I've got SA520s connecting to an ASA5500 head end via regular IPsec VPN tunnels. When the head end drops the tunnel, none of the SA520s will ever re-establish their tunnels, while the ASA5505s in the field will re-establish. Rebooting the SA520s will re-establish the tunnel for about 1-2 minutes, then the tunnel drops again; according to the logs in the SA520, it drops the tunnel immediately following the SA520 updating its date/time.
The SA520 boots up with a date of 12/31/1999, then creates a tunnel to the ASA5510, then updates its date/time, thus expiring the current SA. However, viewing the VPN Status on the SA520 shows the tunnel is up, but clearly it's not, nor does the ASA at the head end show a tunnel established with that SA520.
There are only 2 ways to re-establish the tunnel:
1. Disable the VPN on the SA520, reboot, wait a few minutes, then enable the VPNs; they will connect and stay connected.
2. Delete the VPN config from the SA520 and rebuild it; it will connect and stay connected.
Does anybody have a workaround for this erroneous date/time issue on the SA520s? I purchased 5 of them last year to replace the more expensive ASA5505s we have in the field, but now that I'm deploying them I'm finding my VPN over the SA520s is not very resilient.
Here are the logs immediately following a reboot. The SA520 comes up with a date of 12/31/99, establishes the tunnel, then gets a new date and expires the SAs. As you can see, the tunnel is established before the date changes and I'm able to ping across the tunnel until it expires the SA; after the SAs expire nothing passes, yet the web interface shows the tunnel to be up even though it's not.
Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO: IPsec-SA established: ESP/Tunnel xx.xx.xx.2->xx.xx.xx.178 with spi=226923459(0xd8693c3)
Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO: IPsec-SA established: ESP/Tunnel xx.xx.xx.178->xx.xx.xx.2 with spi=3344916756(0xc75f6114)
Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO: Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.50
Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO: Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.2
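As an added example (not code from the original post or from Cisco), here is a small Python check that reads SA520 log lines like the ones above and flags IPsec SAs that were negotiated before a large forward clock jump, so that their lifetime-based expiry already lies in the past once NTP corrects the clock. The 1-hour Phase 2 lifetime, the 1-day jump threshold and the sample log lines are assumptions constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the SA520 excerpt quoted in the post above.
SAMPLE_LOG = """\
Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO: IPsec-SA established: ESP/Tunnel xx.xx.xx.2->xx.xx.xx.178 with spi=226923459(0xd8693c3)
Fri Dec 31 18:07:39 1999 (GMT -0600): [fwrol01] [IKE] INFO: IPsec-SA established: ESP/Tunnel xx.xx.xx.178->xx.xx.xx.2 with spi=3344916756(0xc75f6114)
Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO: Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.50
Mon Feb 06 15:36:11 2012 (GMT -0600): [fwrol01] [IKE] INFO: Phase 2 sa expired xx.xx.xx.178-xx.xx.xx.2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"IPsec-SA established: \S+ (?P<src>\S+)->(?P<dst>\S+) with spi=(?P<spi>\d+)")
EXPIRED_RE = re.compile(r"Phase 2 sa expired ")

def parse_line(line):
    """Split one SA520 log line into (naive local datetime, message), or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("msg")

def find_clock_jump_expiries(log_text, sa_lifetime=timedelta(hours=1), jump_threshold=timedelta(days=1)):
    """Flag IPsec SAs negotiated before a forward clock jump whose absolute expiry
    (establish time + lifetime) already lies in the past once the clock is corrected.
    sa_lifetime is an assumed Phase 2 lifetime: substitute the value configured on the device."""
    expired_sas, pending, prev_ts, jumped, expiry_lines = [], [], None, False, 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if prev_ts is not None and ts - prev_ts > jump_threshold:
            # The clock moved forward by more than jump_threshold (e.g. NTP sync after booting
            # at the 1999 epoch). Any SA still pending has now outlived its lifetime.
            jumped = True
            for est_ts, spi, src, dst in pending:
                if est_ts + sa_lifetime < ts:
                    expired_sas.append({"spi": spi, "tunnel": f"{src}->{dst}", "established": est_ts,
                                        "clock_after_jump": ts, "jump": ts - prev_ts})
            pending = []
        est = ESTABLISHED_RE.search(msg)
        if est:
            pending.append((ts, est.group("spi"), est.group("src"), est.group("dst")))
        elif jumped and EXPIRED_RE.search(msg):
            expiry_lines += 1  # device-side confirmation that SAs were torn down after the jump
        prev_ts = ts
    return {"expired_sas": expired_sas, "expiry_log_lines_after_jump": expiry_lines}
```

Running it over the sample reports both SAs from the 1999 boot clock as expired by a jump of roughly twelve years, followed by two "sa expired" lines; a log whose timestamps never jump produces no findings.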
No solution; warranty on these SMB devices is apparently 3 months and had expired before I got my 2 test SA520s configured and deployed.
Considering there have been little or zero suggestions on this board, I suspect there aren't very many people out there running these in similar scenarios. The firmware that came on the SA520 originally was buggy on half of the features. The upgrade fixed most of the wireless and VLAN issues and improved the IPsec, but all of them still have buggy features.
It looks from the logs like you have 2 VPN tunnels that both expired their Phase 1 SA at the same time. It looks like after the SA expired for both tunnels, the SA could not find a matching policy on the remote devices to re-establish the tunnel, for whatever reason. It is possible that the other side of the tunnels didn't remove their SAs or something has changed in the policy.
You could make sure the policies match on both sides, turn off PFS, and turn on DPD on both sides. Make sure the lifetimes match on both sides as well.