topic Re: IPSEC Site-to-Site Tunnel drops every 1hour in Network Security

IPSEC Site-to-Site Tunnel drops every 1hour

brianbono — Mon, 11 Mar 2019 11:19:04 GMT

hi guys,

need help on my ASA 5510 that establishes a site-to-site VPN tunnel to a Multitech Firewall.

The tunnel normally drops after an hour of connectivity and would reconnect automatically. The problem is I have a telnet application that connects to the other end of the tunnel that would end up also getting disconnected. If i do a consistent ping to a remote host on the other side of the VPN tunnel i would also get one "request timeout" when the tunnel drops.

below is my vpn config:

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

crypto map outside_ISP_map 1 match address outside_ISP_1_cryptomap

crypto map outside_ISP_map 1 set peer 207.224.XXX.XXX

crypto map outside_ISP_map 1 set transform-set ESP-3DES-MD5

crypto map outside_ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO

_MAP

crypto map outside_ISP_map interface outside_ISP

crypto isakmp identity address

crypto isakmp enable outside_ISP

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

no crypto isakmp nat-traversal

attached also is a screenshot of the Real-Time Log Viewer.

Re: IPSEC Site-to-Site Tunnel drops every 1hour

brianbono — Tue, 02 Oct 2007 04:08:54 GMT

additional info:

asa001# sh isakmp sa detail

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 207.224.xxx.xxx

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Encrypt : 3des Hash : MD5

Auth : preshared Lifetime: 86400

Lifetime Remaining: 82985

asa001# sh isakmp stats

Global IKE Statistics

Active Tunnels: 1

Previous Tunnels: 668

In Octets: 919211

In Packets: 7753

In Drop Packets: 2241

In Notifys: 1342

In P2 Exchanges: 830

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 37

Out Octets: 764348

Out Packets: 6411

Out Drop Packets: 21

Out Notifys: 1584

Out P2 Exchanges: 452

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 1156

Initiator Tunnels: 351

Initiator Fails: 9

Responder Fails: 4

System Capacity Fails: 0

Auth Fails: 2

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

asa001#

Re: IPSEC Site-to-Site Tunnel drops every 1hour

russ — Tue, 02 Oct 2007 13:20:16 GMT

Seems like the remote peer has negotiated a phase 2 liftime of 1 hour (3600 seconds). The default for the ASA is 8 hours (28,800 seconds) and 1 hour (3600 secs for a Cisco router). Both peers will negotiate the lowest lifetime value.

You'll need to reconfigure the remote peer's phase 2 liftime to match the ASA value of 8 hours, or increase both peer lifetimes, if you wish the tunnel to stay up longer.

"sh crypto ipsec sa" will display the phase 2 remaining sa lifetime.

Re: IPSEC Site-to-Site Tunnel drops every 1hour

brianbono — Tue, 02 Oct 2007 13:27:46 GMT

the remote peer also has it set to 86400

Re: IPSEC Site-to-Site Tunnel drops every 1hour

russ — Tue, 02 Oct 2007 13:33:18 GMT

Are you referring to the phase 1 lifetime or phase 2 lifetime value?

Re: IPSEC Site-to-Site Tunnel drops every 1hour

brianbono — Tue, 02 Oct 2007 21:49:54 GMT

does my Global Timeouts set on the connection to 1hr had anything to do with the tunnel drops?

"timeout conn 1:00:00"

Re: IPSEC Site-to-Site Tunnel drops every 1hour

flopez — Wed, 03 Oct 2007 15:14:17 GMT

I had a similar issue but my tunnel between PIX to VPN would drop once a day. It was with the encryption being different. One was 3des and the other was not. The tunnel would work, but after 18 hours or so, the tunnel would drop. This happened very often.

Re: IPSEC Site-to-Site Tunnel drops every 1hour

tato386 — Wed, 03 Oct 2007 17:02:53 GMT

I am also having a similar experience between a PIX and an EdgeWater IAD router. Tunnel drops every day or two and takes 5-10 minutes to come back up. I don't have control over the EdgeWater device but would like to setup some kind of logging on my side to see if I can figure out what is going on. I tried "logging buffered debug" but that gives WAY too much info. Is there a way that I can have the output of "debug cry" type command go to a buffer to review it once a day or so?

Thanks,

Diego

Re: IPSEC Site-to-Site Tunnel drops every 1hour

brianbono — Wed, 03 Oct 2007 22:23:17 GMT

hi guys,

I was able to solve this problem yesterday. All I did was to go to the remote vpn tab instead of the site-to-site vpn tab of my ASA to configure the Maximum Connect value under the default group policy. The reason for the was my site-to-site inherited that policy that says the tunnel can only be for 1hr and must reconnect in order to keep the tunnel. I have changed the settings now to unlimited and finally my vpn is working fine.

cheers

Re: IPSEC Site-to-Site Tunnel drops every 1hour

elrasheed1 — Fri, 26 Jan 2018 19:32:38 GMT

Hi all,

I have the same problem which has been explained by brianbono but, the difference is that my default group policy max connect time is unlimited. Still facing the disconnection after 1 hour and automatic reconnect (single request time out). What could be causing this issue.

Re: IPSEC Site-to-Site Tunnel drops every 1hour

naveen98 — Sat, 26 Oct 2024 18:30:45 GMT

Hi brian,

Thank you for this. It also fixed my issue.