EasyVPN 2921 to ASA

smolz
Level 4

I have a 2921 that is connected to an ASA (8.2.5) using EasyVPN in network extension mode; the ASA is the server.

It is set up with split tunneling with a handful of subnets that are configured to go across the VPN tunnel. The router connects successfully and I can pass traffic back and forth.

The issue I am having is that if I let the router sit for a while I can no longer connect to it from one of the subnets that are allowed.

If I do a show crypto ipsec sa from the router I see all of the subnets that are allowed; if I do that on the ASA I usually only see one subnet. That subnet is the one that most of the traffic is to/from; the others are very occasional. Now if I go to a host on the other side of the tunnel and ping a host in one of the other subnets, I see the tunnel re-establish and after 1 dropped ping it is successful.

Then if I go back to the original host that wasn't working, it now works. So it seems that the unused subnets are falling off the tunnel until accessed from the remote side back. Is that expected behavior?

3 Replies

Raja Periyasamy
Level 1

Is the client configured to connect always, or is it configured to connect only when interesting traffic is seen?

If the SA is seen on the router and not seen on the ASA, then the router will try to encrypt the traffic and send it across, and the ASA will drop it, saying that the packet was received with an invalid SPI.

The client is the router and the router always has all of the SAs. It is the ASA that does not have the other SAs.

If I do a show crypto ipsec sa from the router I see all of the subnets that are allowed; if I do that on the ASA I usually only see one subnet. That subnet is the one that most of the traffic is to/from; the others are very occasional. Now if I go to a host on the other side of the tunnel and ping a host in one of the other subnets, I see the tunnel re-establish and after 1 dropped ping it is successful.

Let me draw it out in 2 steps: the first when the tunnel establishes, and then after some amount of time.

Tunnel newly established

Router (Client) -------------------> ASA (Hub)
SAs                                  SAs
10.1.1.0/24                          10.1.1.0/24
10.1.2.0/24                          10.1.2.0/24
10.1.3.0/24                          10.1.3.0/24

After some time of the tunnel being established

Router (Client) -------------------> ASA (Hub)
SAs                                  SAs
10.1.1.0/24                          10.1.1.0/24
10.1.2.0/24
10.1.3.0/24

I'd suggest you set up an IP SLA on the client side (router) to keep the SA alive.

The other solution is configuring "crypto ipsec security-association idle-time seconds" or "crypto ipsec security-association dummy" (this option is similar to IP SLA, which constantly sends dummy packets).

Please rate replies and mark question as "answered" if applicable.
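A worked IOS configuration for the IP SLA keepalive suggested in the reply above, added here as an example; it is not from the thread or from either poster. It assumes the 10.1.2.0/24 and 10.1.3.0/24 networks from the diagram are the rarely used split-tunnel subnets behind the ASA, that 10.1.2.10 and 10.1.3.10 are hosts in them that answer ICMP, that the router's inside interface (the one in the network-extension-mode network) is GigabitEthernet0/1, and that a 60-second probe interval is shorter than whatever is expiring the SA on the ASA. The addresses, interface name, operation numbers and interval are all assumptions.

```cisco
! Added example, not the thread's own configuration.
! One ICMP probe per rarely used split-tunnel subnet, sourced from the
! inside interface so the packet matches the EasyVPN interesting traffic
! and is encrypted; sourced from the WAN interface it would leave in clear
! and keep nothing alive.
!
! Assumed: 10.1.2.10 is a host in 10.1.2.0/24 behind the ASA.
ip sla 1
 icmp-echo 10.1.2.10 source-interface GigabitEthernet0/1
 frequency 60
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Assumed: 10.1.3.10 is a host in 10.1.3.0/24 behind the ASA.
ip sla 2
 icmp-echo 10.1.3.10 source-interface GigabitEthernet0/1
 frequency 60
 timeout 2000
ip sla schedule 2 life forever start-time now
!
! Optional: track the probes so a dead path shows up in
! "show track" and in syslog instead of silently failing.
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
```

To confirm it is doing what the thread wants, on the router run "show ip sla statistics" (each operation should report successes incrementing every minute) and "show crypto ipsec sa" (the #pkts encaps counter for the 10.1.2.0/24 and 10.1.3.0/24 SAs should now climb steadily). On the ASA, "show crypto ipsec sa" should keep listing all three remote idents after the router has been idle for the period that previously caused the subnets to drop out; if an SA still disappears while its probe is succeeding, the probe is not traversing that SA and the source interface or target address is wrong.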