VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes

Post by Guest » Tue Feb 14, 2006 12:03 am

authentication retries but never reconnects. I have to reboot the appliance to bring the tunnel back up. Found the following in the syslogs:

2010-07-07 13:28:34 Local4.Notice 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
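The two syslog lines above are the only evidence in the post, so the first thing a defender wants is a way to pull every %ASA-4-113019 "Session disconnected" record out of a syslog export, group the "Lost Service" teardowns per peer, and flag a peer that drops repeatedly inside a short window. The following is an added example written for this thread, not code from the poster or from Cisco; the log lines embedded in it are constructed to match the format quoted above (with TEST-NET peer addresses), and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for ASA message 113019 ("Session disconnected") in the shape the
# thread shows: syslog-relay timestamp and facility, device IP, device clock,
# then the ASA message body. The optional "auth-"/"vpn-" class token is
# accepted because the quoted line carries "%ASA-auth-4-113019".
DISCONNECT_RE = re.compile(
    r"^(?P<relay_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<device>\S+) :"
    r"(?P<dev_ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) UTC: "
    r"%ASA-(?:[a-z]+-)?(?P<sev>\d)-113019: Group = (?P<group>\S+), "
    r"Username = (?P<user>\S+), IP = (?P<ip>\S+), Session disconnected\. "
    r"Session Type: (?P<stype>\w+), Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)


def parse_disconnects(lines):
    """Return one dict per 113019 line; lines of any other message id are ignored."""
    events = []
    for line in lines:
        m = DISCONNECT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            # The relay timestamp carries a year, so it is used for windowing;
            # the device clock (dev_ts) is three hours off in the quoted log.
            "ts": datetime.strptime(d["relay_ts"], "%Y-%m-%d %H:%M:%S"),
            "peer": d["ip"],
            "type": d["stype"],
            "duration": timedelta(hours=int(d["h"]), minutes=int(d["m"]), seconds=int(d["s"])),
            "bytes_xmt": int(d["xmt"]),
            "bytes_rcv": int(d["rcv"]),
            "reason": d["reason"],
        })
    return events


def find_flapping(events, reason="Lost Service", min_count=3, window=timedelta(hours=2)):
    """Peers with at least `min_count` teardowns for `reason` inside some sliding
    window of length `window` (assumed thresholds). Returns {peer: max count}."""
    by_peer = defaultdict(list)
    for e in events:
        if e["reason"] == reason:
            by_peer[e["peer"]].append(e["ts"])
    flapping = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flapping[peer] = best
    return flapping


def mean_uptime(events, peer):
    """Average session lifetime before teardown for one peer, in seconds."""
    durs = [e["duration"].total_seconds() for e in events if e["peer"] == peer]
    return sum(durs) / len(durs) if durs else 0.0


# Constructed sample modelled on the log format quoted in the thread.
SAMPLE_LOG = """\
2010-07-07 13:28:34 Local4.Warning 10.0.0.254 :Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 203.0.113.5, Username = 203.0.113.5, IP = 203.0.113.5, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
2010-07-07 13:52:10 Local4.Notice 10.0.0.254 :Jul 07 10:45:58 UTC: %ASA-vpn-5-713259: Group = 203.0.113.5, IP = 203.0.113.5, Session is being torn down. Reason: Lost Service
2010-07-07 13:52:10 Local4.Warning 10.0.0.254 :Jul 07 10:45:58 UTC: %ASA-auth-4-113019: Group = 203.0.113.5, Username = 203.0.113.5, IP = 203.0.113.5, Session disconnected. Session Type: IPsec, Duration: 0h:21m:40s, Bytes xmt: 12345678, Bytes rcv: 2345678, Reason: Lost Service
2010-07-07 14:20:01 Local4.Warning 10.0.0.254 :Jul 07 11:13:49 UTC: %ASA-auth-4-113019: Group = 203.0.113.5, Username = 203.0.113.5, IP = 203.0.113.5, Session disconnected. Session Type: IPsec, Duration: 0h:25m:12s, Bytes xmt: 9876543, Bytes rcv: 1234567, Reason: Lost Service
2010-07-07 14:30:00 Local4.Warning 10.0.0.254 :Jul 07 11:23:48 UTC: %ASA-auth-4-113019: Group = 198.51.100.9, Username = 198.51.100.9, IP = 198.51.100.9, Session disconnected. Session Type: IPsec, Duration: 5h:02m:11s, Bytes xmt: 1000, Bytes rcv: 2000, Reason: User Requested
"""

if __name__ == "__main__":
    evts = parse_disconnects(SAMPLE_LOG.splitlines())
    print(find_flapping(evts))                       # {'203.0.113.5': 3}
    print(round(mean_uptime(evts, "203.0.113.5")))   # 1658
```

Feed it the syslog export instead of SAMPLE_LOG and the flapping peer surfaces with its teardown count; the mean uptime per peer is worth comparing against the IKE and IPsec SA lifetimes in the configuration, since drops that line up with a lifetime point at rekey rather than at keepalives.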

Guest

Re: VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes

Post by Guest » Tue Feb 14, 2006 12:38 am

David,

First of all, can you share ASA versions and config? Is this a L2L tunnel (looks like it)? Possibly related to IKE keepalives? If it was anything graceful there would be a different delete reason. Is the reason always the same? Maybe you could try removing isakmp keepalives and see if the tunnel stays up?

Marcin

Guest

Re: VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes

Post by Guest » Tue Feb 14, 2006 1:32 am

They are both running 8.3(1)4 and yes it is a L2L tunnel. I will disable keepalives, as well.

Guest

Re: VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes

Post by Guest » Tue Feb 14, 2006 2:53 am

David,

This is of course a test only, to see if the drop is related to keepalives or some real connectivity issue keepalives are detecting. In a normal scenario you would want to have isakmp keepalives enabled on both sides. Is there any chance any of the sides has idle timeout or anything of that sort configured?

-------
show run crypto
show run tunnel-g
show run group-po
--------

taken on both sides would help. And after "lost service" is reported:

--------
show crypto isa sa
show crypto ipsec sa
--------

also from both sides. We want to check the config and state of negotiation after the tunnel drops.

Marcin

Guest

Re: VPN Tunnel between two Cisco ASA5505 drops every 15-30 minutes

Post by Guest » Tue Feb 14, 2006 4:15 am

Far End:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy toCorporateGrpPolicy
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
group-policy toCorporateGrpPolicy internal
group-policy toCorporateGrpPolicy attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec

sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3

sho crypto ipsec sa

There are no ipsec sas

Near End:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy toDRGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
group-policy toDRGrpPolicy internal
group-policy toDRGrpPolicy attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec

sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

sh crypto ipsec sa

There are no ipsec sas
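The pair of "show crypto isakmp sa" outputs above is the most telling part of the post: the initiator sits in MM_WAIT_MSG2 while the responder sits in MM_WAIT_MSG3, which under IKEv1 main-mode numbering (initiator sends the odd messages, responder the even ones; MM_WAIT_MSGn means "waiting to receive message n") says the responder's message 2 is being sent but never reaches the initiator. The script below is an added example for this thread, not code from the poster or from Cisco: it parses the SA table from each side and names the missing message and its direction. The embedded output is constructed in the format quoted above with the same 1.1.1.1/2.2.2.2 placeholders, and the hint strings are assumptions drawn from general IKEv1 troubleshooting, not from the thread.

```python
import re

# Constructed sample output in the format the thread quotes, one block per side.
FAR_END = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

NEAR_END = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# One SA entry: the "IKE Peer:" line followed by the Type/Role and Rekey/State lines.
SA_RE = re.compile(
    r"IKE Peer: (?P<peer>\S+)\s+Type\s*:\s*(?P<type>\w+)\s+Role\s*:\s*(?P<role>\w+)"
    r"\s+Rekey\s*:\s*(?P<rekey>\w+)\s+State\s*:\s*(?P<state>\S+)"
)


def parse_isakmp_sa(text):
    """Return a list of {peer, type, role, rekey, state} dicts from the SA table."""
    return [m.groupdict() for m in SA_RE.finditer(text)]


def waiting_for(state):
    """Main-mode message number a side is waiting to receive, or None."""
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", state)
    return int(m.group(1)) if m else None


def diagnose_main_mode(initiator_state, responder_state):
    """Name the main-mode message that is not arriving and which way it travels.

    Message n is sent by the initiator when n is odd and by the responder when
    n is even; the lower of the two awaited numbers is the one in flight that
    never landed. The hint strings are assumptions, not output of any device."""
    if initiator_state == "MM_ACTIVE" and responder_state == "MM_ACTIVE":
        return {"stuck": False, "missing_msg": None, "direction": None, "hint": "phase 1 is up"}
    waits = [w for w in (waiting_for(initiator_state), waiting_for(responder_state)) if w is not None]
    if not waits:
        return {"stuck": True, "missing_msg": None, "direction": None,
                "hint": "not a main-mode wait state; inspect the states by hand"}
    msg = min(waits)
    direction = "initiator->responder" if msg % 2 else "responder->initiator"
    if msg >= 5:
        hint = "messages 5/6 are encrypted: pre-shared key or peer identity mismatch is the usual cause"
    else:
        hint = "UDP/500 in that direction is not arriving: check the path, NAT and ACLs between the peers"
    return {"stuck": True, "missing_msg": msg, "direction": direction, "hint": hint}


def diagnose_outputs(side_a, side_b):
    """Pair the initiator and responder entries from two sides' outputs and diagnose."""
    entries = parse_isakmp_sa(side_a) + parse_isakmp_sa(side_b)
    roles = {e["role"]: e["state"] for e in entries}
    if "initiator" not in roles or "responder" not in roles:
        raise ValueError("need one initiator entry and one responder entry")
    return diagnose_main_mode(roles["initiator"], roles["responder"])


if __name__ == "__main__":
    print(diagnose_outputs(NEAR_END, FAR_END))
    # {'stuck': True, 'missing_msg': 2, 'direction': 'responder->initiator', 'hint': 'UDP/500 ...'}
```

Run against the real outputs from both ASAs after a drop, it turns the two state strings into a statement about which peer's IKE traffic is being lost; with keepalives already disabled on both sides, a stuck MSG2 points at the path from the far end back to the near end rather than at the keepalive mechanism.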
