L2L vpn between ASA 5505 Version 7.2(4) and PIX 506E Version 6.3(5)125

realmatrix
Level 1

Hi everybody,

I have some difficulties with a VPN. On both sites the SA is configured with a lifetime of 8 hours and a max data of 536870912 KB - this is the max amount supported on the PIX 506E.

The tunnel is up and running but it does not remain built for the configured lifetime. Sometimes it is still up for 2 hours and sometimes for 30 min. When the tunnel is going down I see the following syslog messages:

[from ASA]

Jun 28 09:46:25 fw-syslog-messages Outside_IP_ASA %ASA-6-713219: IP = Outside_IP_PIX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Jun 28 09:46:26 fw-syslog-messages Outside_IP_ASA %ASA-7-710006: ESP request discarded from Outside_IP_PIX to OUTSIDE:Outside_IP_ASA

Jun 28 09:46:30 fw-syslog-messages Outside_IP_ASA %ASA-7-713236: IP = Outside_IP_PIX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 144

...

[from ASA END]

Then a new SA will be started

[from PIX]

Jun 28 09:46:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)

...

[from PIX END]

[from ASA]

Jun 28 09:46:30 fw-syslog-messages Outside_IP_ASA %ASA-7-713236: IP = Outside_IP_PIX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84

Jun 28 09:46:30 fw-syslog-messages Outside_IP_ASA %ASA-7-715047: IP = Outside_IP_PIX, processing SA payload

...

[from ASA END]

and a new tunnel is up.

This occurs sporadically and is remarkable because our application is connecting through the tunnel to a MySQL DB.

Configs are attached!

What can I do to make sure that the tunnel works for 8 hours uninterrupted?

Thanks for your suggestions

6 Replies

Jennifer Halim
Cisco Employee

Can you try removing the kilobytes lifetime and just have the seconds lifetime configured on both ends?

It was already without kB in the SA. I added the kB after I saw it in the running-config from the ASA - without any configuration by me, maybe a default SA config on the ASA - with an amount of 4608000 kB.

Since the data we transport through the VPN is greater than this amount in 2 hours (up to 2 GB), I decided to set the max amount supported by the PIX on the other site.

But same behavior.
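The two questions raised so far (why the tunnel is rebuilt after 30 minutes instead of 8 hours, and whether the kilobyte lifetime is what triggers the early rekey at roughly 2 GB per 2 hours of traffic) can both be checked from the syslog export. The following is an added example written for this thread; it is not code from the original post, from Cisco, or from either device. It parses lines in the `%ASA-`/`%PIX-` formats quoted above, measures the time between consecutive ISAKMP Phase 1 exchanges (message 702208), flags rebuilds that happen well before the configured lifetime, counts the 710006 ESP discards that a clean rekey should not produce, and estimates when a kilobyte lifetime would run out at a given throughput. The log lines are constructed from the formats in the post (with the `Outside_IP_*` placeholders kept as written), the year used to parse the syslog timestamps is arbitrary because only intervals matter, and the 10% rekey slack is an assumption:

```python
# Added example (not from the thread or from Cisco): measure IKE tunnel lifetime
# from ASA/PIX syslog lines and compare time- and volume-based rekey triggers.
import re
from datetime import datetime

CONFIGURED_LIFETIME_S = 8 * 3600      # 8-hour lifetime configured on both peers
DEFAULT_ASA_KB_LIFETIME = 4_608_000   # kB lifetime that showed up in the ASA running-config
PIX_MAX_KB_LIFETIME = 536_870_912     # largest kB lifetime the PIX 506E accepts
ASSUMED_YEAR = 2000                   # syslog timestamps carry no year; only intervals matter

# Constructed sample log: two Phase 1 exchanges 30 minutes apart, then one 8 hours later.
SAMPLE_LOG = """\
Jun 28 09:16:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
Jun 28 09:46:25 fw-syslog-messages Outside_IP_ASA %ASA-6-713219: IP = Outside_IP_PIX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 28 09:46:26 fw-syslog-messages Outside_IP_ASA %ASA-7-710006: ESP request discarded from Outside_IP_PIX to OUTSIDE:Outside_IP_ASA
Jun 28 09:46:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
Jun 28 09:46:30 fw-syslog-messages Outside_IP_ASA %ASA-7-713236: IP = Outside_IP_PIX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
Jun 28 17:46:31 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
"""

# "<timestamp> <relay host> <device> %ASA|PIX-<severity>-<msg id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<device>\S+) "
    r"%(?P<platform>ASA|PIX)-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<text>.*)$"
)


def parse_events(log_text):
    """Return one dict per recognised %ASA/%PIX syslog line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a firewall message
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "device": m["device"], "platform": m["platform"],
                       "severity": int(m["sev"]), "msg_id": m["msg_id"], "text": m["text"]})
    return events


def phase1_starts(events):
    """Timestamps at which the PIX logged a new ISAKMP Phase 1 exchange (702208)."""
    return [e["ts"] for e in events if e["msg_id"] == "702208"]


def rekey_intervals(starts):
    """Seconds between consecutive Phase 1 exchanges: how long each tunnel instance lived."""
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def premature_rekeys(intervals, lifetime_s=CONFIGURED_LIFETIME_S, slack=0.10):
    """Intervals shorter than the lifetime minus a slack margin. Peers normally start
    rekeying a little before expiry, so the 10% margin (an assumption) avoids
    flagging a healthy early rekey."""
    return [i for i in intervals if i < lifetime_s * (1 - slack)]


def esp_discards(events):
    """Count 710006 messages: ESP arriving while no usable SA exists. With a clean
    rekey the old SA stays in use until the new one is up, so this should be 0."""
    return sum(1 for e in events if e["msg_id"] == "710006")


def seconds_until_volume_rekey(kb_lifetime, bytes_per_second):
    """Time until a kilobyte lifetime is exhausted at a steady throughput."""
    return kb_lifetime * 1024 / bytes_per_second


def expected_rekey_trigger(lifetime_s, kb_lifetime, bytes_per_second):
    """'volume' if the kB budget runs out before the time lifetime, else 'time'."""
    volume_s = seconds_until_volume_rekey(kb_lifetime, bytes_per_second)
    return "volume" if volume_s < lifetime_s else "time"


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    intervals = rekey_intervals(phase1_starts(events))
    print("tunnel lifetimes (s):", intervals)
    print("premature rebuilds (s):", premature_rekeys(intervals))
    print("ESP discards during rebuild:", esp_discards(events))
    rate = 2 * 1024**3 / 7200  # 2 GB in 2 hours, the figure given in the thread
    for label, kb in (("ASA default", DEFAULT_ASA_KB_LIFETIME), ("PIX maximum", PIX_MAX_KB_LIFETIME)):
        print(f"{label}: kB lifetime exhausted after "
              f"{seconds_until_volume_rekey(kb, rate) / 3600:.1f} h, "
              f"trigger = {expected_rekey_trigger(CONFIGURED_LIFETIME_S, kb, rate)}")
```

Feeding a real syslog export into `parse_events` and then `rekey_intervals` tells you directly whether the rebuilds cluster at a fixed interval (a lifetime or dead-peer-detection setting) or are scattered (path or peer instability), and any non-zero `esp_discards` count is evidence that the old SA was torn down before the replacement was ready, which is not how a normal lifetime rekey behaves. At the stated 2 GB per 2 hours, the 4608000 kB default is exhausted after about 4.4 hours, so it would cause a rekey before the 8-hour timer but cannot explain a rebuild after 30 minutes; the PIX maximum would not run out for weeks.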

This is actually strange because the data transported within the VPN tunnel should not get dropped.

The VPN will actually negotiate for a new key prior to the lifetime expiry, and in the meantime it will continue to use the old SA until the newly created SA is established.

Also, you are running a very very old version of PIX code. You might look to upgrade it.

What's the available image for the 506E?

The latest version available on the PIX 506E is 8.0.4(28).

OK, I'll see when I can upgrade it. I think the configuration will change with version 8.

I hope you're right and the upgrade will solve my issue.

I'll give you an update in the next few days.

Thanks