loss of site-to-site connection after 3 ~ 5 hours

jhshin · ‎10-14-2010

we have a site-to-site IPSec tunnel between ASA5510 in our datacenter and ASA5510 a customer's datacenter. the tunnel was been up for years without any issue. There is another firewall at the customer's premises in front of the ASA5510. recently, the tunnel started going down after a few hours and there are two things we can do to re-establish the connection. one is to reload one of two ASA on either side or change ipsec setting such as NAT-T to enabled (or disabled), then the tunnel comes right back up but the outage happens again.

what could this be? we tried to fix this for two weeks now and I've decided to reach out the collective wisdom of this community. please help us!

Marcin Latosiewicz · ‎10-15-2010

Are you using NAT-T (udp/4500) or "straight" udp/500 + ESP/AH?

If you're not using NAT-T maybe the problem with this is connection for IKE expiring on the firewall in front?
Maybe extending the timeout for udp/500 could help? On ASA/FWSM default timeout for UDP is 2 minutes of inactivity.

Marcin

jhshin · ‎10-15-2010

using NAT -T and ESP/AH. we have interesting traffic going across every 30 seconds so i don't think it's the time out issue.

what else could this be?

Marcin Latosiewicz · ‎10-15-2010

it cannot be NAT-T and esp/ah at the same time ;-)

If you're using NAT-T (and I mean if it's in effect not just configured) all your ESP/AH traffic is encapsulated into udp/4500.

If you're not using NAT-T you will have an IKE session up (udp/500) and ESP/AH channel.If you're using this and sending traffic all the time ESP/Ah will not time out but udp/500 may ...

Well start with checking basics vpn-session-time vpn-idle-timeout on VPN endpoints.

Monitor connections being torn created/torn down on the device in between.

Check logs on VPN endpoints to see what was the reason for tearing down the tunnel "Lost service"?

Marcin