Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5511
Views
0
Helpful
6
Replies

ASA Site to Site VPN tunnel and AS/400 Sessions Dropping

ewieder
Level 1
Level 1

‎01-09-2013 01:08 PM

I currently have a site that I am connecting via a site to site VPN tunnel using site-a (5510) and site-b (5505) ASA's.  I have changed the Idle timeout on the VPN group policy to Unlimited and created a service policy for the telnet traffic to set the connection timeout to 10hours.

We are still experiencing a connection drop with our end users client and printers.

Our AS/400 is sending Keep-Alive packets to the clients every 10 minutes (based on a packet capture) and I have had a session going for over an hour without a drop.  I am going to keep the packet capture going all night to see if I can replicate the issue.

Does anyone have any other ideas or areas I should look at?

Thanks

Eddie

Labels:
0 Helpful
6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

‎01-09-2013 01:13 PM

Hi,

Can you post L2L VPN configurations?

How often are connections dropping normally?

- Jouni

0 Helpful

ewieder
Level 1
Level 1
In response to Jouni Forss

‎01-09-2013 01:39 PM

Thanks for the quick reply.  Here are the configs:

It has been kind of random on the drops today, but it is still happening.

Site-A (5510) VPN config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 4 match address outside_cryptomap_5

crypto map outside_map 4 set pfs group5

crypto map outside_map 4 set peer SITE-B-IP

crypto map outside_map 4 set ikev1 transform-set ESP-AES-256-SHA

crypto ikev1 policy 2

authentication pre-share

encryption aes-256

hash sha    

group 5     

lifetime 86400

group-policy GroupPolicy_SITE-B-IP internal

group-policy GroupPolicy_SITE-B-IP attributes

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol ikev1

tunnel-group SITE-B-IP type ipsec-l2l

tunnel-group SITE-B-IP general-attributes

default-group-policy GroupPolicy_SITE-B-IP

tunnel-group SITE-B-IP ipsec-attributes

ikev1 pre-shared-key *****

class-map AS400-Telnet-FTP

match access-list outside_mpc_2

policy-map AS400-Telnet-FTP

description Change TCP connection timeout from 1 hour to 10 hours

class AS400-Telnet-FTP

  set connection timeout idle 10:00:00 reset

Site-B(5505) VPN config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs group5

crypto map outside_map 1 set peer SITE-A-IP

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto map outside_map interface BACKUP

crypto ikev1 enable outside

crypto ikev1 enable BACKUP

crypto ikev1 policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

group-policy GroupPolicy_SITE-A-IP internal

group-policy GroupPolicy_SITE-A-IP attributes

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol ikev1

tunnel-group SITE-A-IP type ipsec-l2l

tunnel-group SITE-A-IP general-attributes

default-group-policy GroupPolicy_SITE-A-IP

tunnel-group SITE-A-IP ipsec-attributes

ikev1 pre-shared-key *****

!

class-map global-class

match default-inspection-traffic

class-map BACKUP-class-AS400-Telnet-FTP

match access-list BACKUP_mpc

class-map AS400-Telnet

match access-list outside_mpc

!

!

policy-map AS400-Telnet

class AS400-Telnet

  set connection timeout idle 10:00:00 reset

!

service-policy AS400-Telnet interface outside

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to ewieder

‎01-09-2013 02:05 PM

Hi,

I just wanted to know how the security association lifetime had been set. But it seems its on default setting as you have not set any specific value for the L2L VPN

The command is

crypto map set security-association lifetime

I once had an issue where the customer faced issues with some remote connections through L2L VPN. Then the customer had the value of 3600 seconds and we raised it back to the default and the problem didnt seem to bother them anymore

Then again when you consider that the SA lifetime was raised to 8 hours and a workday lasts 8 hours it would seem logical that if this was the cause for their problems it would be correct with using this value.

But as I said you seem to have the default setting so it isnt because of this. Just a long shot from my part but thought I'd ask just incase. Though thing is the above situation is the only situation where I have run into such a situation and dont specifically know if the lifetime alone has anything to do with it but it does makes sense in some way.

Have you debugged the VPN and logged connections to see what is happening when theres problems with connections?

- Jouni

0 Helpful

ewieder
Level 1
Level 1
In response to Jouni Forss

‎01-10-2013 05:06 AM

I thought about that as well, but it is set to the default values of 8 hours or 4608000 KBytes.  Neither were met when the issue happens.  I am thinking about raising these values, but not until I understand why the disconnects are happening when these values have not been met.

According to the AS/400 the session was dropped and here is the AS/400 error log

CPF5503    Diagnostic              30 

01/09/13  07:54:04.919496

Message . . . . :   Input or Output request failed.  See message CPF5140.     

Recovery  . . . :   See the message CPF5140. Correct the errors and then try  

  the request again. 

CPF5140    Diagnostic              70

01/09/13  07:54:04.919440 

Message . . . . :   Session stopped by a request from device QPADEV0084.      

Cause . . . . . :   The request shutdown was caused by either the user turning

  the power off, by a device error, or the ASCII controller inactivity timer  

  expired. Recovery  . . . :   Close the files and vary the device off (VRYCFG

  command). If the problem occurs again, enter the ANZPRB command to run      

  problem analysis.                                                           

I am researching what I need to do for the debug of the VPN tunnel.  Any guidance would be helpful in this area.

Thanks,

Eddie

0 Helpful

Andrew Phirsov
Level 7
Level 7
In response to ewieder

‎01-10-2013 05:50 AM

Maybe you've got unstable internet connection between sites and tunnel gets disconnected due to isakmp keepalives (DPD feature)?

0 Helpful

brett.adams
Level 1
Level 1

‎10-24-2013 09:00 AM

We too are experiencing this problem, however for us the problem occurs with users that have multiple sessions going at the same time but only primarily use one session so the other two sessions sit idle for anywhere from 15-30 minutes before they switch over to use them.  This is when it gets dropped.  I see no fix was ever posted so does anyone know what the cause may be?

0 Helpful
Customers Also Viewed These Support Documents