
ASA 5510: flapping s2s VPNs

Hello everyone,

I have a hub-n-spoke VPN network with 5510 boxes at several locations.

Users complaining that s2s links are flapping from time to time for two locations.

Here is log output for the moments when links are torn down:

First spoke:

07-07-2010    20:17:09    Local4.Notice    <HUB-ASA-IP>    %ASA-5-713259: Group = <SPOKE1-ASA-IP>, IP = <SPOKE1-ASA-IP>, Session is being torn down. Reason: User Requested
07-07-2010    20:17:09    Local4.Notice    <HUB-ASA-IP>    %ASA-5-713050: Group = <SPOKE1-ASA-IP>, IP = <SPOKE1-ASA-IP>, Connection terminated for peer <SPOKE1-ASA-IP>.  Reason: Peer Terminate  Remote Proxy 10.3.0.0, Local Proxy 172.16.100.0

Second spoke:


07-07-2010    18:34:45    Local4.Notice    <HUB-ASA-IP>    %ASA-5-713259: Group = <SPOKE1-ASA-IP>, IP = <SPOKE2-ASA-IP>, Session is being torn down. Reason: Idle Timeout

07-07-2010    18:34:45    Local4.Notice    <HUB-ASA-IP>    %ASA-5-713050: Group = <SPOKE1-ASA-IP>, IP = <SPOKE2-ASA-IP>, Connection terminated for peer <SPOKE2-ASA-IP>.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.5.0.0, Local Proxy 172.16.100.0

I believe the text in bold is the reason, but I am not sure why remote site1 is requesting connection termination and why the SA for site2 times out.

I have an SA lifetime of 24h\4Gb at each ASA, and neither the traffic volume nor the amount of time is ever exceeded in these cases; keepalives are enabled at the hub ASA as well. I see a number of "flappings" through the day with the same termination reasons as I presented above. Does anyone have an idea or suggestion why the s2s VPNs are flapping and how to make them more stable even if traffic is not flowing across?

Thanks in advance.

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Sergey,

Any chance you have vpn idle timeout configured on either of the sides (it can be in group-policy, maybe default?) (show run all group-policy | i vpn)

"IPSec SA Idle Timeout"

HTH,

Marcin

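Added example (not part of the thread): a small Python parser for the two ASA teardown messages quoted in the question, bucketing each tunnel drop by which side ended it, so idle-timeout drops (the vpn-idle-timeout case in the accepted answer) stand apart from peer-initiated ones. The sample log lines, addresses and the export layout are constructed from the post, not taken from a real device.

```python
import re
from collections import Counter

# Constructed sample in the export format seen in the thread (date, time, facility.severity,
# reporting ASA, message). Addresses are documentation ranges, not the poster's.
SAMPLE_LOG = """\
07-07-2010    20:17:09    Local4.Notice    192.0.2.1    %ASA-5-713259: Group = 198.51.100.3, IP = 198.51.100.3, Session is being torn down. Reason: User Requested
07-07-2010    20:17:09    Local4.Notice    192.0.2.1    %ASA-5-713050: Group = 198.51.100.3, IP = 198.51.100.3, Connection terminated for peer 198.51.100.3.  Reason: Peer Terminate  Remote Proxy 10.3.0.0, Local Proxy 172.16.100.0
07-07-2010    18:34:45    Local4.Notice    192.0.2.1    %ASA-5-713259: Group = 198.51.100.5, IP = 198.51.100.5, Session is being torn down. Reason: Idle Timeout
07-07-2010    18:34:45    Local4.Notice    192.0.2.1    %ASA-5-713050: Group = 198.51.100.5, IP = 198.51.100.5, Connection terminated for peer 198.51.100.5.  Reason: IPSec SA Idle Timeout  Remote Proxy 10.5.0.0, Local Proxy 172.16.100.0
07-07-2010    18:35:10    Local4.Notice    192.0.2.1    %ASA-6-302013: Built inbound TCP connection 12345 (unrelated noise)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+(?P<reporter>\S+)\s+(?P<msg>%ASA-.*)$"
)
# The two teardown messages from the post; the proxy suffix only appears on 713050.
MSG_RE = re.compile(
    r"%ASA-5-(?P<msgid>713259|713050): Group = (?P<group>\S+), IP = (?P<ip>\S+), .*?"
    r"Reason: (?P<reason>.+?)(?:\s{2,}Remote Proxy (?P<remote>\S+), Local Proxy (?P<local>\S+))?\s*$"
)
IDLE_REASONS = {"Idle Timeout", "IPSec SA Idle Timeout"}
PEER_REASONS = {"User Requested", "Peer Terminate"}

def classify(reason):
    """Bucket the ASA reason by which side ended the tunnel."""
    if reason in IDLE_REASONS:
        return "idle-timeout"    # this ASA's vpn-idle-timeout fired: check group-policy here
    if reason in PEER_REASONS:
        return "peer-initiated"  # the remote ASA cleared the SA: look at that spoke's logs
    return "other"

def parse_event(line):
    """Return a dict for a 713259/713050 line, or None for any other message."""
    m = LINE_RE.match(line)
    mm = MSG_RE.match(m.group("msg")) if m else None
    if not mm:
        return None
    ev = {**m.groupdict(), **mm.groupdict()}
    ev["category"] = classify(ev["reason"])
    return ev

def flap_summary(lines):
    """Count tunnel drops per (peer IP, category); only 713050 is counted so each drop is one event."""
    counts = Counter()
    for ev in map(parse_event, lines):
        if ev and ev["msgid"] == "713050":
            counts[(ev["ip"], ev["category"])] += 1
    return counts
```

Peers that land in the idle-timeout bucket are the ones on which to run the show run all group-policy | i vpn check from the answer; peer-initiated drops need the remote spoke's own logs.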

2 Replies


Hi Marcin,

Thanks for the hint. I've added:

group-policy DfltGrpPolicy attributes
vpn-idle-timeout none

I'll check the spokes settings and adjust them as well.

Hope it will help.

Thanks again!
