We have a site-to-site VPN between our head office and our branch site. This branch site is monitored using SolarWinds. We have Cisco ASAs on both ends. This site-to-site VPN disconnects, say, every 4-5 days. The connection is restored by issuing clear ipsec sa peer on the HO firewall. Is there some command which can stop such disconnections? The Internet link between the two connections is stable, as that too is monitored by SolarWinds. We have several other site-to-site VPN connections, but this particular connection seems to have a problem.
The most important thing is to find out how or why the tunnel is being torn down. Your SolarWinds should be able to detect that; otherwise, the logs from the ASA should tell you the reason.
You can work with the ISAKMP keepalives (DPD) in order to check whether the tunnel is up and running with the other peer; configure DPD using the isakmp keepalive command under the tunnel group for the desired tunnel.
Hope this helps.
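For reference, this is what the DPD setting described above looks like on an ASA tunnel-group. It is an added configuration example, not config posted by anyone in this thread; the peer address 203.0.113.2 and the pre-shared key placeholder are assumptions.

```cisco
! Added example, not from the original thread.
! Assumed: remote peer 203.0.113.2 reachable via the outside interface.
! LAN-to-LAN tunnel-groups on the ASA are named after the peer IP.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>
 ! Send a DPD probe after 10 s without traffic from the peer, retry every 2 s.
 ! These are also the ASA defaults. "isakmp keepalive disable" turns DPD off,
 ! which is the one setting you do not want on a tunnel that silently dies.
 isakmp keepalive threshold 10 retry 2
!
! Verify afterwards:
! show running-config tunnel-group 203.0.113.2
! show crypto isakmp sa    (phase 1 should show MM_ACTIVE for a main-mode tunnel)
```

One caveat: DPD only tells the ASA whether the IKE peer is still answering. It will not repair a tunnel where both ends still show phase 1 up but the phase 2 (IPsec) SAs have drifted apart, which is why the encaps/decaps counters on each side are still worth comparing when the tunnel looks "up" but traffic does not flow.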
ISAKMP keepalives are configured for the tunnel. The confidence interval is set to 10 seconds and the retry to 2 seconds. I checked the logs on the firewall but couldn't find any information related to IPsec. What else could I do?
Can you post the IKE/IPsec config of both ends?
And also the syslog message when the tunnel goes down.
And please also the software version.
The tunnel actually stays up, so no syslog message is generated. The connectivity is affected and the devices show down, but actually the devices are up at the other end. To fix this I have to clear ipsec sa peer. What exactly are you looking for in the IKE/IPsec configuration, as all our other branches are working perfectly fine? The firewall at HO is version 7 and the one in the branch is 8.
All right, since no syslog message is generated because you can see the tunnel up, I believe some debugs could help you.
Can you see traffic being encrypted on one side and nothing coming in on the other side?
By the way, what is the exact version of the branch? Do the other branches run the same software version?
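One way to answer the question above (encrypting on one side, nothing arriving on the other) on an ASA. This is an added example, not a transcript from this thread; the peer address 203.0.113.2 and the branch host 10.20.0.10 are assumptions. Run the same commands on both firewalls while the problem is occurring and compare.

```cisco
! Added example, not from the original thread. Assumed peer: 203.0.113.2.
! Run on both ASAs while the fault is present and compare the counters.
!
! Phase 1: is there an IKE SA with this peer, and is it MM_ACTIVE?
! (Older 7.0/7.1 images use "show isakmp sa" instead.)
show crypto isakmp sa
!
! Phase 2: per-SA counters for this peer. The lines to compare are
!   #pkts encaps: N   (packets this box encrypted and sent to the peer)
!   #pkts decaps: M   (packets this box received from the peer and decrypted)
! If the HO side shows encaps climbing while decaps stays flat, and the branch
! shows no SA at all, the HO is encrypting into an SA the branch no longer has.
show crypto ipsec sa peer 203.0.113.2
!
! Make the numbers move, then read them again:
ping inside 10.20.0.10                              ! assumed branch host
show crypto ipsec sa peer 203.0.113.2 | include pkts
!
! Only while reproducing the fault (verbose; stop with "undebug all"):
debug crypto isakmp 7
debug crypto ipsec 7
!
! The workaround already in use, which forces a fresh phase 2 negotiation
! (newer images also accept "clear crypto ipsec sa peer 203.0.113.2"):
clear ipsec sa peer 203.0.113.2
```

If encaps grows on HO but decaps never moves on the branch, the ESP packets are either not reaching the branch (look at the path, as the CRC errors later in this thread suggest) or the branch is dropping them for lack of a matching SA; the debug output on the branch distinguishes the two.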
The branch is running 8.0(2). Other branches have different versions and different hardware as well. Thank you for your assistance. Will check the debug link.
I forgot to mention that I am able to ping all the devices in my branch from all the machines in HO. The problem is somehow related to the SolarWinds server, which is located in HO and which is responsible for monitoring all the devices in the branch. It is this server that is not able to poll the devices; all other machines, however, can ping, and the issue is resolved after clearing out the IPsec session.
Hope this helps.
Sorry for delay.
Is the SolarWinds server in the same subnet from which you are able to ping devices in the branch office?
Or is it in another? If so, are you able to ping the branch from that same subnet?
Let me brief you on the proceedings. A few days ago we were experiencing disconnections for our entire HO subnet. Earlier I mentioned that only our SolarWinds server would fail to ping devices in our branch; now none of the machines in our HO were able to ping the branch subnet.
The HO firewall would show the tunnel up and active; however, the branch firewall would not show any tunnel. No SAs, no IPsec SA, nothing.
Upon further troubleshooting we observed a considerable number of CRC errors on our Internet router, which the ISP fixed by changing the cables and multiplexer. Since then the site-to-site tunnel has not gone down. So I would assume that the tunnel would somehow disconnect because of these CRC errors. Something weird is why the other tunnels wouldn't go down. As I mentioned earlier, we have several site-to-site tunnels, but only the tunnel with a Cisco ASA at the other end would disconnect; other branches which were connected through Juniper and SonicWall would stay up without any issue. The SA lifetime is common for all branches, so why do only the branches with Cisco ASAs fail? Strange, isn't it?
Let me know your view on this and thanks.
I was wondering if the SolarWinds server is located in some special subnet (like management), but since you say that from the same subnet you were able to ping devices on the branch, there is no need to look further in HQ.
So situation is (or was, if now is OK):
The tunnel on the branch went down, but the SA on HQ stayed up.
I think you're hitting some bug, because the HQ firewall should be able to clear the SA after some time. Also, if the error rate on the line is not really huge, IPsec should solve this problem.
And is it OK now (after solving the CRC problem)?
It's really weird.
Yes, it is really weird. The issue seems to have been resolved after solving the CRC issue, and there were quite a handful of CRC errors. Surprisingly, the other branches would not disconnect, except the one with the Cisco ASA. Quite possibly it could be a bug. Anyway, the issue for now is gone. Thanks for your input.
We are using a Cisco RV320 router, on which we have configured a site-to-site VPN.
My HO is located in Dubai and the branch office is located in India.
For the last week we have been facing an issue with the VPN. It disconnects frequently, 3 to 4 times every day, but the Internet is working fine, there is no packet loss, and latency is also good.
We need your support to fix it. If you know of any solution to fix this issue, please let me know immediately.
Thanks & Regards,