Cisco ASA 5508 site-to-site VPN is disconnecting frequently.

Hi Team,

 

I have a site-to-site VPN configured between two ASA firewalls, and I have two ISPs (ISP1 and ISP2) at my end for failover to support redundancy.

Issue:

The site-to-site VPN is disconnecting frequently.

As a first step, I thought it was due to the lifetime kilobytes, so I set the lifetime kilobytes to unlimited, but I am still facing the same issue.

Later, ISP2 (redundant) was down for one day due to some reason at the ISP side, and I didn't find any disconnections during that day.

Then I noticed the issue exists only when both ISPs are active on my ASA; I am not sure what is causing the issue.

 

It works well when only one ISP is connected, whether ISP1 or ISP2. The VPN disconnects if both are connected to the ASA.

I am having issues with only the VPN; everything else works fine.

 

Please help me in resolving the issue.

 

 

 

 


6 Replies

GRANT3779
How is the redundancy setup on the ASA for fail over between the ISPs at your side?

sla monitor 123
 ! ICMP echo probe to 4.2.2.2, sourced from the outside interface
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service sw-reset-button

What is the address you are pinging within the SLA? The ISP GW or something else?
I'd be looking to set up traps to a syslog server for the SLA and then look into the possibility of it flapping and any potential link between this and the VPN hanging.

It is pinging 4.2.2.2, and I think it's a default address for SLA.

I could see a few drops for 4.2.2.2. Is that something causing the issue?

Then why is it not affecting my internet communication?

Observations:

1. No drops in the internet connection.

2. Noticed drops to the SLA IP address.

3. The VPN is reconnecting at the same time.

4. No drops to the remote tunnel IP address.
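The pattern in the observations above (drops to the SLA target, the VPN rebuilding at the same moment, internet traffic unaffected) is exactly what a syslog correlation shows once the SLA trap suggested earlier in the thread is feeding a collector. The following is an added example, not code from this thread or from Cisco: it parses constructed ASA syslog lines, treats message 622001 (tracked route removed/added) as the route flap and 602304 (LAN-to-LAN SA deleted) as the tunnel teardown, folds the several SA deletions logged by one teardown into a single episode, and reports how many teardowns fall within 60 seconds of a route change. The hostname, addresses and exact message texts are assumptions; confirm the message IDs against your own logs before trusting the counts.

```python
"""Correlate ASA tracked-route (SLA) flaps with LAN-to-LAN tunnel teardowns.

Added example, not code from the thread or from Cisco. The log lines are
constructed; the message IDs (622001 tracked route added/removed,
602303/602304 IPsec SA created/deleted) are what I expect the ASA to emit
and should be checked against your own syslog before relying on the counts.
"""
import re
from datetime import datetime, timedelta

# Anchor only on the %ASA-<severity>-<id>: token; what precedes it depends on
# the syslog server and on "logging timestamp" being enabled on the ASA.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"
ROUTE_RE = re.compile(r"^(?P<action>Adding|Removing) tracked route \S+ \S+ (?P<gw>[^,]+),")
SA_RE = re.compile(r"LAN-to-LAN SA \(SPI= \S+\) between (?P<local>\S+) and (?P<peer>\S+)")

# Constructed sample: one SLA flap (route pulled at 10:15:02, restored at 10:15:41)
# tears the tunnel down twice; the 18:40 drop has no route change anywhere near it.
SAMPLE_LOG = """\
Mar 10 2021 10:14:55 asa-edge : %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.200/443 (198.51.100.200/443) to inside:10.0.0.5/51234 (203.0.113.10/51234)
Mar 10 2021 10:15:02 asa-edge : %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, table default, on interface outside
Mar 10 2021 10:15:03 asa-edge : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC1A2B3D4) between 203.0.113.10 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Mar 10 2021 10:15:03 asa-edge : %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7E8F9A0B) between 203.0.113.10 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Mar 10 2021 10:15:09 asa-edge : %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x11223344) between 192.0.2.10 and 198.51.100.1 (user= 198.51.100.1) has been created.
Mar 10 2021 10:15:41 asa-edge : %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 203.0.113.1, distance 1, table default, on interface outside
Mar 10 2021 10:15:44 asa-edge : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x11223344) between 192.0.2.10 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Mar 10 2021 18:40:12 asa-edge : %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x55667788) between 203.0.113.10 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
"""


def parse_events(text):
    """Return the route-change and SA events found in the log, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, mid, msg = datetime.strptime(m["ts"], TS_FMT), m["id"], m["msg"]
        if mid == "622001" and (r := ROUTE_RE.match(msg)):
            kind = "route_removed" if r["action"] == "Removing" else "route_added"
            events.append({"ts": ts, "kind": kind, "gw": r["gw"]})
        elif mid in ("602303", "602304") and (s := SA_RE.search(msg)):
            kind = "sa_created" if mid == "602303" else "sa_deleted"
            events.append({"ts": ts, "kind": kind, "peer": s["peer"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_s=60, dedupe_s=5):
    """Count tunnel teardowns and how many sit within window_s of a route change.

    One teardown logs several SA deletions (inbound and outbound, one per SPI),
    so deletions for the same peer within dedupe_s are folded into one episode.
    """
    window, dedupe = timedelta(seconds=window_s), timedelta(seconds=dedupe_s)
    route_changes = [e for e in events if e["kind"].startswith("route_")]
    report = {"route_changes": len(route_changes), "tunnel_drops": 0,
              "drops_near_route_change": 0, "details": []}
    last_drop = {}
    for e in events:
        if e["kind"] != "sa_deleted":
            continue
        prev = last_drop.get(e["peer"])
        if prev is not None and e["ts"] - prev <= dedupe:
            continue  # same teardown, another SPI
        last_drop[e["peer"]] = e["ts"]
        report["tunnel_drops"] += 1
        closest = min(route_changes, key=lambda r: abs(r["ts"] - e["ts"]), default=None)
        if closest is not None and abs(closest["ts"] - e["ts"]) <= window:
            report["drops_near_route_change"] += 1
            report["details"].append(
                (e["ts"].isoformat(), e["peer"], closest["kind"], closest["gw"]))
    return report


def analyze(text, window_s=60):
    return correlate(parse_events(text), window_s)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print(f"route changes: {rep['route_changes']}, tunnel drops: {rep['tunnel_drops']}, "
          f"within 60 s of a route change: {rep['drops_near_route_change']}")
    for ts, peer, kind, gw in rep["details"]:
        print(f"  {ts} peer {peer} <- {kind} via {gw}")
```

A high share of teardowns sitting next to a route change points at the failover mechanism rather than at IKE or the remote peer; pairs of 622001 messages seconds apart, with no real ISP outage behind them, are the flap itself. Feed the script the collector's file for a day and compare the ratio against the number of SLA misses the ASA reports.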

 

Hi,
I would use your ISP GW address as your target for SLA. If you are using an address further down in the "Internet", it might not be your ISP that is down overall.
If the SLA is failing over, then your VPN will be building over the second ISP and then rebuilding over the normal ISP when it comes back up, which may be causing problems. VPNs are sensitive souls...
Highly likely this drop won't be noticed by "normal" traffic / end users when surfing the net, etc.

This is resolved after changing the SLA IP address to the ISP gateway.

 

Thanks for the support.
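The accepted answer and the fix the original poster reported (SLA target moved to the ISP gateway) can be turned into a check run against the running config before a tunnel starts flapping. The following is an added example, not code from this thread or from Cisco: it parses the sla monitor / track / route lines of an ASA dual-ISP setup, flags a tracked default route whose SLA probes a target other than that route's own gateway, flags probes sourced from a different interface than the tracked route, and then applies the thread's fix by retargeting the SLA. The sla monitor lines are the ones posted above; the track and route lines and the gateway addresses 203.0.113.1 (ISP1) and 198.51.100.254 (ISP2) are assumed for illustration.

```python
"""Audit an ASA dual-ISP failover config: does the SLA probe the ISP gateway?

Added example, not code from the thread or from Cisco. The sla monitor lines
are the ones posted in the thread (target 4.2.2.2); the track and route lines
and the gateway addresses 203.0.113.1 / 198.51.100.254 are assumed.
"""
import re

SLA_HDR = re.compile(r"^sla monitor (?P<sla>\d+)\s*$")
SLA_ECHO = re.compile(r"^\s*type echo protocol ipIcmpEcho (?P<target>\S+) interface (?P<iface>\S+)\s*$")
TRACK = re.compile(r"^track (?P<track>\d+) rtr (?P<sla>\d+) reachability\s*$")
DEFAULT_ROUTE = re.compile(
    r"^route (?P<iface>\S+) 0\.0\.0\.0 0\.0\.0\.0 (?P<gw>\S+)"
    r"(?: (?P<metric>\d+))?(?: track (?P<track>\d+))?\s*$")

# Weak setting as posted (probe to 4.2.2.2) with assumed track/route lines:
# the primary default route on "outside" follows track 1, the backup has a high metric.
WEAK_CONFIG = """\
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.254 254
"""


def parse_failover(config):
    """Pull out echo SLAs, reachability tracks and default routes."""
    slas, tracks, routes, current = {}, {}, [], None
    for line in config.splitlines():
        if m := SLA_HDR.match(line):
            current = m["sla"]
        elif (m := SLA_ECHO.match(line)) and current is not None:
            slas[current] = {"target": m["target"], "iface": m["iface"]}
        elif m := TRACK.match(line):
            tracks[m["track"]] = m["sla"]
        elif m := DEFAULT_ROUTE.match(line):
            routes.append({"iface": m["iface"], "gw": m["gw"],
                           "metric": int(m["metric"] or 1), "track": m["track"]})
    return slas, tracks, routes


def audit(config):
    """Return a list of findings; an empty list means the failover setup is sound."""
    slas, tracks, routes = parse_failover(config)
    findings = []
    tracked = [r for r in routes if r["track"]]
    if not tracked:
        findings.append("no default route is tied to a track; failover will not happen")
    for r in tracked:
        sla = slas.get(tracks.get(r["track"], ""))
        if sla is None:
            findings.append(f"track {r['track']} has no reachability SLA behind it")
            continue
        if sla["iface"] != r["iface"]:
            findings.append(f"SLA probes leave {sla['iface']} but the tracked route is on {r['iface']}")
        if sla["target"] != r["gw"]:
            findings.append(
                f"SLA target {sla['target']} is not the {r['iface']} gateway {r['gw']}: "
                "a drop beyond the ISP flips the route and rebuilds the VPN")
        for b in (b for b in routes if not b["track"]):
            if b["metric"] <= r["metric"]:
                findings.append(f"backup route via {b['gw']} metric {b['metric']} "
                                "does not yield to the tracked route")
    return findings


def retarget_sla(config, sla_id, new_target):
    """Point one SLA's echo probe at a new target (the fix the thread settled on)."""
    out, current = [], None
    for line in config.splitlines():
        if m := SLA_HDR.match(line):
            current = m["sla"]
        elif current == sla_id and (m := SLA_ECHO.match(line)):
            line = line.replace(m["target"], new_target, 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("as posted:", audit(WEAK_CONFIG) or "no findings")
    fixed = retarget_sla(WEAK_CONFIG, "123", "203.0.113.1")
    print("retargeted:", audit(fixed) or "no findings")
    print(fixed)
```

The trade-off the accepted answer hints at still applies: probing the first-hop gateway only detects a dead link or gateway, not an outage deeper in the ISP's network, so a target that is down more often than your ISP (as 4.2.2.2 was here) costs more in VPN rebuilds than it buys in failover coverage.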
