Multitech firewall.
The tunnel normally drops after an hour of connectivity and reconnects automatically. The problem is that I have a telnet application that connects to the other end of the tunnel, which also ends up getting disconnected. If I do a consistent ping to a remote host on the other side of the VPN tunnel, I also get one "request timeout" when the tunnel drops.
Below is my VPN config:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
crypto map outside_ISP_map 1 match address outside_ISP_1_cryptomap
crypto map outside_ISP_map 1 set peer 207.224.XXX.XXX
crypto map outside_ISP_map 1 set transform-set ESP-3DES-MD5
crypto map outside_ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO
crypto map outside_ISP_map interface outside_ISP
crypto isakmp identity address
crypto isakmp enable outside_ISP
crypto isakmp policy 10
no crypto isakmp nat-traversal
Also attached is a screenshot of the Real-Time Log Viewer.
asa001# sh isakmp sa detail
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 207.224.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 82985
asa001# sh isakmp stats
Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 668
In Octets: 919211
In Packets: 7753
In Drop Packets: 2241
In Notifys: 1342
In P2 Exchanges: 830
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 37
Out Octets: 764348
Out Packets: 6411
Out Drop Packets: 21
Out Notifys: 1584
Out P2 Exchanges: 452
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 1156
Initiator Tunnels: 351
Initiator Fails: 9
Responder Fails: 4
System Capacity Fails: 0
Auth Fails: 2
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Seems like the remote peer has negotiated a phase 2 lifetime of 1 hour (3600 seconds). The default for the ASA is 8 hours (28,800 seconds), and 1 hour (3,600 seconds) for a Cisco router. Both peers will negotiate the lowest lifetime value.
You'll need to reconfigure the remote peer's phase 2 lifetime to match the ASA value of 8 hours, or increase both peer lifetimes, if you wish the tunnel to stay up longer.
"sh crypto ipsec sa" will display the phase 2 remaining sa lifetime.
Does the global timeout I set on the connection to 1 hr have anything to do with the tunnel drops?
"timeout conn 1:00:00"
I had a similar issue, but my tunnel between a PIX and a VPN would drop once a day. It was because the encryption was different: one was 3DES and the other was not. The tunnel would work, but after 18 hours or so it would drop. This happened very often.
I am also having a similar experience between a PIX and an EdgeWater IAD router. The tunnel drops every day or two and takes 5-10 minutes to come back up. I don't have control over the EdgeWater device, but I would like to set up some kind of logging on my side to see if I can figure out what is going on. I tried "logging buffered debug", but that gives WAY too much info. Is there a way that I can have the output of a "debug cry" type command go to a buffer so I can review it once a day or so?
I was able to solve this problem yesterday. All I did was go to the remote VPN tab instead of the site-to-site VPN tab of my ASA to configure the Maximum Connect value under the default group policy. The reason for this was that my site-to-site VPN inherited that policy, which says the tunnel can only be up for 1 hr and must reconnect in order to keep the tunnel. I have now changed the setting to unlimited and finally my VPN is working fine.
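Two different timers have been blamed in this thread for the hourly drop: a phase 2 lifetime negotiated down to 3600 seconds (the answer above), and the 60-minute Maximum Connect Time inherited from the default group policy (the resolution just above). The script below is an added example, not something posted in the thread: it parses the original poster's own "sh isakmp sa detail" output for the phase 1 SA, a constructed "show crypto ipsec sa" excerpt for the phase 2 SAs (the 25385 s remaining is an assumption consistent with the ASA 8-hour default and the age of the IKE SA), and a constructed "show run group-policy DfltGrpPolicy" excerpt carrying the 60-minute limit (vpn-session-timeout is the CLI name behind the ASDM Maximum Connect Time field), then reports which timer would end the tunnel first. The phase 2 estimate assumes the IPsec SA was built together with the IKE SA and has not rekeyed since.

```python
import re

# Phase 1 state copied from the thread's "sh isakmp sa detail" output.
ISAKMP_SA_DETAIL = """\
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 207.224.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 82985
"""

# Constructed "show crypto ipsec sa" excerpt (not from the thread). The SA is
# assumed to be as old as the IKE SA above (86400 - 82985 = 3415 s), so a
# remaining 25385 s implies the ASA default phase 2 lifetime of 28800 s.
# Addresses are documentation-range placeholders.
IPSEC_SA = """\
interface: outside_ISP
    Crypto map tag: outside_ISP_map, seq num: 1, local addr: 198.51.100.2
      current_peer: 203.0.113.10
    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-3des esp-md5-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373999/25385)
    outbound esp sas:
      spi: 0x5E6F7A8B (1584757387)
         transform: esp-3des esp-md5-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373999/25385)
"""

# Constructed "show run group-policy DfltGrpPolicy" excerpt: the 60-minute
# Maximum Connect Time the poster found being inherited by the L2L tunnel.
GROUP_POLICY = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout 60
"""

ASA_DEFAULT_P1_LIFETIME = 86400  # seconds
ASA_DEFAULT_P2_LIFETIME = 28800  # seconds (8 hours, as stated in the answer)


def parse_isakmp_sa_detail(text):
    """Return (lifetime, remaining) in seconds for the phase 1 (IKE) SA."""
    lifetime = int(re.search(r"\bLifetime:\s*(\d+)", text).group(1))
    remaining = int(re.search(r"Lifetime Remaining:\s*(\d+)", text).group(1))
    return lifetime, remaining


def parse_ipsec_sa_remaining(text):
    """Return the remaining phase 2 lifetime (seconds) of every ESP SA listed."""
    pattern = r"remaining key lifetime \(kB/sec\): \(\d+/(\d+)\)"
    return [int(m.group(1)) for m in re.finditer(pattern, text)]


def parse_session_timeout(text):
    """Return vpn-session-timeout in seconds, or None when it is 'none' or absent."""
    m = re.search(r"^\s*vpn-session-timeout\s+(none|\d+)\s*$", text, re.M)
    if m is None or m.group(1) == "none":
        return None
    return int(m.group(1)) * 60  # the command takes minutes


def infer_phase2_lifetime(p1_lifetime, p1_remaining, p2_remaining):
    """Estimate the negotiated phase 2 lifetime from what is left on the SAs.

    Assumption: the IPsec SA was built together with the IKE SA and has not
    rekeyed since, so its age is p1_lifetime - p1_remaining.
    """
    elapsed = p1_lifetime - p1_remaining
    return elapsed + min(p2_remaining)


def diagnose(p1_lifetime, p1_remaining, p2_remaining, session_timeout):
    """Return (seconds, timer_name, findings): the timer that ends the tunnel first."""
    p2_lifetime = infer_phase2_lifetime(p1_lifetime, p1_remaining, p2_remaining)
    candidates = {"phase-1 lifetime": p1_lifetime, "phase-2 lifetime": p2_lifetime}
    if session_timeout is not None:
        candidates["group-policy vpn-session-timeout"] = session_timeout
    findings = []
    if p2_lifetime < ASA_DEFAULT_P2_LIFETIME:
        findings.append(
            f"phase-2 lifetime negotiated down to {p2_lifetime}s "
            f"(ASA default {ASA_DEFAULT_P2_LIFETIME}s); the peer proposes the lower value"
        )
    if p1_lifetime < ASA_DEFAULT_P1_LIFETIME:
        findings.append(f"phase-1 lifetime is {p1_lifetime}s (ASA default {ASA_DEFAULT_P1_LIFETIME}s)")
    if session_timeout is not None and session_timeout < min(p1_lifetime, p2_lifetime):
        findings.append(
            f"vpn-session-timeout {session_timeout // 60} min is shorter than either SA "
            "lifetime; the inherited group policy ends the tunnel, not a rekey"
        )
    shortest = min(candidates, key=candidates.get)
    return candidates[shortest], shortest, findings


if __name__ == "__main__":
    p1 = parse_isakmp_sa_detail(ISAKMP_SA_DETAIL)
    p2 = parse_ipsec_sa_remaining(IPSEC_SA)
    st = parse_session_timeout(GROUP_POLICY)
    secs, timer, findings = diagnose(*p1, p2, st)
    print(f"first teardown in {secs}s by {timer}")
    for f in findings:
        print(" -", f)
```

Feed it real output and it points at the lowest timer: with the 60-minute group-policy limit it reports the session timeout, and with that removed but a peer offering a 3600 s phase 2 lifetime it reports the phase 2 lifetime instead. The "timeout conn 1:00:00" line from the first post is an idle timer for connections passing through the firewall, not an SA or session timer, which is why it is not among the candidates here.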
I have the same problem that brianbono explained, but the difference is that my default group policy max connect time is unlimited. I am still facing the disconnection after 1 hour and automatic reconnect (single request timeout). What could be causing this issue?