Ramu Ch
Beginner

VPN traffic is getting dropped thru ASA 5520 Firewall

Hi Team,

Our local network is behind the Cisco ASA firewall. Whenever we are accessing the client VPN server, it gets connected, but after a few minutes (maybe 5/10/30 min) the sessions are terminating.

The same traffic through the PIX has no issue, only with the ASA firewall.

Please see the following error, and I request you give the possible root cause for this.

2011-04-09 16:15:09    Local4.Info    172.16.1.68    %ASA-6-302016: Teardown UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653

Regards

Ramu

1 REPLY
Jennifer Halim
Cisco Employee

Please enable: inspect ipsec-pass-thru on your ASA global policy map.

Here is more information on the command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1740887

However, it is only supported if you configure NAT, not on PAT.

It times out basically because UDP traffic in general has a very short-lived timeout. If it's been idle for 2 minutes (this is the default behaviour), then it clears down the session. In general, examples of UDP, i.e. DNS and SNMP, are short-lived sessions and don't require the session to be up for a long time.

Since you are using NAT-T to encapsulate the ESP packet to use UDP/4500, the same behaviour holds. Hence, you are seeing it get timed out.

Depending on what device you are using to terminate the VPN, and since you have NAT-T enabled, you can reduce the NAT-T keepalive interval so it sends keepalives more often within a shorter period of time, to ensure that there is continuous traffic on the VPN, hence it doesn't time out on the ASA.

Alternatively, if the VPN server supports encapsulation on TCP, that would be better as TCP is typically not short-lived, and you can also change the default timeout on TCP sessions specifically for just that VPN traffic.

Hope that helps.
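As an added example (not part of the thread or Cisco's own tooling), a small Python parser for the %ASA-6-302016 teardown message quoted in the question: it picks out the NAT-T (UDP/4500) teardowns and groups their durations by peer pair, so a tunnel that keeps being torn down and rebuilt shows up in the syslog feed. The first sample line is the one from the question; the other two are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the %ASA-6-302016 UDP teardown message quoted in the question.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302016: Teardown UDP connection (?P<conn>\d+) for "
    r"[^:\s]+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to [^:\s]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes \d+"
)
NAT_T_PORT = 4500  # UDP port used by IPsec NAT-Traversal (UDP-encapsulated ESP)

@dataclass
class Teardown:
    conn_id: int
    src: Tuple[str, int]  # (ip, port) as named first in the message
    dst: Tuple[str, int]
    duration_s: int

    @property
    def is_nat_t(self) -> bool:
        return NAT_T_PORT in (self.src[1], self.dst[1])

def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one syslog line; None for anything that is not a 302016 UDP teardown."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return Teardown(int(m["conn"]), (m["src_ip"], int(m["src_port"])),
                    (m["dst_ip"], int(m["dst_port"])), duration)

def nat_t_teardowns_by_peer(lines: List[str]) -> Dict[Tuple[str, str], List[int]]:
    """Group NAT-T teardown durations (seconds) by (source ip, destination ip)."""
    out: Dict[Tuple[str, str], List[int]] = {}
    for line in lines:
        t = parse_teardown(line)
        if t and t.is_nat_t:  # ignore ordinary short-lived UDP such as DNS
            out.setdefault((t.src[0], t.dst[0]), []).append(t.duration_s)
    return out

# Constructed sample: the first line is from the question, the other two are made up.
SAMPLE_LOG = [
    "2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Teardown UDP connection 87447908 "
    "for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653",
    "2011-04-09 16:20:31 Local4.Info 172.16.1.68 %ASA-6-302016: Teardown UDP connection 87448101 "
    "for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4412 duration 0:02:01 bytes 1204",
    "2011-04-09 16:20:40 Local4.Info 172.16.1.68 %ASA-6-302016: Teardown UDP connection 87448133 "
    "for inside:172.16.9.10/53210 to OUTSIDE:192.0.2.53/53 duration 0:00:01 bytes 146",
]
```

Several entries for the same pair with durations near the 2-minute UDP idle default are the pattern to look for when checking whether the keepalive or timeout change above took effect.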