Remote Peer terminates connection immediately after rekeying
I have an obscure problem. I have an ASA 5510 as the hub device in my network with 33 spoke nodes. The spokes are a mix of 2821 and 2651 routers. My network is fully meshed (to support site-to-site VOIP). I use IPSEC (L2TP) tunnels and "hair pinning". For the most part, everything seems to operate fine, with the occasional exception of the rekeying process.
At random intervals when the rekeying process takes place, Phase 2 completes and then immediately the Remote Peer terminates the connection and the rekeying process starts again. This can happen 30 or 40 times in a 25 or 30 second period. The normal rekeying process (lifetime security association) happens in a second or two. During the drawn-out rekeying process, voice calls between sites experience "one-way" or "no-way" audio. Examination of the ASA logs reveals that the remote proxy subnet in the peer termination seems to always be my voice VLAN at the remote site.
I currently have IPSEC debugging turned on in one of my remote routers to try and capture more info (cause of the termination) but it is so random it is like looking for a needle in a haystack.
Anyone seen this before or have any ideas why the peer would act like this?
Re: Remote Peer terminates connection immediately after rekeying
If the users are frequently disconnected across the L2L tunnel, the problem can be the lesser lifetime configured in the ISAKMP SA. If any discrepancy occurs in the ISAKMP lifetime, you can receive the %PIX-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message. Configure the same value in both peers in order to fix it.
The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point), but, with shorter lifetimes, the security appliance sets up future IPsec SAs more quickly.
A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime, from the policy of the remote peer, is used. If no acceptable match is found, IKE refuses negotiation, and the IKE SA is not established.
Specify the SA lifetime. This example sets a lifetime of 4 hours (14400 seconds). The default is 86400 seconds (24 hours).
hostname(config)#isakmp policy 2 lifetime 14400
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#lifetime 14400
If the maximum configured lifetime is exceeded, you receive this error message when the VPN connection is terminated:
Secure VPN Connection terminated locally by the Client. Reason 426: Maximum Configured Lifetime Exceeded.
In order to resolve this error message, set the lifetime value to 0 in order to set the lifetime of an IKE security association to infinity. The VPN will then always be connected and will not terminate.
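The thread describes two things worth checking in the hub's syslog before touching lifetimes: a burst of Phase 2 completions followed by "Peer Terminate" messages for one peer (the original post), and the 713092 Phase 1 rekey collision the reply mentions. The following script is an added example, not code from the original thread or from Cisco. It scans ASA syslog text, groups those events per peer, and flags any peer whose Phase 2 rekeys repeat more than a threshold number of times inside a short window, reporting the remote proxy subnet that appears most often in the terminations. The sample log lines are constructed; the message IDs 713120 (Phase 2 completed), 713050 (connection terminated for peer) and 713092 (Phase 1 rekey collision) and their wording are assumed from Cisco's ASA syslog message reference, and the peer addresses, subnets, hostname and timestamps are invented.

```python
"""Flag IPsec rekey storms per peer in Cisco ASA syslog output.

Added example, not from the original thread. Message IDs and wording are
assumed from Cisco's ASA syslog reference; all addresses are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

WINDOW_SECONDS = 30   # window the original post describes (25-30 s)
THRESHOLD = 5         # Phase 2 completions inside the window that count as a storm

LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %(?:ASA|PIX)-\d-(\d{6}): (.*)$"
)
PEER_RE = re.compile(r"IP = ([\d.]+)")
PROXY_RE = re.compile(r"Remote Proxy ([\d.]+)")

# Constructed sample: peer 203.0.113.5 rekeys seven times in 22 seconds and is
# torn down by the remote side each time; peer 203.0.113.6 rekeys normally.
SAMPLE_LOG = """\
Mar 10 2024 11:00:00 asa-hub %ASA-5-713120: Group = 203.0.113.6, IP = 203.0.113.6, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Mar 10 2024 14:00:00 asa-hub %ASA-5-713120: Group = 203.0.113.6, IP = 203.0.113.6, PHASE 2 COMPLETED (msgid=0a1b2c3e)
Mar 10 2024 14:02:01 asa-hub %ASA-5-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=1a2b3c01)
Mar 10 2024 14:02:01 asa-hub %ASA-5-713050: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5. Reason: Peer Terminate Remote Proxy 10.20.30.0, Local Proxy 10.0.0.0
Mar 10 2024 14:02:02 asa-hub %ASA-6-302015: Built outbound UDP connection 4711 for outside:203.0.113.5/500 (203.0.113.5/500) to identity:198.51.100.1/500 (198.51.100.1/500)
Mar 10 2024 14:02:04 asa-hub %ASA-5-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=1a2b3c02)
Mar 10 2024 14:02:04 asa-hub %ASA-5-713050: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5. Reason: Peer Terminate Remote Proxy 10.20.30.0, Local Proxy 10.0.0.0
Mar 10 2024 14:02:08 asa-hub %ASA-5-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=1a2b3c03)
Mar 10 2024 14:02:08 asa-hub %ASA-5-713050: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5. Reason: Peer Terminate Remote Proxy 10.20.30.0, Local Proxy 10.0.0.0
Mar 10 2024 14:02:11 asa-hub %ASA-5-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=1a2b3c04)
Mar 10 2024 14:02:11 asa-hub %ASA-5-713050: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5. Reason: Peer Terminate Remote Proxy 10.20.40.0, Local Proxy 10.0.0.0
Mar 10 2024 14:02:15 asa-hub %ASA-5-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=1a2b3c05)
Mar 10 2024 14:02:15 asa-hub %ASA-5-713092: Group = 203.0.113.5, IP = 203.0.113.5, Failure during phase 1 rekeying attempt due to collision
Mar 10 2024 14:02:15 asa-hub %ASA-5-713050: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5. Reason: Peer Terminate Remote Proxy 10.20.30.0, Local Proxy 10.0.0.0
Mar 10 2024 14:02:19 asa-hub %ASA-5-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=1a2b3c06)
Mar 10 2024 14:02:19 asa-hub %ASA-5-713050: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5. Reason: Peer Terminate Remote Proxy 10.20.30.0, Local Proxy 10.0.0.0
Mar 10 2024 14:02:23 asa-hub %ASA-5-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=1a2b3c07)
"""


def parse_line(line):
    """Return {ts, peer, kind, proxy} for a relevant ASA/PIX line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text, msg_id, body = m.groups()
    peer = PEER_RE.search(body)
    if not peer:
        return None
    if "PHASE 2 COMPLETED" in body:
        kind = "phase2"
    elif "Connection terminated for peer" in body:
        kind = "terminate"
    elif "rekeying attempt due to collision" in body:
        kind = "collision"
    else:
        return None
    proxy = PROXY_RE.search(body)
    return {"ts": datetime.strptime(ts_text, "%b %d %Y %H:%M:%S"),
            "peer": peer.group(1), "kind": kind, "msg_id": msg_id,
            "proxy": proxy.group(1) if proxy else None}


def max_events_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):          # two-pointer sliding window
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_rekey_storms(log_text, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {peer: summary} for peers whose Phase 2 rekeys repeat too quickly."""
    phase2, proxies, collisions = defaultdict(list), defaultdict(Counter), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "phase2":
            phase2[ev["peer"]].append(ev["ts"])
        elif ev["kind"] == "terminate":
            proxies[ev["peer"]][ev["proxy"]] += 1
        else:
            collisions[ev["peer"]] += 1
    storms = {}
    for peer, times in phase2.items():
        burst = max_events_in_window(times, window_seconds)
        if burst >= threshold:
            top = proxies[peer].most_common(1)
            storms[peer] = {"rekeys_in_window": burst,
                            "terminations": sum(proxies[peer].values()),
                            "top_remote_proxy": top[0][0] if top else None,
                            "phase1_collisions": collisions[peer]}
    return storms


if __name__ == "__main__":
    for peer, summary in find_rekey_storms(SAMPLE_LOG).items():
        print(peer, summary)
```

Run it against real output from `show logging` (or an exported syslog file) by replacing SAMPLE_LOG; a peer whose `top_remote_proxy` is consistently one subnet, as the original post observed for the voice VLAN, points at the crypto ACL or SA for that proxy pair on the remote router rather than at the Phase 1 policy, whereas a non-zero `phase1_collisions` count is the symptom the reply's lifetime advice addresses.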