10-01-2007 07:29 PM - edited 03-11-2019 04:19 AM
hi guys,
need help on my ASA 5510 that establishes a site-to-site VPN tunnel to a Multitech Firewall.
The tunnel normally drops after an hour of connectivity and then reconnects automatically. The problem is I have a telnet application that connects to the other end of the tunnel, and it ends up getting disconnected as well. If I do a constant ping to a remote host on the other side of the VPN tunnel, I also get one "request timeout" when the tunnel drops.
below is my vpn config:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
crypto map outside_ISP_map 1 match address outside_ISP_1_cryptomap
crypto map outside_ISP_map 1 set peer 207.224.XXX.XXX
crypto map outside_ISP_map 1 set transform-set ESP-3DES-MD5
crypto map outside_ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_ISP_map interface outside_ISP
crypto isakmp identity address
crypto isakmp enable outside_ISP
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
attached also is a screenshot of the Real-Time Log Viewer.
10-01-2007 09:08 PM
additional info:
asa001# sh isakmp sa detail
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 207.224.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 82985
asa001# sh isakmp stats
Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 668
In Octets: 919211
In Packets: 7753
In Drop Packets: 2241
In Notifys: 1342
In P2 Exchanges: 830
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 37
Out Octets: 764348
Out Packets: 6411
Out Drop Packets: 21
Out Notifys: 1584
Out P2 Exchanges: 452
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 1156
Initiator Tunnels: 351
Initiator Fails: 9
Responder Fails: 4
System Capacity Fails: 0
Auth Fails: 2
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
asa001#
10-02-2007 06:20 AM
Seems like the remote peer has negotiated a phase 2 lifetime of 1 hour (3600 seconds). The default for the ASA is 8 hours (28,800 seconds) and 1 hour (3600 seconds) for a Cisco router. Both peers will negotiate the lowest lifetime value.
You'll need to reconfigure the remote peer's phase 2 lifetime to match the ASA value of 8 hours, or increase both peer lifetimes, if you wish the tunnel to stay up longer.
"sh crypto ipsec sa" will display the phase 2 remaining sa lifetime.
10-02-2007 06:27 AM
the remote peer also has it set to 86400
10-02-2007 06:33 AM
Are you referring to the phase 1 lifetime or phase 2 lifetime value?
10-02-2007 02:49 PM
Does my global timeout set on the connection to 1 hr have anything to do with the tunnel drops?
"timeout conn 1:00:00"
10-03-2007 08:14 AM
I had a similar issue but my tunnel between PIX to VPN would drop once a day. It was with the encryption being different. One was 3des and the other was not. The tunnel would work, but after 18 hours or so, the tunnel would drop. This happened very often.
10-03-2007 10:02 AM
I am also having a similar experience between a PIX and an EdgeWater IAD router. Tunnel drops every day or two and takes 5-10 minutes to come back up. I don't have control over the EdgeWater device but would like to setup some kind of logging on my side to see if I can figure out what is going on. I tried "logging buffered debug" but that gives WAY too much info. Is there a way that I can have the output of "debug cry" type command go to a buffer to review it once a day or so?
Thanks,
Diego
10-03-2007 03:23 PM
hi guys,
I was able to solve this problem yesterday. All I did was to go to the remote VPN tab instead of the site-to-site VPN tab of my ASA to configure the Maximum Connect Time value under the default group policy. The reason for this was that my site-to-site tunnel inherited that policy, which says the tunnel can only be up for 1 hr and must reconnect in order to keep the tunnel. I have changed the setting now to unlimited and finally my VPN is working fine.
cheers
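The fix described in the post above, together with the phase 2 lifetime point raised earlier in the thread, as an added CLI example that is not part of the original thread. Assumptions: DfltGrpPolicy is the ASA's built-in default group policy; the peer address 207.224.XXX.XXX and the crypto map outside_ISP_map are taken from the original post; the group-policy name L2L_MULTITECH and the "constructed" output lines are made up for illustration.

```cisco
! Added example, not from the thread. Shows where a 1-hour cut-off on an
! L2L tunnel can come from and how to check and change it from the CLI.

! 1. See what the L2L tunnel actually inherits. "show run all" also prints
!    the default values that plain "show run" hides.
asa001# show running-config all group-policy DfltGrpPolicy
! Constructed output that would reproduce the symptom in this thread:
!   vpn-session-timeout 60      <- minutes; session torn down after 1 h
!   vpn-idle-timeout 30

! 2. Quick fix: remove the hard cap (and, if the tunnel carries bursty
!    traffic, the idle timeout) on the policy the tunnel-group inherits.
asa001# configure terminal
asa001(config)# group-policy DfltGrpPolicy attributes
asa001(config-group-policy)# vpn-session-timeout none
asa001(config-group-policy)# vpn-idle-timeout none
asa001(config-group-policy)# exit

! 3. Cleaner than editing the default: give the L2L tunnel-group its own
!    policy so remote-access users keep their limits. (Policy name is an
!    assumption.)
asa001(config)# group-policy L2L_MULTITECH internal
asa001(config)# group-policy L2L_MULTITECH attributes
asa001(config-group-policy)# vpn-session-timeout none
asa001(config-group-policy)# vpn-idle-timeout none
asa001(config-group-policy)# exit
asa001(config)# tunnel-group 207.224.XXX.XXX general-attributes
asa001(config-tunnel-general)# default-group-policy L2L_MULTITECH
asa001(config-tunnel-general)# exit

! 4. Pin the phase 2 lifetime on the crypto map entry so both peers
!    negotiate to a known value (ASA default is 28800 s; the lower of the
!    two peers' values wins, so the remote side must match or exceed it).
asa001(config)# crypto map outside_ISP_map 1 set security-association lifetime seconds 28800
asa001(config)# end
asa001# write memory

! 5. Verify: the L2L session should no longer show a maximum duration, and
!    the phase 2 remaining lifetime should count down from 28800, not 3600.
asa001# show vpn-sessiondb l2l
asa001# show crypto ipsec sa | include lifetime
```

If the group policy already shows vpn-session-timeout none (as in the 2018 reply below), the next things to check are the phase 2 lifetime actually negotiated (step 5) and the remote peer's own session limits, since the ASA only ever accepts the lower of the two lifetimes.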
01-26-2018 11:32 AM
Hi all,
I have the same problem that was explained by brianbono, but the difference is that my default group policy max connect time is unlimited. I am still facing the disconnection after 1 hour and automatic reconnect (single request timeout). What could be causing this issue?
10-26-2024 11:30 AM
Hi brian,
Thank you for this. It also fixed my issue.