L2L IPSec VPN Dropping

itccv0822
Level 1

Hi,

I have a LAN-to-LAN scenario. The central office has an ASA5505 and the remote office has an SR520. The VPN connection is functional. My problem is that about once a month, or maybe more often (it seems random), the remote office will lose connection to software we have hosted in the central office. Then a couple of seconds later they will be able to reconnect. This has stumped me because I run a continuous ping between the two sites in both directions and see absolutely nothing wrong, no packet loss at the time of the disconnect. Today it happened again. Looking at the central site router's log, I do see that the remote site's IPsec rekey interval matches the time they were dropped. I am wondering if it is taking too long to rekey. I currently have IPsec with 3DES-168, MD5. My rekey interval is 3600 seconds. I believe this is the max rekey interval on the SR520 or I would turn that up. I am wondering if there is a simpler algorithm I should use to avoid this problem. Should I think about using DES or less than 168? Is there any way to raise the rekey interval beyond 3600 on an SR520?

Thanks a lot for any information.

5 Replies

Farrukh Haroon
VIP Alumni

Under normal operation, the devices are supposed to re-key BEFORE the current key is about to expire. What are your PFS settings?

Regards

Farrukh

Hi,

Right now I have no PFS on either end. Over the weekend I changed it to DES instead of 3DES. I also turned on aggressive mode. I also found a way to change the rekey time up from 3600 seconds. I thought 3600 seconds was the max rekey interval on the SR520, but I was able to use the "set security-association lifetime seconds ..." command to set it to one day for the time being. Since it won't rekey until midnight, that should let me know if that is the issue.

It's a tough one because as far as I can tell the ping to the remote office never drops. They just all lose connection to our application in the central server momentarily. Any other suggestions?

Maybe the application is more sensitive than the ping timeout. You could try a lower ms value for the ping timeout.

Regards

Farrukh

Hi,

Firstly, I wouldn't recommend setting your VPN to be DES or aggressive mode. Both of these are easy to hack (especially if you set your re-keying times high).

As mentioned by Farrukh, the keys should be re-keyed before the lifetime expires. However, perhaps one end of the VPN is rekeying early? This could be due to the keys expiring because of the amount of data sent over the VPN, or perhaps due to DPD (because of packet loss).

Is your ping running from the same source and destination IP? I.e. is your ping definitely being covered by the same phase 2 SA?

Considering you don't lose a ping, you should also consider the fact that the network isn't at fault here. Perhaps the application isn't designed to run over a WAN and isn't tolerant to latency or packet loss. There may be some application settings/tuning that will help.

Regards
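For reference, the two configurations discussed in this thread look like this on an IOS-based router such as the SR520. This is an added example, not configuration posted by anyone in the thread: the peer address 198.51.100.1, the crypto map name L2L, ACL 110 and the pre-shared key placeholder are all assumed, and the exact commands available (in particular `crypto isakmp aggressive-mode disable` and AES support) should be checked against the SR520's own software release.

```cisco
! ---- Weak settings as described in the thread (added example, not from the thread) ----
! Single DES and MD5, no PFS, aggressive mode left enabled, one-day phase 2 lifetime.
! A long lifetime without PFS means one compromised key exposes a whole day of traffic.
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 198.51.100.1
!
crypto ipsec transform-set L2L-DES esp-des esp-md5-hmac
!
crypto map L2L 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set L2L-DES
 set security-association lifetime seconds 86400
 match address 110

! ---- Hardened version of the same tunnel ----
! 3DES with SHA-1 (use AES if the platform offers it), PFS so each phase 2 key is
! independent, aggressive mode refused, default one-hour lifetime, and DPD so a dead
! peer is detected by keepalives instead of only at rekey time.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <pre-shared-key> address 198.51.100.1
crypto isakmp aggressive-mode disable
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set L2L-3DES esp-3des esp-sha-hmac
!
crypto map L2L 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set L2L-3DES
 set pfs group2
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 match address 110

! Verification: the remaining seconds and kilobytes on the current SA are shown by
!   show crypto ipsec sa
!   show crypto isakmp sa
! Watch the kilobyte counter as well as the timer; a busy tunnel can hit the volume
! limit and rekey well before the seconds lifetime, which is one way a rekey can
! happen earlier than expected.
```

PFS has to be configured identically on both peers (on the ASA it is `crypto map <name> <seq> set pfs group2`), otherwise phase 2 negotiation fails after the change. The `set security-association lifetime` values are per crypto map entry, so they apply only to this peer.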

Hi,

Thanks for the excellent information. I will probably change it back up to 3DES this weekend or even tonight. So aggressive is a security risk? It sounded so great when I read the description. Well I will turn that off too. It doesn't matter as long as I don't rekey every hour. If I rekey only at night then it can take its time. Is once a day reauthentication unacceptable?
