ASA VPN Dead Peer Detection problem

ANGELO DE MASI
Level 1


Hello, I am experiencing some problems with an ASA to ASA site-to-site VPN connection. The LAN-to-LAN VPN is up and working well, but when one of the VPN peers goes down the ASA doesn't recognize the dead peer and doesn't put down the VPN connection and the corresponding SA, and consequently the ASA doesn't remove the injected remote LAN route from its routing table.

Please, I need some advice on how to put down the VPN when at least one peer is dead.

Thank you in advance.

Regards

angelo

10 Replies

Marcin Latosiewicz
Cisco Employee

Angelo,

Do you have isakmp keepalives enabled on both sides?

Please also note that IOS and ASA default behavior for RRI is different ;-)

I.e. default on IOS is to inject the route only if tunnel is up (IPsec SAs up).

Marcin

Hi Marcin, thanks for your reply.

Yes, I have enabled isakmp keepalive on both ASAs and they are set with the same parameters (isakmp keepalive 10 2).

Moreover, RRI is enabled in the crypto map on the ASA, so when the VPN is up the remote LAN routes are injected into the ASA routing table, but I expect that they should be removed when the VPN goes down. But the main problem is that the ASA doesn't put the VPN down even if the remote peer is dead.

Do you have any idea?

Angelo,

debug crypto isakmp

it will tell you whether the DPDs are in fact being exchanged, I suspect they might not ;-)

Can you share with me:

- sho ver

- show run tunnel-group

- sh run crypto

- show vpn-sessiondb detail l2l

Make sure you obfuscate all the sensitive info (IP addresses/keys/passwords).

M.
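As an added example, not code from this thread or from Cisco: a small Python check that parses `show run tunnel-group` / `show run crypto` excerpts from both ASAs and flags the two things discussed here, DPD (isakmp keepalive) not active or mismatched on either end, and a crypto map without `set reverse-route`. The config excerpts, peer addresses and the absence-means-not-explicit rule are assumptions made for the example.

```python
import re

# Constructed excerpts from two hypothetical ASAs (RFC 5737 documentation addresses).
# A keeps DPD on with threshold 10 / retry 2 and has RRI; B has DPD disabled and no RRI.
ASA_A = """\
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set reverse-route
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""
ASA_B = """\
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
"""
KEEPALIVE = re.compile(r"^\s+isakmp keepalive (?:threshold (\d+) retry (\d+)|disable)")

def keepalives(config):
    """Map each L2L peer to (threshold, retry); None = disabled or not explicitly set."""
    peers, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current, peers[m.group(1)] = m.group(1), None
            continue
        if current and not line.startswith(" "):
            current = None                     # left the ipsec-attributes block
        k = KEEPALIVE.match(line) if current else None
        if k:
            peers[current] = (int(k.group(1)), int(k.group(2))) if k.group(1) else None
    return peers

def reverse_route_enabled(config):
    return re.search(r"^crypto map \S+ \d+ set reverse-route", config, re.M) is not None

def check_pair(cfg_a, peer_b, cfg_b, peer_a):
    """Findings for tunnel A<->B: DPD must be on with equal timers, RRI set on both."""
    ka, kb = keepalives(cfg_a).get(peer_b), keepalives(cfg_b).get(peer_a)
    findings = []
    for side, k, peer in (("A", ka, peer_b), ("B", kb, peer_a)):
        if k is None:
            findings.append(f"{side}: no active isakmp keepalive for peer {peer}")
    if ka and kb and ka != kb:
        findings.append(f"keepalive timers differ: A={ka} B={kb}")
    for side, cfg in (("A", cfg_a), ("B", cfg_b)):
        if not reverse_route_enabled(cfg):
            findings.append(f"{side}: no 'set reverse-route' in crypto map")
    return findings
```

A peer reported as "not explicitly set" should be confirmed with `show run all tunnel-group`, since defaults are not shown in the plain running config.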

I'm looking at debug crypto and it seems that actually the ASA doesn't send and receive DPD packets; it happens on both ASAs. If it can help, the first ASA regularly sends and receives DPD packets with another VPN peer instead.

What does it depend on? Do you have any idea?

Angelo,

DPD type/version is something we negotiate in phase 1.

I think most implementations send DPDs only if no traffic is received back (note that IOS has a "periodic" setting which overrides it).

Marcin

Hi Marcin,

I did some tests in the last days; the situation now is that both ASAs actually exchange DPD packets and when one peer goes down the VPN does too, but the problem now is that when the ASA puts the VPN down it doesn't also remove from the routing table the remote VPN routes injected by RRI. It's important for me to have those routes down for VPN failover, because they are announced in the internal EIGRP instance.

Do you know if there is some way to make the ASA remove the RRI routes?

thank you very much in advance.

Regards angelo

Angelo,

I'm afraid that I don't have good news on RRI.

There's an enhancement request open forever to have same functionality on ASA and IOS:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx67450

Marcin

Thank you Marcin, I already supposed that, I heard some rumors about that issue.

I am thinking to try solving my problem with OSPF unicast over IPsec VPN tunnel between both ASA. Do you know if it works well?

Angelo,

Yes, it works fairly; in my experience it doesn't really work well for more advanced scenarios, but we got it working between two and more ASAs.

Marcin

Ok Marcin,

I will try with it.

thanks a lot.

bye

angelo
