3598 Views, 0 Helpful, 1 Reply

Cisco ASA Teardown TCP connection Tunnel has been torn down

fgasimzade
Level 4

Cisco ASA version 8.2(5) 

There is a VPN tunnel with a TCP connection inside it. We noticed that from time to time the TCP connection breaks.

This is what we found in ASA logs:

Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X.  Reason: IPSec SA Idle Timeout  Remote Proxy 193.58.21.4, Local Proxy 172.18.234.209 --- NATTED TO 192.168.146.18

%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA2D13B6B) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been deleted

%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x46C77A2B) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.

%ASA-5-713049: Group = X.X.X.X, IP = X.X.X.X, Security negotiation complete for LAN-to-LAN Group (X.X.X.X)  Initiator, Inbound SPI = 0x208585eb, Outbound SPI = 0x46c77a2b

%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x208585EB) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.

%ASA-5-713120: Group = X.X.X.X, IP = X.X.X.X, PHASE 2 COMPLETED (msgid=05b30a90)

%ASA-6-302014: Teardown TCP connection 727713 for outside:193.58.21.3/6204 to inside:192.168.146.18/60700 duration 0:50:41 bytes 306776210 Tunnel has been torn down
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags PSH ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside

Looks like during tunnel rekey all TCP connections are blocked.

Is there any workaround?

Thank you
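The log sequence above (a 302014 teardown whose reason is "Tunnel has been torn down", followed by a burst of 106015 "no connection" denies from the same outside peer) is a pattern that can be picked out of a syslog feed automatically. The script below is an added example, not part of the original post or of any Cisco tool: it parses the three message types quoted above and reports, for each tunnel-related teardown, how many denies for the same outside endpoint follow within a time window. The sample lines are constructed from the post, with syslog timestamps added (the post shows none) and two unrelated lines for contrast. Because the denied packets carry the NAT-mapped inside address (172.18.234.209) while the teardown carries the real one (192.168.146.18), the correlation key is the outside endpoint and interface, not the inside address; the 60-second window is an assumed value.

```python
import re
from datetime import datetime

# Constructed sample log (timestamps and the unrelated 203.0.113.9 / 198.51.100.7
# lines are added for the example; the rest mirrors the lines quoted in the post).
SAMPLE_LOG = """\
Jan 10 10:00:00 asa %ASA-6-302014: Teardown TCP connection 727713 for outside:193.58.21.3/6204 to inside:192.168.146.18/60700 duration 0:50:41 bytes 306776210 Tunnel has been torn down
Jan 10 10:00:01 asa %ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
Jan 10 10:00:02 asa %ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags PSH ACK  on interface outside
Jan 10 10:00:03 asa %ASA-6-302014: Teardown TCP connection 727800 for outside:203.0.113.9/443 to inside:192.168.146.20/51000 duration 0:01:00 bytes 1234 TCP FINs
Jan 10 10:00:04 asa %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/25 to 172.18.234.209/40000 flags ACK  on interface outside
Jan 10 10:03:00 asa %ASA-6-106015: Deny TCP (no connection) from 193.58.21.3/6204 to 172.18.234.209/41660 flags ACK  on interface outside
"""

# Syslog prefix (assumed "Mon DD HH:MM:SS host") followed by the ASA message body.
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>%ASA-\d-\d{6}: .*)$")

# %ASA-6-302014: TCP teardown with interface:addr/port pairs and a trailing reason.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<oif>\w+):(?P<oaddr>[\d.]+/\d+) to (?P<iif>\w+):(?P<iaddr>[\d.]+/\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# %ASA-6-106015: packet denied because no connection entry exists for it.
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+/\d+) "
    r"to (?P<dst>[\d.]+/\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)

# Teardown reason the ASA uses when the VPN tunnel carrying the flow goes away.
TUNNEL_REASON = "Tunnel has been torn down"


def parse(log_text):
    """Yield (timestamp, message) for each line that carries an ASA syslog body."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]


def find_tunnel_teardown_victims(log_text, window_seconds=60):
    """For every 302014 teardown caused by the tunnel dropping, count the 106015
    denies that follow within window_seconds from the same outside endpoint on
    the same interface. Returns one record per affected connection."""
    events = list(parse(log_text))
    victims = []
    for ts, msg in events:
        td = TEARDOWN_RE.search(msg)
        if not td or td["reason"] != TUNNEL_REASON:
            continue  # ordinary teardowns (TCP FINs, idle timeout, ...) are not of interest
        peer = td["oaddr"]
        denied = 0
        flags_seen = set()
        for ts2, msg2 in events:
            if ts2 < ts or (ts2 - ts).total_seconds() > window_seconds:
                continue
            d = DENY_RE.search(msg2)
            # Key on the outside peer only: the inside side shows up NAT-mapped in 106015.
            if d and d["src"] == peer and d["iface"] == td["oif"]:
                denied += 1
                flags_seen.add(d["flags"])
        victims.append({
            "conn_id": td["conn"],
            "peer": peer,
            "inside": td["iaddr"],
            "duration": td["dur"],
            "denied": denied,
            "flags": sorted(flags_seen),
        })
    return victims


if __name__ == "__main__":
    for v in find_tunnel_teardown_victims(SAMPLE_LOG):
        print(f"conn {v['conn_id']} {v['peer']} -> {v['inside']} up {v['duration']}: "
              f"{v['denied']} post-teardown denies, flags {v['flags']}")
```

A non-zero `denied` count on a record whose reason is the tunnel teardown is the signature the question describes: the peer keeps sending on an established session the ASA no longer has state for, so it drops ACK/PSH segments until the client gives up or re-handshakes. Run it against the real feed around each 602304/602303 pair to confirm that the drops line up with rekeys rather than with anything else.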

1 Accepted Solution

Accepted Solutions

Aditya Ganjoo
Cisco Employee

Hi,

May I know what traffic is using these ports?

Also, do you ever see a SYN packet reaching the ASA?

Does it always happen during rekey?

Can you try using the following command and test:

sysopt connection preserve-vpn-flows

Regards,

Aditya

Please rate helpful posts and mark correct answers.


