Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
431
Views
0
Helpful
4
Replies

Random loss of VPN Connectivity

robertovd
Level 1
Level 1

‎08-22-2010 12:47 PM

Good morning,

I've configured a VPN between 2 offices using two ASA 5505 v. 7.2(4) via IPSec

The problem is that randomly the VPN connection drops. It can be working fine for hours and then fail, while the rest it is working fine (internet)

The solution comes by reloading the system which will always work and the connection is back again.


The IkE is using 3Des encription, pre-share authentication and 86400secs lifetime.

I don't really know what to check, or how to monitor it. I have been using the ASDM monitoring tools to check the Ipsec/IKE connections, but obviously cannot determine what is causing the problem or how to start troubleshooting it.


At this point, I am using a ping that continously pings a remote computer, and when it fails, I receive a mail.

Thank you for your help!


Regards,

Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎08-22-2010 02:41 PM

Robert

There are several things that might produce the symptoms of random loss of VPN connectivity. When I hear some talk about loss of VPN connectivity, one of the first things that I think about is that Security Associations (might be ISAKMP or might be IPSEC) have expired (this is a normal event) and not have been re-negotiated (this would be the not normal part of the problem). Can you check and verify whether the continuous ping traffic is part of what is permitted in the ACL that defines interesting traffic for the VPN? If the ping is interesting traffic then that should take care of re-negotiating the SAs and the problem is something else.

When the problem happens and before you reload can you check on a few things:

- can you verify that there is IP connectivity between the ASAs? Can you ping from one ASA to the peer address of the other ASA?

- can you check the logs of the ASA for any event happening recently that might impact the VPN?

HTH

Rick

HTH

Rick
0 Helpful

Yudong Wu
Level 7
Level 7
In response to Richard Burts

‎08-22-2010 08:53 PM

Hi Robert,

In addition to Richard's suggestion,

1. Make sure both sides can initiate the traffic to bring up the VPN tunnel.

2. If there is no IP connectivity problem when the issue happens, you might capture the following two show commands

show cry isa sa

show cry ipsec sa

3. The following two debugs is very helpful.

- debug cry isa

- debug cry ipsec

You can leave the above two debugs on and redirect the output to a syslog server like following.

- logging debug-trace
- logging message 711001 level 0
Then log at least at level 0 or higher to the syslog server

logging trap 0

logging host interface_name syslog_ip

The debug output should provide more info to find out what happens.

HTH

0 Helpful

robertovd
Level 1
Level 1
In response to Yudong Wu

‎08-23-2010 12:44 AM

Thanks a lot for all the recomendations.

It is working fine at the moment, will wait till crash to do the test.


Regards

Robert.

0 Helpful

robertovd
Level 1
Level 1
In response to robertovd

‎09-03-2010 02:27 AM

Good morning!


Sorry for the delay, I have been doing more tests, and seems that the problem was being caused by my static NAT rule. I deleted it and worked fine for 1 week. Now if I try to add the Static NAT rule get this message:

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

So I need to figure out how to manage my other VPN to work


Thank you guys for your help


Regards,


Robert

0 Helpful
Customers Also Viewed These Support Documents