10-14-2010 06:20 PM
We have a site-to-site IPsec tunnel between an ASA5510 in our datacenter and an ASA5510 at a customer's datacenter. The tunnel has been up for years without any issue. There is another firewall at the customer's premises in front of the ASA5510. Recently, the tunnel started going down after a few hours, and there are two things we can do to re-establish the connection: one is to reload one of the two ASAs on either side, the other is to change an IPsec setting such as NAT-T to enabled (or disabled). Then the tunnel comes right back up, but the outage happens again.
What could this be? We have been trying to fix this for two weeks now, and I've decided to reach out to the collective wisdom of this community. Please help us!
10-15-2010 08:34 AM
Are you using NAT-T (udp/4500) or "straight" udp/500 + ESP/AH?
If you're not using NAT-T, maybe the problem is the connection for IKE expiring on the firewall in front?
Maybe extending the timeout for udp/500 could help? On ASA/FWSM default timeout for UDP is 2 minutes of inactivity.
Marcin
10-15-2010 02:38 PM
Using NAT-T and ESP/AH. We have interesting traffic going across every 30 seconds, so I don't think it's the timeout issue.
What else could this be?
10-15-2010 02:59 PM
It cannot be NAT-T and ESP/AH at the same time ;-)
If you're using NAT-T (and I mean if it's in effect not just configured) all your ESP/AH traffic is encapsulated into udp/4500.
If you're not using NAT-T you will have an IKE session up (udp/500) and an ESP/AH channel. If you're using this and sending traffic all the time, ESP/AH will not time out but udp/500 may ...
Well, start with checking the basics: vpn-session-timeout and vpn-idle-timeout on the VPN endpoints.
Monitor connections being created/torn down on the device in between.
Check the logs on the VPN endpoints to see what the reason for tearing down the tunnel was: "Lost service"?
Marcin
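An added example (not from this thread) that applies Marcin's two checks to ASA syslog: it parses UDP connection teardown messages from the firewall in between and flags udp/500 (or udp/4500) flows whose lifetime matches the UDP idle timeout, then pulls the tunnel teardown reason from the VPN endpoint. The log lines, addresses and connection IDs are constructed; the syslog message IDs are assumed to be the standard ASA ones.

```python
import re

# Constructed ASA syslog sample (not from the thread). Flow 9001 (udp/500) and
# 9003 (udp/4500) die after ~2 minutes, the ASA default UDP idle timeout; flow
# 9002 lives much longer, as an IKE session that kept seeing packets would.
SAMPLE_LOG = """\
Oct 14 2010 13:01:02: %ASA-6-302015: Built outbound UDP connection 9001 for outside:203.0.113.10/500 (203.0.113.10/500) to inside:192.0.2.20/500 (192.0.2.20/500)
Oct 14 2010 13:03:04: %ASA-6-302016: Teardown UDP connection 9001 for outside:203.0.113.10/500 to inside:192.0.2.20/500 duration 0:02:02 bytes 1456
Oct 14 2010 13:03:04: %ASA-6-302016: Teardown UDP connection 9003 for outside:203.0.113.10/4500 to inside:192.0.2.20/4500 duration 0:02:01 bytes 9000
Oct 14 2010 13:57:10: %ASA-6-302016: Teardown UDP connection 9002 for outside:203.0.113.10/500 to inside:192.0.2.20/500 duration 0:55:40 bytes 2912
Oct 14 2010 13:58:30: %ASA-5-713259: Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: Lost Service
"""

# 302016 = UDP connection teardown (assumed standard ASA message ID).
TEARDOWN_RE = re.compile(
    r"%ASA-6-302016: Teardown UDP connection (?P<id>\d+) for \S+/(?P<sport>\d+) "
    r"to \S+/(?P<dport>\d+) duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})")
# 713259 = IPsec session torn down, with reason (assumed standard ASA message ID).
REASON_RE = re.compile(r"%ASA-5-713259: .*Reason: (?P<reason>.+)$")


def udp_teardowns(log_text, port):
    """Return [(conn_id, duration_seconds)] for UDP flows torn down on `port`."""
    out = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m and port in (int(m["sport"]), int(m["dport"])):
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            out.append((int(m["id"]), secs))
    return out


def idle_timeout_suspects(log_text, port=500, idle_timeout=120, slack=5):
    """Flows on `port` whose lifetime sits within `slack` seconds of the UDP
    idle timeout (ASA default: 2 minutes). A flow that carried only an initial
    exchange and then sat idle lives for exactly the timeout before the
    intermediate firewall expires it, which is the pattern to look for when
    the VPN endpoints themselves report nothing wrong."""
    return [(cid, secs) for cid, secs in udp_teardowns(log_text, port)
            if abs(secs - idle_timeout) <= slack]


def tunnel_teardown_reasons(log_text):
    """Reasons the VPN endpoint logged for tearing down the IPsec session."""
    return [m["reason"] for m in map(REASON_RE.search, log_text.splitlines()) if m]
```

Run `idle_timeout_suspects` against the logs of the firewall in front with `port=500` if NAT-T is not in effect and `port=4500` if it is, and compare the timestamps of the flagged teardowns with the "Lost Service" events on the ASA endpoints.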