03-04-2009 04:35 AM
Hi,
I've got the following scenario:
[HQ_ASA5510_7.2(4)]
|
|
|
[[INTERNET]]
|
|
|
[(DynIP)ADSL_Router with NAT]
|
|
|
[(PrivIP)BRANCH_ASA5505_7.2(4)_EZvpn]
All the configuration was done via ASDM. The branch ASA is configured as an EasyVPN hardware client. The VPN connection can be established without a problem.
The problem occurs when the ADSL line at the branch site disconnects once every 24 hours and gets a new public IP. Note: the branch ASA is behind an ADSL router (which is not under our control). After the disconnect the VPN tunnel does not seem to pass traffic. According to both ASAs the tunnel is up, and does not get torn down by the ADSL disconnect.
As a workaround I have set the SA lifetime value from the default 8 hours to 10 minutes. After the ADSL line disconnects, and the lifetime expires, the key is recalculated and the tunnel passes traffic again...meaning that the disconnect will last 10 min in the worst case.
We will have 10 more branch offices soon. Will this short SA lifetime have a negative effect on the HQ_ASA5510? We have 3 branch offices running with an SA lifetime of 10 min, but the CPU load on the HQ_ASA is hardly noticeable at the moment.
I would like to find a more elegant solution, since a 10 min disconnect is still unacceptable (clients working on a Terminal Server in HQ). An expert told me that this issue was resolved in ASA 8.0(4), but I had the same problem running the same setup in a test lab on ASA 8.0(4). Also I've had some problems with the 8.0(4) version and QoS, so I want to avoid upgrading. Maybe I am missing something?
Any advice would be appreciated!
Ingo
03-04-2009 07:16 AM
Do you have keepalives enabled on both sides? Since the IP address of the "peer" changes (ADSL that NATs), the VPN server should not be able to reach the old IP with DPD, hence causing the tunnel to renegotiate. On the VPN client this might not apply though, but the headquarters renegotiating should make the client do that too.
03-09-2009 03:58 AM
Thank you very much for the reply! Yes, keepalives are enabled on the HQ ASA for the correct tunnel group (default 300 sec for EasyVPN). I suppose the branch ASA will inherit this setting because of EasyVPN? I have also tried changing it to a lower value (e.g. 10 sec as in L2L), but it didn't make a difference. Even if no traffic at all is attempting to pass through the tunnel, in which case keepalives should definitely be sent.
Is this a known issue if the ASA is behind an ADSL router with NAT? If not I will try to set up the lab again with a clean configuration and do some more in-depth troubleshooting.
04-22-2009 03:35 AM
Dear Ingo,
I have this scenario with the ASA5510 behind the ADSL router in HO, which does the static NAT. The clients using VPN clients can establish the VPN, but the problem is with the branch ADSL router 877. I have configured it to use the EzVPN remote feature to connect to the ASA, but it fails. Any idea on this?
Afshan
04-23-2009 08:38 PM
Hi,
make sure you have NAT-Traversal turned on. Otherwise check the logs for errors...those will point you in the right direction.
Ingo
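For reference, the settings the replies in this thread refer to (DPD keepalives, NAT-Traversal, and the shortened SA lifetime workaround from the first post), written out as an added ASA 7.2 CLI example; this is not configuration posted by either participant, and the names EZVPN_GROUP, DYN_MAP, HQ_PUBLIC_IP and GROUP_KEY_PLACEHOLDER are placeholders.

```cisco
! --- HQ ASA 5510 (7.2(4)), EasyVPN server side; names are placeholders ---
! NAT-Traversal: the branch ASA sits behind a NATing ADSL router, so ESP
! must be carried in UDP/4500. Send a NAT keepalive every 20 seconds.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
!
! Dead Peer Detection for the EasyVPN tunnel group. The default threshold
! is 300 s; 10 s / retry 2 s lets HQ notice a vanished peer quickly after
! the branch public IP changes, so the stale SA is torn down, not kept "up".
tunnel-group EZVPN_GROUP ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! Workaround from the first post: Phase 2 SA lifetime shortened from the
! default 28800 s (8 h) to 600 s (10 min) on the dynamic crypto map.
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 600
!
! --- Branch ASA 5505 (7.2(4)), EasyVPN hardware client ---
! Network-extension mode with auto-connect, so the tunnel is brought up
! again without waiting for user traffic. HQ_PUBLIC_IP is a placeholder.
vpnclient server HQ_PUBLIC_IP
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup EZVPN_GROUP password GROUP_KEY_PLACEHOLDER
vpnclient enable
!
! --- Verification on HQ after an ADSL reconnect at the branch ---
! The peer address in the ISAKMP SA should be the router's NEW public IP,
! and both the encaps and decaps counters of the IPsec SA should increase.
show crypto isakmp sa
show crypto ipsec sa peer <branch-new-public-ip>
show vpn-sessiondb remote
```

If the ISAKMP SA still shows the old public IP while the counters stand still, DPD has not fired on the server side and that is the setting to investigate before touching the SA lifetime.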