I have a LAN-to-LAN scenario. The central office has an ASA5505 and the remote office has an SR520. The VPN connection is functional. My problem is about once a month or maybe more often (seems random) the remote office will lose connection to software we have hosted in the central office. Then a couple of seconds later they will be able to reconnect. This has stumped me because I run a continuous ping between the 2 sites in both directions and see absolutely nothing wrong, no packet loss at the time of disconnect. Today it happened again. Looking at the central site router's log, I do see that the remote site's IPSEC rekey interval matches the time they were dropped. I am wondering if it is taking too long to rekey. I currently have IPSEC with 3DES-168, MD5. My rekey interval is 3600 seconds. I believe this is the max rekey interval on the SR520 or I would turn that up. I am wondering if there is a simpler algorithm I should use to avoid this problem. Should I think about using DES or less than 168? Is there any way to up the rekey interval beyond 3600 on an SR520?
Right now I have no PFS on either end. Over the weekend I changed it to DES instead of 3DES. I also turned it to aggressive mode. I also found a way to change the rekey time up from 3600 seconds. I thought 3600 seconds was the max rekey interval on the SR520 but was able to use the "Set security-association lifetime seconds ..." command to set it for 1 day for the time being. Since it won't rekey until midnight that should let me know if that is the issue.
It's a tough one because as far as I can tell the ping to the remote office never drops. They just all lose connection to our application in the central server momentarily. Any other suggestions?
Firstly, I wouldn't recommend setting your VPN to be DES or aggressive mode. Both of these are easy to hack (especially if you set your re-keying times high).
As mentioned by Farrukh, the keys should be re-keyed before the lifetime expires. However, perhaps one end of the VPN is rekeying early? This could be due to the keys expiring because of the amount of data sent over the VPN, or perhaps due to DPD (due to packet loss).
Is your ping running from the same source and destination IP? I.e., is your ping definitely being covered by the same phase 2 SA?
Considering you don't lose a ping, you should also consider the fact that the network isn't at fault here. Perhaps the application isn't designed to run over a WAN and isn't tolerant to latency or packet loss. There may be some application settings/tuning that will help.
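One way to test the rekey-timing hypothesis raised above, as an added example that is not part of this thread: a Python script that parses rekey log lines from both ends of the tunnel, flags disconnects that fall within a few seconds of a rekey, and reports rekeys that arrive earlier than the configured 3600 s lifetime, which would point at a volume-based expiry or a DPD restart rather than the timer. The log format, host names, IP addresses and timestamps are all constructed for this example and are not real ASA or SR520 syslog output.

```python
"""Correlate IPsec rekey events with application disconnects (added example)."""
import re
from datetime import datetime

# Constructed, generic syslog-shaped lines; not real ASA or SR520 output.
# "central" is the ASA end, "remote" the SR520 end of the tunnel.
REKEY_LOG = """\
2011-03-07 08:00:02 central IPSEC-SA rekey peer=203.0.113.2
2011-03-07 09:00:05 central IPSEC-SA rekey peer=203.0.113.2
2011-03-07 09:41:10 remote IPSEC-SA rekey peer=198.51.100.1
2011-03-07 10:00:03 central IPSEC-SA rekey peer=203.0.113.2
2011-03-07 10:12:00 remote IPSEC-SA rekey peer=198.51.100.1
"""
# Constructed disconnect times reported by the remote office users.
APP_DROPS = ["2011-03-07 09:00:07", "2011-03-07 09:30:00", "2011-03-07 10:12:03"]

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) IPSEC-SA rekey peer=(\S+)$")


def parse_rekeys(text):
    """Return a list of (timestamp, site) for every rekey line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events


def correlate(rekeys, drops, window_s=30):
    """Map each drop to the site whose rekey is nearest within window_s, else None."""
    result = {}
    for d in drops:
        t = datetime.fromisoformat(d)
        nearest = min(((abs((t - rt).total_seconds()), site) for rt, site in rekeys),
                      default=None)
        result[d] = nearest[1] if nearest and nearest[0] <= window_s else None
    return result


def early_rekeys(rekeys, site, lifetime_s=3600, slack_s=300):
    """Intervals between one site's rekeys that are shorter than the timer allows.
    An early rekey points at a volume-based lifetime or DPD restart, not the clock."""
    times = sorted(rt for rt, s in rekeys if s == site)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return [g for g in gaps if g < lifetime_s - slack_s]


if __name__ == "__main__":
    events = parse_rekeys(REKEY_LOG)
    for drop, site in correlate(events, APP_DROPS).items():
        print(drop, "->", site or "no rekey nearby")
    print("early remote rekeys (s):", early_rekeys(events, "remote"))
```

Run it against real exported logs by replacing the two constructed inputs; a drop that maps to "remote" while the ping SA never drops is consistent with a separate phase 2 SA for the application traffic.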
Thanks for the excellent information. I will probably change it back up to 3DES this weekend or even tonight. So aggressive is a security risk? It sounded so great when I read the description. Well I will turn that off too. It doesn't matter as long as I don't rekey every hour. If I rekey only at night then it can take its time. Is once a day reauthentication unacceptable?