topic Re: Cisco ASA5506 often stops vpn connection in the morning in Network Security https://community.cisco.com/t5/network-security/cisco-asa5506-often-stops-vpn-connection-in-the-morning/m-p/3326452#M972340 one correction: the hub site ASA model is Cisco ASA5516x. Wed, 07 Feb 2018 07:10:17 GMT jude 2018-02-07T07:10:17Z Cisco ASA5506 often stops vpn connection in the morning https://community.cisco.com/t5/network-security/cisco-asa5506-often-stops-vpn-connection-in-the-morning/m-p/3326387#M972339 <P>I need some specialists to help with this:</P> <P>&nbsp;</P> <P>We have 2&nbsp; ASA5506 with same configuration in two spoke sites, IPSEC-vpn-connected to&nbsp; ASA5515 in the hub site (same hub-spoke vpn). Internet and cross-site traffic works very well, but after some hours one spoke site stops sending traffic out from the ASA5506 (the other one never had problem).</P> <P>&nbsp;</P> <P>ASDM connection from internet works fine as I'm managing the problem ASA5506 remotely. What I have found:</P> <P>- 21 incidents out of 60 occurred in the morning round 8:00 AM, when nobody works in the spoke site, but many users start to work in the hub site. Other events occurred in the working hours mostly.</P> <P>- IPSEC SA&nbsp;is still active when it stops sending traffic out. SA sent packets still increases, but received packets won't increase.</P> <P>- There is 50%-70% packet loss pinging the spoke site's isp router IP from ASA5506 (same network segment) during incident time, but no packet loss to ping ASA5506 outside IP from internet.</P> <P>- The problem can be resoled by reloading either the spoke ASA5506, or the hub ASA5515.</P> <P>&nbsp;</P> <P>IPSEC lifetime is disabled. 'Show asp drop' displays packet drop increase for 'l2_acl', 'acl_drop' and 'sp_security_failed' when traffic stops, but they are quite similar as that when no problem.</P> <P>&nbsp;</P> <P>ISP presented bandwidth utilization graph, there were some peak times reaching bandwidth limit, but the peak times don't match the times when connection stopped in general.</P> <P>&nbsp;</P> <P>I assume&nbsp;it's a vpn issue as I can still remotely manage the ASA during the problem time. It might also be related to user traffic as 1/3 incidents occurred between 8:00-8:05, but don't know how to figure out why the packets are not sent.&nbsp;</P> <P>&nbsp;</P> <P>I'm posting my configuration file below but the IP addresses are not real for safety consideration:</P> <P>&nbsp;</P> <P>: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)<BR />:<BR />ASA Version 9.5(2) <BR />!<BR />hostname ASA5506<BR />domain-name mycompany.net<BR />enable password ****** encrypted<BR />xlate per-session deny tcp any4 any4<BR />xlate per-session deny tcp any4 any6<BR />xlate per-session deny tcp any6 any4<BR />xlate per-session deny tcp any6 any6<BR />xlate per-session deny udp any4 any4 eq domain<BR />xlate per-session deny udp any4 any6 eq domain<BR />xlate per-session deny udp any6 any4 eq domain<BR />xlate per-session deny udp any6 any6 eq domain<BR />passwd ****** encrypted<BR />names<BR />!<BR />interface GigabitEthernet1/1<BR /> nameif outside<BR /> security-level 0<BR /> ip address 151.218.145.237 255.255.255.252 <BR />!<BR />interface GigabitEthernet1/2<BR /> nameif inside<BR /> security-level 100<BR /> ip address 10.201.0.1 255.255.255.0 <BR />!<BR />interface GigabitEthernet1/3<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/4<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/5<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/6<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/7<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface GigabitEthernet1/8<BR /> shutdown<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface Management1/1<BR /> management-only<BR /> nameif management<BR /> security-level 0<BR /> ip address 192.168.1.1 255.255.255.0 <BR />!<BR />ftp mode passive<BR />clock timezone CEST 1<BR />clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00<BR />dns server-group DefaultDNS<BR /> domain-name mycompany.net<BR />object network CSM<BR /> host 171.66.30.203<BR /> description 171.66.30.203<BR />object network Net_10.0.0.0-8_RFC1918<BR /> subnet 10.0.0.0 255.0.0.0<BR />object network Net_172.16.0.0-12_RFC1918<BR /> subnet 172.16.0.0 255.240.0.0<BR />object network Net_192.168.0.0-16_RFC1918<BR /> subnet 192.168.0.0 255.255.0.0<BR />object network test_1.1.1.1<BR /> host 1.1.1.1<BR />object network OutsideIP<BR /> host 151.218.145.237<BR />object network CSM_VPN_NAT_0_OBJ_NET_1<BR /> subnet 10.201.0.0 255.255.254.0<BR />object network CSM_VPN_NAT_0_OBJ_NET_2<BR /> subnet 0.0.0.0 0.0.0.0<BR />object network CSM_VPN_NAT_0_OBJ_NET_3<BR /> subnet 10.201.0.0 255.255.255.0<BR />object-group network RFC1918<BR /> description All pricate addresses<BR /> network-object 10.0.0.0 255.0.0.0<BR /> network-object 172.16.0.0 255.240.0.0<BR /> network-object 192.168.0.0 255.255.0.0<BR />object-group network GRP_RFC1918<BR /> network-object object Net_172.16.0.0-12_RFC1918<BR /> network-object object Net_192.168.0.0-16_RFC1918<BR /> network-object object Net_10.0.0.0-8_RFC1918<BR />object-group network Allowed_WAN_Hosts<BR /> description Internet hosts allowed all IP traffic<BR /> network-object object test_1.1.1.1<BR />object-group service NTP<BR /> description NTP Protocols<BR /> service-object tcp destination eq 123 <BR /> service-object udp destination eq ntp <BR />object-group service Synology<BR /> service-object tcp destination range 5000 5001 <BR />object-group service Apple<BR /> service-object tcp destination eq 16384 <BR /> service-object tcp destination eq 16385 <BR /> service-object tcp destination eq 16386 <BR />object-group service Internet_Access<BR /> service-object icmp <BR /> service-object tcp destination eq www <BR /> service-object tcp destination eq https <BR /> service-object tcp destination eq ftp <BR /> service-object tcp destination eq ftp-data <BR /> service-object tcp destination eq nntp <BR /> service-object udp destination eq domain <BR /> service-object tcp destination eq domain <BR /> service-object tcp destination eq pop3 <BR /> service-object tcp destination eq imap4 <BR /> service-object tcp destination eq ssh <BR /> service-object tcp destination eq 8080 <BR /> service-object tcp destination eq 8000 <BR /> service-object tcp destination eq 5938 <BR /> service-object tcp destination eq 4443 <BR /> service-object tcp destination eq 10020 <BR /> group-object NTP<BR /> group-object Synology<BR /> group-object Apple<BR />access-list CSM_FW_ACL_inside extended permit ip object Net_10.0.0.0-8_RFC1918 object-group GRP_RFC1918 <BR />access-list CSM_FW_ACL_inside extended permit ip object Net_172.16.0.0-12_RFC1918 object-group GRP_RFC1918 <BR />access-list CSM_FW_ACL_inside extended permit object-group Internet_Access object Net_10.0.0.0-8_RFC1918 any <BR />access-list CSM_FW_ACL_inside extended permit object-group Internet_Access object Net_172.16.0.0-12_RFC1918 any <BR />access-list CSM_FW_ACL_inside remark Bypass WAN IP with special ports<BR />access-list CSM_FW_ACL_inside extended permit ip object Net_10.0.0.0-8_RFC1918 object-group Allowed_WAN_Hosts <BR />access-list CSM_FW_ACL_inside extended permit ip object Net_172.16.0.0-12_RFC1918 object-group Allowed_WAN_Hosts <BR />access-list CSM_FW_ACL_inside extended deny ip any any <BR />access-list CSM_FW_ACL_outside extended permit ip object-group GRP_RFC1918 object Net_10.0.0.0-8_RFC1918 <BR />access-list CSM_FW_ACL_outside extended permit ip object-group GRP_RFC1918 object Net_172.16.0.0-12_RFC1918 <BR />access-list CSM_FW_ACL_outside extended permit ip object CSM object OutsideIP <BR />access-list CSM_FW_ACL_outside extended deny ip any any <BR />access-list CSM_IPSEC_ACL_2 extended permit ip 10.201.0.0 255.255.255.0 any4 <BR />pager lines 24<BR />logging enable<BR />no logging hide username<BR />logging standby<BR />logging asdm debugging<BR />logging debug-trace<BR />mtu outside 1500<BR />mtu inside 1500<BR />mtu management 1500<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />nat (inside,outside) source static CSM_VPN_NAT_0_OBJ_NET_3 CSM_VPN_NAT_0_OBJ_NET_3 destination static CSM_VPN_NAT_0_OBJ_NET_2 CSM_VPN_NAT_0_OBJ_NET_2 no-proxy-arp route-lookup<BR />nat (management,outside) source static CSM_VPN_NAT_0_OBJ_NET_3 CSM_VPN_NAT_0_OBJ_NET_3 destination static CSM_VPN_NAT_0_OBJ_NET_2 CSM_VPN_NAT_0_OBJ_NET_2 no-proxy-arp route-lookup<BR />nat (inside,outside) source dynamic RFC1918 interface destination static CSM CSM<BR />access-group CSM_FW_ACL_outside in interface outside<BR />access-group CSM_FW_ACL_inside in interface inside<BR />route outside 0.0.0.0 0.0.0.0 151.218.145.238 1<BR />route outside 171.66.30.203 255.255.255.255 151.218.145.238 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />user-identity default-domain LOCAL<BR />http server enable 4443<BR />http 151.43.54.243 255.255.255.255 outside<BR />http 88.45.123.123 255.255.255.255 outside<BR />http 0.0.0.0 0.0.0.0 inside<BR />snmp-server host inside 10.161.20.112 community *****<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server community *****<BR />service sw-reset-button<BR />crypto ipsec ikev1 transform-set CSM_TS_1 esp-aes-256 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set CSM_TS_2 esp-aes-256 esp-sha-hmac <BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_2<BR />crypto map CSM_outside_map 1 set pfs group5<BR />crypto map CSM_outside_map 1 set peer 213.102.216.16 <BR />crypto map CSM_outside_map 1 set ikev1 transform-set CSM_TS_1 CSM_TS_2<BR />crypto map CSM_outside_map 1 set security-association lifetime seconds 3600<BR />crypto map CSM_outside_map 1 set reverse-route<BR />crypto map CSM_outside_map interface outside<BR />crypto ca trustpool policy<BR />crypto isakmp identity address <BR />crypto ikev1 enable outside<BR />crypto ikev1 policy 1<BR /> authentication pre-share<BR /> encryption aes-256<BR /> hash sha<BR /> group 5<BR /> lifetime 86400<BR />telnet timeout 1<BR />ssh stricthostkeycheck<BR />ssh 151.43.54.243 255.255.255.255 outside<BR />ssh 88.45.123.123 255.255.255.255 outside<BR />ssh 10.0.0.0 255.0.0.0 inside<BR />ssh 172.16.0.0 255.240.0.0 inside<BR />ssh 192.168.0.0 255.255.0.0 inside<BR />ssh timeout 60<BR />ssh version 2<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 60<BR />management-access inside</P> <P>threat-detection basic-threat<BR />threat-detection statistics host<BR />threat-detection statistics port<BR />threat-detection statistics protocol<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />ntp server 97.165.172.58 source outside<BR />dynamic-access-policy-record DfltAccessPolicy<BR />username myadmin password ****** encrypted privilege 15<BR />username mygroup password ****** encrypted privilege 15<BR />username nysfg password ****** encrypted privilege 15<BR />tunnel-group 213.102.216.16 type ipsec-l2l<BR />tunnel-group 213.102.216.16 ipsec-attributes<BR /> ikev1 pre-shared-key *****<BR />!<BR />class-map inspection_default<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR /> parameters<BR /> message-length maximum client auto<BR /> message-length maximum 512<BR />policy-map global_policy<BR /> class inspection_default<BR /> inspect dns preset_dns_map <BR /> inspect ftp <BR /> inspect h323 h225 <BR /> inspect h323 ras <BR /> inspect rsh <BR /> inspect rtsp <BR /> inspect sqlnet <BR /> inspect skinny <BR /> inspect sunrpc <BR /> inspect xdmcp <BR /> inspect sip <BR /> inspect netbios <BR /> inspect tftp <BR /> inspect ip-options <BR /> inspect icmp <BR /> class class-default<BR /> user-statistics accounting<BR />!<BR />service-policy global_policy global<BR />prompt hostname context <BR />no call-home reporting anonymous<BR />call-home<BR /> profile CiscoTAC-1<BR /> no active<BR /> destination address http <A href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A><BR /> destination address email callhome@cisco.com<BR /> destination transport-method http<BR /> subscribe-to-alert-group diagnostic<BR /> subscribe-to-alert-group environment<BR /> subscribe-to-alert-group inventory periodic monthly<BR /> subscribe-to-alert-group configuration periodic monthly<BR /> subscribe-to-alert-group telemetry periodic daily</P> Fri, 21 Feb 2020 15:18:07 GMT https://community.cisco.com/t5/network-security/cisco-asa5506-often-stops-vpn-connection-in-the-morning/m-p/3326387#M972339 jude 2020-02-21T15:18:07Z Re: Cisco ASA5506 often stops vpn connection in the morning https://community.cisco.com/t5/network-security/cisco-asa5506-often-stops-vpn-connection-in-the-morning/m-p/3326452#M972340 one correction: the hub site ASA model is Cisco ASA5516x. Wed, 07 Feb 2018 07:10:17 GMT https://community.cisco.com/t5/network-security/cisco-asa5506-often-stops-vpn-connection-in-the-morning/m-p/3326452#M972340 jude 2018-02-07T07:10:17Z