
ASA 5505 Site to Site VPN Reconnection Problem

We are having a major problem with our central office ASA 5505 9.1.7 and a peer that is also an ASA 5505 9.1.7. We have several site-to-site VPNs set up, and only this one exhibits the following decryption symptoms:


The connection fails to decrypt traffic after a few hours. Then 8 hours later when the SA expires, it reconnects just fine. SECONDLY, if I log into the office ASA and clear the connections, all the connections come back within 60 seconds, EXCEPT the bad one.


After clicking "logout":

Result of the command: "show ipsec sa peer XXX"

peer address: XXX
Crypto map tag: IPSEC_MAP, seq num: 1, local addr: YYY

access-list outside_cryptomap_7 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer: XXX


#pkts encaps: 441, #pkts encrypt: 441, #pkts digest: 441
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 441, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: YYY/0, remote crypto endpt.: XXX/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F7B3C753
current inbound spi : 165B0280

inbound esp sas:
spi: 0x165B0280 (375063168)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 135168, crypto-map: IPSEC_MAP
sa timing: remaining key lifetime (kB/sec): (3915000/28281)
IV size: 16 bytes
replay detection support: N
outbound esp sas:
spi: 0xF7B3C753 (4155754323)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 135168, crypto-map: IPSEC_MAP
sa timing: remaining key lifetime (kB/sec): (3914976/28281)
IV size: 16 bytes
replay detection support: N


and then 10 mins later:


Result of the command: "show ipsec sa peer XXX"

peer address: XXX
Crypto map tag: IPSEC_MAP, seq num: 1, local addr: YYY

access-list outside_cryptomap_7 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer: XXX


#pkts encaps: 687, #pkts encrypt: 687, #pkts digest: 687
#pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 687, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: YYY/0, remote crypto endpt.: XXX/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F7B3C753
current inbound spi : 165B0280

inbound esp sas:
spi: 0x165B0280 (375063168)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 135168, crypto-map: IPSEC_MAP
sa timing: remaining key lifetime (kB/sec): (3914994/28088)
IV size: 16 bytes
replay detection support: N
outbound esp sas:
spi: 0xF7B3C753 (4155754323)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 135168, crypto-map: IPSEC_MAP
sa timing: remaining key lifetime (kB/sec): (3914962/28088)
IV size: 16 bytes
replay detection support: N
Nothing changes and nothing fails; it's like it decides to wait 10 mins. Any ideas?
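An added monitoring check, not from the original post or from Cisco: it parses the counters out of two "show ipsec sa" snapshots like the ones quoted above and flags a one-way SA (encaps climbing while decaps stays at zero) separately from a rekey (a changed SPI pair, after which counters reset). The excerpts are constructed from the post's own numbers.

```python
import re

# Constructed excerpts: the lines a monitor needs from the two
# "show ipsec sa peer XXX" snapshots quoted in the post above.
SNAP_T0 = """\
#pkts encaps: 441, #pkts encrypt: 441, #pkts digest: 441
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: F7B3C753
current inbound spi : 165B0280
sa timing: remaining key lifetime (kB/sec): (3915000/28281)
"""
SNAP_T1 = """\
#pkts encaps: 687, #pkts encrypt: 687, #pkts digest: 687
#pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
current outbound spi: F7B3C753
current inbound spi : 165B0280
sa timing: remaining key lifetime (kB/sec): (3914994/28088)
"""

def parse_ipsec_sa(text):
    """Extract the counters that matter for a one-way tunnel check."""
    def grab(pattern, base=10):
        m = re.search(pattern, text)
        return int(m.group(1), base) if m else None
    return {
        "encaps": grab(r"#pkts encaps:\s*(\d+)"),
        "decaps": grab(r"#pkts decaps:\s*(\d+)"),
        "out_spi": grab(r"current outbound spi\s*:\s*([0-9A-Fa-f]+)", 16),
        "in_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", 16),
        "life_sec": grab(r"remaining key lifetime \(kB/sec\):\s*\(\d+/(\d+)\)"),
    }

def sa_state(snap):
    """Classify one snapshot: ESP leaves, but nothing is decapsulated."""
    s = parse_ipsec_sa(snap)
    if s["encaps"] > 0 and s["decaps"] == 0:
        return "one-way"
    return "bidirectional" if s["decaps"] > 0 else "idle"

def compare(before, after):
    """Classify the delta between two snapshots; a new SPI pair is a rekey."""
    a, b = parse_ipsec_sa(before), parse_ipsec_sa(after)
    rekeyed = (a["in_spi"], a["out_spi"]) != (b["in_spi"], b["out_spi"])
    if rekeyed:
        return "rekeyed", True   # counters reset with the new SA; not comparable
    d_enc, d_dec = b["encaps"] - a["encaps"], b["decaps"] - a["decaps"]
    if d_enc > 0 and d_dec == 0:
        return "one-way", False
    return ("bidirectional" if d_dec > 0 else "idle"), False
```

On the post's own numbers the first snapshot classifies as one-way and the second as bidirectional with the same SPIs, i.e. decryption resumed without a rekey; the remaining lifetime of 28281 s (about 7.9 h) matches the "8 hours" the poster sees before a clean reconnect.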
