05-30-2019 01:48 AM - edited 05-30-2019 01:50 AM
I have a P2P tunnel between Cisco ASAs. It has been working perfectly for years, but sometimes hosts stop pinging randomly.
clear crypto isakmp sa
Please suggest.
Thanks
Amardeep
05-30-2019 02:52 AM
Hello,
hard to tell without seeing the configs. Do you have isakmp keepalives configured, e.g.:
ASA(config)# tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ASA(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
05-30-2019 03:49 AM
Yes, I have this setting. I just decreased the timing from 30 to 15.
Any other suggestions, please?
Thanks
Amardeep
05-30-2019 06:35 AM
Can you share the result of the command show crypto ipsec sa?
05-30-2019 07:29 AM
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
access-list outside_cryptomap_4 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.252.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.252.0/0/0)
current_peer: y.y.y.y
#pkts encaps: 88124543, #pkts encrypt: 88123686, #pkts digest: 88123686
#pkts decaps: 2117527, #pkts decrypt: 2117507, #pkts verify: 2117507
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 88124543, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 857, #fragments created: 0
#PMTUs sent: 857, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 23
local crypto endpt.: x.x.x.x/0, remote crypto endpt.: y.y.y.y/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 567DA260
current inbound spi : CF564B6F
inbound esp sas:
spi: 0xCF564B6F (3478539119)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 134795264, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3642054/25510)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x567DA260 (1451074144)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 134795264, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3642054/25510)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x567DA260 (1451074144)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 134795264, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1047800/25484)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Again, it is active but sometimes stops by itself.
thanks
amardeep
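Added example (not from the thread or from Cisco): a small Python script that parses the counters in the show crypto ipsec sa output pasted above and flags the ones worth a second look when a tunnel intermittently stops passing traffic. The sample input is an excerpt of the poster's own output (peer addresses kept as the x.x.x.x / y.y.y.y placeholders they used). It goes a little beyond the thread by also checking for one-way traffic (encaps with no decaps) and by comparing the encaps and encrypt counters, whose difference in this output (857) matches the pre-frag failures counter exactly.

```python
import re
import sys
from typing import Dict, List

# Excerpt of the "show crypto ipsec sa" output pasted in the post above
# (sample constructed for this example from the thread's own lines).
SAMPLE_OUTPUT = """\
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.252.0/0/0)
current_peer: y.y.y.y
#pkts encaps: 88124543, #pkts encrypt: 88123686, #pkts digest: 88123686
#pkts decaps: 2117527, #pkts decrypt: 2117507, #pkts verify: 2117507
#pre-frag successes: 0, #pre-frag failures: 857, #fragments created: 0
#PMTUs sent: 857, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 23
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
"""

# One "#name: value" counter as the ASA prints it; several share a line.
COUNTER_RE = re.compile(r"#([^:#,]+?):\s*(\d+)")


def parse_counters(text: str) -> Dict[str, int]:
    """Return every '#name: value' counter in the output as {name: value}."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def parse_fields(text: str) -> Dict[str, object]:
    """Pull out the DF policy and the MTU/overhead figures."""
    fields: Dict[str, object] = {}
    m = re.search(r"DF policy:\s*(\S+)", text)
    if m:
        fields["df_policy"] = m.group(1)
    m = re.search(r"path mtu (\d+), ipsec overhead (\d+)", text)
    if m:
        fields["path_mtu"] = int(m.group(1))
        fields["ipsec_overhead"] = int(m.group(2))
    return fields


def max_clear_mtu(text: str) -> int:
    """Largest cleartext packet that fits in the path MTU once the
    reported IPsec overhead is added (1500 - 58 = 1442 for the sample)."""
    f = parse_fields(text)
    return int(f["path_mtu"]) - int(f["ipsec_overhead"])


def diagnose(text: str) -> List[str]:
    """Turn the raw counters into a short list of findings for the operator."""
    c = parse_counters(text)
    f = parse_fields(text)
    findings: List[str] = []

    encaps = c.get("pkts encaps", 0)
    encrypt = c.get("pkts encrypt", 0)
    decaps = c.get("pkts decaps", 0)

    if encaps and not decaps:
        findings.append("one-way traffic: packets encapsulated but none decapsulated")
    if encaps > encrypt:
        findings.append(f"{encaps - encrypt} packets counted for encapsulation but never encrypted")
    if c.get("pre-frag failures", 0):
        findings.append(
            f"{c['pre-frag failures']} pre-fragmentation failures with DF policy "
            f"{f.get('df_policy', '?')}: DF-set packets larger than "
            f"{max_clear_mtu(text)} bytes cannot be fragmented and are dropped")
    if c.get("PMTUs sent", 0):
        findings.append(
            f"{c['PMTUs sent']} PMTU (ICMP fragmentation-needed) messages sent to "
            "inside hosts; verify they are not filtered before reaching the hosts")
    if c.get("recv errors", 0):
        findings.append(f"{c['recv errors']} receive errors on the inbound SA")
    return findings


if __name__ == "__main__":
    # Pipe real output in, or run with no stdin to see the sample analysed.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for finding in diagnose(text):
        print("-", finding)
```

Run it as `python3 ipsec_sa_check.py < output.txt` against a fresh capture; on the pasted output it reports the 857 pre-frag failures, the 857 PMTU messages and the 23 receive errors, which are the counters to watch while the ping drops are happening (re-run and see whether they climb), rather than the SA state, which reads active in both the healthy and the failing case.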