I am trying to find out the source of disconnects between Outlook (LAN) users and hosted mail services (via Exchange) at the far end of an IPSec tunnel.
A site-to-site tunnel has been set up between the customer's ASA5510 and a PIX515 on the provider side. Users are able to send/receive messages (via Exchange services accessible through the tunnel) without problems; however, users are noticing that intermittently their Outlook clients are showing that they are in "Offline" status, presumably because there was a brief timeout between the Outlook client and the Exchange server. The functional problem is that if users don't know that Outlook is in "Offline" status, they won't hit Send/Receive (which works) to check for new messages. This action also brings Outlook to "Online" status.
I know that the tunnel is not down as I have pinged the Exchange server from a LAN PC for 4 days without any significant packet losses. Could there be something within the ASA5510, like a session table, that is being cleared, so that when the Outlook client attempts to check in with the Exchange server, the ASA5510 perhaps sees it as an invalid traffic session?
Basically, as a logical network, the tunnel appears to have a high degree of uptime yet the users get disconnected intermittently. There are no indications that the disconnection occurs at a certain time of the day or day of the week. It's intermittent and seems to occur randomly for users about 2 or 3 times per week.
The ASA does have a variety of session timeouts that could be causing your symptoms. The likely timers are the "conn" and "xlate" timeouts, which default to 1 hour and 3 hours, respectively. I'd suggest looking in your ASA logs for message number 302014, which is the "teardown" message for TCP connections. This message lists the reason for the teardown, so if it says "Conn-timeout" or "Idle Timeout" as the reason, that would confirm this as the cause. Note that this message is at the "Informational" level, so to see it you'll need to enable logging at either that level or the "Debugging" level, which will also enable a lot of other messages. A syslog server will be very useful in this situation, since normal operation in a PIX/ASA generates a lot of teardown messages.
The other thing you could try would be to increase or disable the timeouts. The old defaults used to be 12 hours and 24 hours, but you can disable the timeout by setting it to zero. Personally, I'd be inclined to try something on the order of 8 hours, since that's a typical work day.
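As an added illustration of the log check described in the answer above (this is example code, not part of the original thread or any Cisco tool), the script below scans a few constructed ASA syslog lines in the 302014 teardown format, keeps only teardowns that involve the Exchange server, and separates timer-driven reasons ("Conn-timeout", "Idle Timeout") from normal closes ("TCP FINs", "TCP Reset-I"). It also flags connections whose lifetime sits right at the 1-hour conn timer, which is the signature of an idle session being reaped rather than closed by either endpoint. The server address, hostnames and log lines are all constructed for the example.

```python
"""Scan ASA syslog for 302014 TCP teardown messages and flag timer-driven
teardowns of Exchange connections (added example, not from the original post)."""
import re
from collections import Counter

# Constructed sample syslog lines in the ASA 302014/302013 format (not real logs).
# 203.0.113.25 stands in for the hosted Exchange server at the far end of the tunnel.
EXCHANGE_IP = "203.0.113.25"  # constructed address
SAMPLE_LOG = """\
Jan 10 09:14:02 asa5510 %ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.25/135 to inside:192.168.10.21/49321 duration 0:00:05 bytes 2048 TCP FINs
Jan 10 10:15:07 asa5510 %ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.25/135 to inside:192.168.10.22/49402 duration 1:00:01 bytes 10240 Conn-timeout
Jan 10 10:16:00 asa5510 %ASA-6-302013: Built outbound TCP connection 103 for outside:203.0.113.25/135 (203.0.113.25/135) to inside:192.168.10.22/49410 (198.51.100.2/49410)
Jan 10 11:20:44 asa5510 %ASA-6-302014: Teardown TCP connection 104 for outside:198.51.100.50/443 to inside:192.168.10.30/50111 duration 0:12:33 bytes 51200 TCP Reset-I
Jan 10 12:02:19 asa5510 %ASA-6-302014: Teardown TCP connection 105 for outside:203.0.113.25/135 to inside:192.168.10.21/49555 duration 1:00:00 bytes 8192 Conn-timeout
"""

# 302014 is the ASA's TCP teardown record; the trailing field is the teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*?))?\s*$"
)

# Reasons that point at an ASA timer rather than at either endpoint closing the session.
TIMER_REASONS = ("Conn-timeout", "Idle Timeout")

# The default conn timeout quoted in the answer (1 hour), in seconds.
DEFAULT_CONN_TIMEOUT_SECONDS = 3600


def parse_teardowns(log_text):
    """Return one dict per 302014 line; other messages (e.g. 302013 'Built') are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def duration_seconds(duration):
    """Convert the 'h:mm:ss' duration field of a teardown message to seconds."""
    hours, minutes, seconds = (int(part) for part in duration.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def involves_host(record, ip):
    """True if the connection had ip as either endpoint."""
    return ip in (record["src_ip"], record["dst_ip"])


def timeout_teardowns(records, server_ip):
    """Teardowns of connections to/from server_ip whose reason is an ASA timer."""
    return [r for r in records
            if involves_host(r, server_ip) and r["reason"] in TIMER_REASONS]


def reason_counts(records, server_ip):
    """How often each teardown reason occurs for the server; a large share of
    'Conn-timeout' relative to 'TCP FINs' is the confirmation the answer describes."""
    return Counter(r["reason"] for r in records if involves_host(r, server_ip))


def near_timer(record, timer_seconds=DEFAULT_CONN_TIMEOUT_SECONDS, slack=5):
    """True if the connection lived almost exactly one timer interval, i.e. it was
    reaped for being idle rather than closed by Outlook or Exchange."""
    return abs(duration_seconds(record["duration"]) - timer_seconds) <= slack


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    for r in timeout_teardowns(recs, EXCHANGE_IP):
        flag = " (at conn timer)" if near_timer(r) else ""
        print(f"conn {r['conn_id']} {r['src_ip']} -> {r['dst_ip']} "
              f"lived {r['duration']}, reason {r['reason']}{flag}")
    print("reasons for Exchange connections:", dict(reason_counts(recs, EXCHANGE_IP)))
```

Point the script at a syslog server export rather than the ASA's own buffer, since the informational level the answer mentions produces a teardown line for every connection. If the Exchange teardowns cluster at "Conn-timeout" with durations of almost exactly 1:00:00, the conn timer is the cause; the longer value the answer suggests is set on the ASA with `timeout conn hh:mm:ss` (and `timeout xlate hh:mm:ss` for the translation timer).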