IPSec dropping between ASA routers

Dustin Barnett
Level 1

Hi,

I'm having a problem with a single tunnel dropping. It seems to go down approximately every 30 minutes and then reconnects automatically, but the downtime is causing issues because the apps being used require a constant connection.

Both ends are ASA devices, and both ends have multiple tunnels going to other destinations that are solid.

   A---B
  /     \
 C       D

Routers A and B are experiencing the dropped connections. Routers C and D have no problems with dropped connections. I was thinking it may be an ISP issue, but since both ends have tunnels with no issues it seems to rule that out.

Generally seeing this in the logs before disconnecting:

Group = 12.198.x.x, IP = 12.198.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

Thanks in advance!

Update:
The tunnel seems to be dropping when there is no VPN traffic. A ping to the remote network will re-establish the connection, but it will die quickly after that.  Keep alive settings are configured the same as the other tunnel that is not having a problem.
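Before changing timers it helps to confirm from the syslog whether the drops really come at a fixed interval (which points at a lifetime or timeout) or only after idle periods. The following script is an added example and not part of the original post: it pulls every DPD-initiated teardown (the "IKE lost contact with remote peer" message quoted above) out of an ASA syslog excerpt, groups them by peer, and reports the gaps between consecutive drops. The sample log lines, peer addresses and timestamps are constructed for this example; the message IDs on them are assumed, and the code matches on the message text, not the ID.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample ASA syslog excerpt (not the poster's logs). Peers and
# timestamps are made up; the DPD line text is the message quoted in the
# post. Assumes "logging timestamp" is on, so each line begins with
# "Mon DD YYYY HH:MM:SS:".
SAMPLE_LOG = """\
Jun 12 2010 09:00:02: %ASA-5-713120: Group = 12.198.0.1, IP = 12.198.0.1, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Jun 12 2010 09:31:10: %ASA-4-713123: Group = 12.198.0.1, IP = 12.198.0.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jun 12 2010 09:31:40: %ASA-5-713120: Group = 12.198.0.1, IP = 12.198.0.1, PHASE 2 COMPLETED (msgid=0a1b2c3e)
Jun 12 2010 10:02:05: %ASA-4-713123: Group = 12.198.0.1, IP = 12.198.0.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jun 12 2010 10:33:40: %ASA-4-713123: Group = 12.198.0.1, IP = 12.198.0.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jun 12 2010 11:01:55: %ASA-4-713123: Group = 12.198.0.1, IP = 12.198.0.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jun 12 2010 13:00:00: %ASA-4-713123: Group = 203.0.113.7, IP = 203.0.113.7, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""

# Matches only the DPD teardown message; the numeric message ID is not used.
DPD_DROP = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-\d+: "
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), "
    r"IKE lost contact with remote peer, deleting connection "
    r"\(keepalive type: (?P<type>\w+)\)$"
)


def parse_dpd_drops(log_text):
    """Return {peer_ip: [datetime, ...]} for every DPD-initiated teardown."""
    drops = {}
    for line in log_text.splitlines():
        m = DPD_DROP.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        drops.setdefault(m.group("ip"), []).append(ts)
    for times in drops.values():
        times.sort()
    return drops


def drop_intervals(times):
    """Seconds between consecutive drops for one peer, in log order."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def summarize(log_text, tolerance=0.2):
    """Per-peer drop count and gap statistics. A peer is flagged 'periodic'
    when the spread of its gaps is within `tolerance` of the median gap,
    which is what a fixed lifetime or timeout looks like; random ISP loss
    or idle-triggered drops do not line up this neatly."""
    report = {}
    for peer, times in parse_dpd_drops(log_text).items():
        gaps = drop_intervals(times)
        entry = {"drops": len(times), "median_gap_s": None, "periodic": False}
        if gaps:
            med = median(gaps)
            entry["median_gap_s"] = med
            entry["min_gap_s"] = min(gaps)
            entry["max_gap_s"] = max(gaps)
            entry["periodic"] = len(gaps) >= 2 and (max(gaps) - min(gaps)) / med <= tolerance
        report[peer] = entry
    return report


if __name__ == "__main__":
    for peer, stats in summarize(SAMPLE_LOG).items():
        print(peer, stats)
```

On the constructed sample the A-B peer shows four drops with a median gap just over 30 minutes and a tight spread, so it is flagged periodic, while the healthy peer with a single drop is not. Run it against the real syslog from both ASAs and compare the peer that drops with the peers that do not; if the gaps are tight, the next thing to compare is the negotiated lifetimes and keepalive timers on the two ends.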

6 Replies

martin_knorre
Level 1

Hi Dustin,

The debugging indicates that it's maybe a failure because of the timeout in the Group Policy on the ASA.

It can be that the default policy is active at one tunnel endpoint, doesn't recognize that data, and after 30 min (default value) sets its timeout.

Regards

Martin

Thanks for the reply. I am leaning towards a keep alive problem, probably on the remote end I'm guessing. It looks like the 30 minute figure was random... Looking into it further it seems that any time there is no traffic over the tunnel it drops. Pinging an address on the other side brings the tunnel back up, but this causes problems in our apps.

Do you know what keep alive settings I should check for on both ends?

Thanks!

I was comparing the settings in the VPN Statistics -> Sessions area of the ASDM, and noticed a difference but haven't been able to change it yet:

Router A: Rekey Data Interval: 3825000 K-Bytes

Router B: Rekey Data Interval: 4608000 K-Bytes

I have checked all settings through the GUI and they seem to match up normally.

Hey Dustin,

Are you using the same ASA version on both FWs?

What you described was my first idea about the problem, but yesterday I read in some study guides of a colleague that the problem can be either a mismatch in versions, the IKE keepalive (Tunnel Groups) or the crypto map keepalive (Security Association Lifetime settings).

Can you set the keepalive time value to 24 hours and the data volume to 1 GB before the lifetime runs out? And if you can, test other values like 10 minutes and less than 50 MB so you can see whether that causes the problem.

Regards

Martin
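The two settings Martin names live in different places on an ASA: the IKE keepalive (DPD) timers under the tunnel-group's ipsec-attributes, and the IPsec SA lifetime on the crypto map entry for the peer. The fragment below is an added example, not configuration from either ASA in this thread; the peer address, crypto map name and sequence number, ACL and transform-set names are hypothetical, and the syntax is ASA 8.x. It shows the first test values Martin proposes (24 hours, about 1 GB) and the show commands used to confirm what was actually negotiated. For reference, the ASA's default IPsec SA lifetime is 28800 seconds and 4608000 kilobytes, and when the two ends are configured differently the effective lifetime is the smaller of the two.

```text
! Added example, not from the thread. Peer, map name, sequence number,
! ACL and transform-set names are hypothetical; syntax is ASA 8.x.
! Apply the same values on BOTH ASAs, then compare the negotiated result.

! IKE (phase 1) keepalive for this peer. threshold = seconds of idle
! before the ASA starts sending DPD probes; retry = seconds between
! retries while the peer does not answer. Must be enabled on both ends.
tunnel-group 12.198.0.1 type ipsec-l2l
tunnel-group 12.198.0.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! IPsec (phase 2) SA lifetime on the crypto map entry for this peer:
! 24 hours and 1,000,000 KB (about 1 GB), Martin's first test values.
! ASA defaults are 28800 seconds and 4608000 kilobytes.
crypto map outside_map 10 match address acl-A-to-B
crypto map outside_map 10 set peer 12.198.0.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map 10 set security-association lifetime kilobytes 1000000

! Verify on each ASA that the negotiated values match the configured ones:
! show isakmp sa
! show crypto ipsec sa peer 12.198.0.1
! show run tunnel-group 12.198.0.1
```

Treat the long lifetimes as a diagnostic step rather than a permanent setting: a longer time or byte lifetime means more traffic is protected under one key before rekey, so once the cause is found, bring the values back to something both ends agree on and that fits the traffic volume.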

The version on the remote end is 8.0(2). The other side is 8.2(1).

Unfortunately, the remote end is quite far, so I don't have physical access to it, making an upgrade difficult.

I'll look into trying the other suggestions.

It looks like the problem was an internal IP conflict. We also adjusted DPD timeout settings, so it may have been a combination of both.

The tunnel is now working normally.