ASA VPN with VTI towards AWS goes down every 24 Hrs

vahabudeen
Level 1

Hi,

I have an L2L VPN between my AWS account and an ASA using a VTI interface, and I run BGP with AWS through this VTI interface on the ASA. Everything works fine, but every 24 hours my VPN gets reset, hence BGP is also flapping.

Your inputs will be highly appreciated.

Thanks

Vahab

3 Replies

Cristian Matei
VIP Alumni

Hi,

24 hours, maybe just a coincidence, matches the default ISAKMP lifetime; could you change that to 12 hours and see if the problem now appears again after 12 hours?

Regards,

Cristian Matei.

Thanks, Cristian, for your quick response.

I don't think it's a coincidence, as this is repeating every 24 hours.

Here is my current ISAKMP policy; the lifetime is set to 8 hours.


crypto ikev1 policy 201
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha

I hope you are clear about my scenario.

The tunnel to AWS has been created as GRE over IPsec using VTI.

BGP peering with the AWS VGW is through this VTI interface (GRE tunnel).

Thanks

Vahab

Hi,

Maybe things go wrong when Phase 2 does its key renegotiation, due to the Phase 2 lifetime. Are you using 24 hours there? Most probably yes. Do you have a lifetime match between the VPN headends? It is not a requirement, but sometimes it can cause issues. When the problem shows up, issue "show crypto ipsec sa peer x.x.x.x" and "show vpn-sessiondb detail l2l filter ipaddress x.x.x.x" and post the output here.

Regards,

Cristian Matei.
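As an added illustration (not part of the original thread, and not the poster's configuration): the places in an ASA VTI configuration where the two lifetimes discussed in the replies above live. The Phase 1 lifetime is the one in the IKEv1 policy the poster showed; the Phase 2 lifetime for a VTI is set in the IPsec profile that protects the tunnel interface, and if the profile does not set one the ASA falls back to the global crypto ipsec security-association lifetime (default 28800 seconds). The values used here match the AWS Site-to-Site VPN defaults (Phase 1 28800 s, Phase 2 3600 s), which is the "lifetime match between headends" the second reply asks about. The peer address 203.0.113.10, the inside-tunnel addresses 169.254.10.1/.2, the ASNs, interface and profile names are placeholders, not taken from the thread.

```cisco
! Added example, not the poster's config. Addresses, ASNs and names are placeholders.
!
! Phase 1 (IKEv1): 28800 s = 8 h, as posted above and equal to the AWS default.
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 enable outside
!
! Phase 2 (IPsec): for a VTI the lifetime is set in the IPsec profile, not a crypto map.
! 3600 s is the AWS default Phase 2 lifetime; configure the same value on both headends.
! Without this line the ASA uses the global default of 28800 s.
crypto ipsec ikev1 transform-set AWS-TS esp-aes esp-sha-hmac
crypto ipsec profile AWS-PROFILE
 set ikev1 transform-set AWS-TS
 set security-association lifetime seconds 3600
!
! Peer authentication (pre-shared key redacted).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-from-the-AWS-tunnel-configuration>
!
! Route-based VTI: the AWS-supplied 169.254.x.x/30 inside-tunnel addresses go here.
interface Tunnel1
 nameif AWS-VTI
 ip address 169.254.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS-PROFILE
!
! BGP to the VGW across the tunnel. 64512 is the AWS-side default ASN (placeholder here).
router bgp 65000
 address-family ipv4 unicast
  neighbor 169.254.10.1 remote-as 64512
  neighbor 169.254.10.1 activate
!
! Checks to run when the tunnel drops, to compare remaining SA lifetimes with the drop time.
show crypto ikev1 sa detail
show crypto ipsec sa peer 203.0.113.10
show vpn-sessiondb detail l2l filter ipaddress 203.0.113.10
show bgp neighbors 169.254.10.1
```

The useful fields in the show output are "Lifetime Remaining" in show crypto ikev1 sa detail and "remaining key lifetime (kB/sec)" in show crypto ipsec sa: if the remaining time on either SA approaches zero at the moment BGP drops, the reset is a rekey problem on that phase; if both SAs still have plenty of lifetime when the tunnel falls, the cause is elsewhere and the lifetimes are a red herring.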