topic I have done this and i am in Network Security

ASA VPN to AWS and IPSLA to keep tunnel alive

james.brunner — Tue, 12 Mar 2019 06:54:37 GMT

Hi all,

I've got an ASA5555-X running 9.2(3)4 that's got two tunnels to our AWS VPC. That all works perfectly and the internal LANs have access to and from the VPC EC2 instances. All good.

However, during the evening when the traffic goes quiet the tunnel drops and as per AWS' documents I've been trying to get IPSLA working to keep the tunnel up.

I have a local route on the ASA pointing the VPC CIDR via the outside interface's default gateway and from the ASA if I "ping inside <VPC_target_IP>" it replies ok.

So I've tried to get the SLA running with:

sla monitor 1
type echo protocol ipIcmpEcho <AWS_VPC_Target_IP> interface inside
frequency 5

But this doesn't work...

Entry number: 1
Modification time: 21:08:53.035 GMT/BST Tue Nov 17 2015
Number of Octets Used by this Entry: 2056
Number of operations attempted: 5664
Number of operations skipped: 5663
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 12:52:33.035 GMT/BST Wed Nov 18 2015
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

Changing the interface to 'outside' also doesn't work - same result.

If I run the monitor from my outside interface to the VPN peer addresses in AWS then it works fine but this is routing outside of the tunnel so the tunnel doesn't stay up - the crypto counters don't change.

I'm at a loss - I can source a ping on my inside interface to the VPC target and that works, so why won't IPSLA from the inside interface also work?

Thanks in advance for any pointers.

JB.

The SLA from the ASA doesn't

Marius Gunnerud — Tue, 08 Mar 2016 20:16:04 GMT

Try the following:

group-policy VPN_GrpPolicy attributes

vpn-idle-timeout none

tunnel-group 1.2.3.4 type ipsec-l2l

tunnel-group 1.2.3.4 general-attributes

default-group-policy VPN_GrpPolicy

Please remember to select a correct answer and rate helpful posts

Did you ever figure this out?

the-lebowski — Tue, 08 Mar 2016 20:36:01 GMT

I got this working.

You have to do two things in AWS as well to make it work. Add a route the outside IP of your ASA under VPN connection (xx.xx.xx.xx/32) and add an inbound rule in the appropriate security group to allow ICMP from the same source IP of your outside ASA IP.

Once you do that the ip sla will start working.

Hi

Carsten Madsen — Thu, 10 Mar 2016 09:27:03 GMT

I have had extensive correspondence with AWS support on this issue - the following is the conclusion of those talks. If you are having the problem, and you are sure that all configuration is set up correctly, then you have likely created your tunnel and/or VGW after 28/10 2015. Amazon rolled out a new set of features at this date, and following that, IP SLA from an ASA no longer works (confirmed by AWS support). For setups created before 28/10 2015, IP SLA from an ASA will work without any issues. This is likely why dpatten78 is reporting that his setup is working. Amazon have offered to manually apply a fix on the setups I manage, that should sort out the problem, and also tells me that they are working on applying this fix globally, meaning that IP SLA would work again on all setups.

I have spend a considerable amount of time getting to the above conclusion, so I thought I would share it, to save everyone facing the issue some time.

\Christian

Hi Carsten,

salman abid — Sun, 07 Aug 2016 18:04:31 GMT

Hi Carsten,

''Amazon have offered to manually apply a fix on the setups I manage, ''

Could you please let us know what manual fix Amazon has offered. I have configured 2 VPNs with AWS about 2 months before and even though after having the SLA configured still facing intermittent disconnection.

I have done this and i am

shankm001 — Mon, 28 Nov 2016 03:40:41 GMT

I have done this and i am still unable to ping an instance IP from the ASA.

I can ping the same instance from a server within the allowed range of IP's in our data center though.

Any ideas?

EDIT:

Adding the last persons comments actually stopped connectivity from the datacenter to aws and vice versa.

Without those lines of config, i can ping from the instance to the ASA outside interface and Datacenter DC.

I can also ping from the DC in the datacenter to the instance ip, just not from the ASA, so SLA monitor isn't working!