03-06-2010 02:27 PM - edited 02-21-2020 04:32 PM
Hello
I have a Central Office with a Cisco ASA 5510 connected to several remote locations with ASA5505
The site-to-site VPNs work well, but sometimes some of them fail. After some research I found that, in that situation, the IKE and IPSec SAs are working, but traffic only crosses the tunnel in one direction. As an example, if I ping a remote host, it receives the ping request and sends the ping reply, but this reply never crosses the tunnel back.
As far as I know, it seems to happen randomly, at least I couldn't find a pattern. I tried logging out the tunnel by means of the ASDM but, when the tunnel re-establishes, the same happens. The only solution is to force a reload of the ASA5505 in the remote location, and then it starts to work normally (I can't do a reload on the 5510, as it would break the connection with the rest of remote locations).
The only clue I have is that it can affect only one of the several IPSec SAs of the IKE session while the rest of the SAs of that session keep on working and, when failing, the data rekey lifetime of that IPSec SA is 0 KB:
WORKING SA:
IPSec:
Session ID : 2
Local Addr : X.X.X.X/255.255.255.0/0/0
Remote Addr : X.X.X.X/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 18401 Seconds
Rekey Int (D): 3825000 K-Bytes Rekey Left(D): 3824715 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 22570303 Bytes Rx : 35752322
Pkts Tx : 490855 Pkts Rx : 408700
FAILING SA:
IPSec:
Session ID : 3
Local Addr : X.X.X.X/255.255.255.0/0/0
Remote Addr : X.X.X.X/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 14862 Seconds
Rekey Int (D): 3825000 K-Bytes Rekey Left(D): 0 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 67264 Bytes Rx : 0
Pkts Tx : 1051 Pkts Rx : 0
This led me to notice that, even when both the 5510 and the 5505 have the same traffic-volume lifetime settings for the SA, the Rekey Data interval of the SAs is different between the 5505 and the 5510 (4275000 KB for the 5505 and 3825000 KB for the 5510 for the default setting of 4608000 KB; I tried changing this value to 5000000 in both devices and their new intervals were also different between them). I don't know if it has something to do with my problem, but it seems quite odd.
I've looked for a solution in manuals and also browsed the Internet but with no result, so I would be very grateful if someone could give me some advice.
Thanks and regards
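The failing-SA signature in the post above (Rekey Left(D) of 0 K-Bytes together with Pkts Rx of 0 while Pkts Tx is non-zero) can be checked automatically from the same output. The following is an added example, not code from the original post or from Cisco: a Python parser for the per-SA blocks shown above that flags any SA matching that signature. The sample text is constructed from the two blocks quoted in the post (addresses left as the X.X.X.X placeholders); the field regexes assume the layout exactly as shown there and nothing about other ASA versions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two IPSec SA blocks quoted in the post above,
# one working (Session ID 2) and one failing (Session ID 3).
SAMPLE_OUTPUT = """\
IPSec:
Session ID : 2
Local Addr : X.X.X.X/255.255.255.0/0/0
Remote Addr : X.X.X.X/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 18401 Seconds
Rekey Int (D): 3825000 K-Bytes Rekey Left(D): 3824715 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 22570303 Bytes Rx : 35752322
Pkts Tx : 490855 Pkts Rx : 408700
IPSec:
Session ID : 3
Local Addr : X.X.X.X/255.255.255.0/0/0
Remote Addr : X.X.X.X/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 14862 Seconds
Rekey Int (D): 3825000 K-Bytes Rekey Left(D): 0 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 67264 Bytes Rx : 0
Pkts Tx : 1051 Pkts Rx : 0
"""


@dataclass
class IpsecSa:
    session_id: int
    local: str
    remote: str
    rekey_left_sec: int
    rekey_int_kb: int
    rekey_left_kb: int
    bytes_tx: int
    bytes_rx: int
    pkts_tx: int
    pkts_rx: int


# One regex per field, matching the "Label : value" layout in the post.
FIELD_PATTERNS = {
    "session_id": r"Session ID\s*:\s*(\d+)",
    "local": r"Local Addr\s*:\s*(\S+)",
    "remote": r"Remote Addr\s*:\s*(\S+)",
    "rekey_left_sec": r"Rekey Left\(T\)\s*:\s*(\d+)",
    "rekey_int_kb": r"Rekey Int \(D\)\s*:\s*(\d+)",
    "rekey_left_kb": r"Rekey Left\(D\)\s*:\s*(\d+)",
    "bytes_tx": r"Bytes Tx\s*:\s*(\d+)",
    "bytes_rx": r"Bytes Rx\s*:\s*(\d+)",
    "pkts_tx": r"Pkts Tx\s*:\s*(\d+)",
    "pkts_rx": r"Pkts Rx\s*:\s*(\d+)",
}


def parse_ipsec_sas(text):
    """Split the output on each 'IPSec:' header and parse one SA per block."""
    sas = []
    for block in re.split(r"^IPSec:[ \t]*$", text, flags=re.M)[1:]:
        fields = {}
        for name, pattern in FIELD_PATTERNS.items():
            m = re.search(pattern, block)
            if m is None:
                raise ValueError(f"field {name!r} missing from SA block")
            value = m.group(1)
            fields[name] = value if name in ("local", "remote") else int(value)
        sas.append(IpsecSa(**fields))
    return sas


def diagnose(sa):
    """Return the symptoms from the post that this SA exhibits (empty if healthy)."""
    problems = []
    if sa.rekey_int_kb > 0 and sa.rekey_left_kb == 0:
        problems.append("data rekey lifetime exhausted (Rekey Left(D) = 0 KB)")
    if sa.pkts_tx > 0 and sa.pkts_rx == 0:
        problems.append("one-way traffic (Pkts Tx > 0, Pkts Rx = 0)")
    return problems


def find_failing_sas(text):
    """Map Session ID -> list of symptoms for every SA that shows at least one."""
    result = {}
    for sa in parse_ipsec_sas(text):
        symptoms = diagnose(sa)
        if symptoms:
            result[sa.session_id] = symptoms
    return result


if __name__ == "__main__":
    for session_id, symptoms in find_failing_sas(SAMPLE_OUTPUT).items():
        print(f"Session {session_id}: " + "; ".join(symptoms))
```

Feed it the saved output of the session detail command from both ends of the tunnel; an SA flagged on one side but clean on the other is the one to compare with `show crypto ipsec sa` on each unit, as suggested further down the thread.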
03-10-2010 11:03 AM
Hello,
I have the same problem starting 5 March on two remote ASA5505 boxes. The central hub is a Cisco Router (28xx), owned by the ISP.
Troubleshooting so far with the ISP indicates that on their end there were no changes and everything looks okay.
On our end there were no changes as well.
I am running 8.2.1 on the ASA5505; which version are you running?
Many thanks and regards,
Frank
03-10-2010 02:25 PM
Are your tunnels bidirectional?
Did you try to initiate the tunnel from the other end?
Can you just try to use the lifetime instead of the amount of data? I also remember seeing some issues using the same lifetime for all tunnels. I think you probably have the same lifetime of 28800 seconds for all the tunnels. So that may not be an issue in your case, but it is worth changing the lifetime for the problem tunnel.
When you have the problem what does your sh crypto isakmp sa and sh crypto ipsec sa show for that tunnel on both ASA units?
Thanks
Sarat
03-12-2010 01:40 PM
I have the exact same issue on 8.2 and about to downgrade back to 8.0 version. The tunnel comes up fine, shows up on both ends. I ping a host on the ASA running 8.2 and I can see the traffic being decrypted but nothing ever comes back over. I've seen others with this issue as well, all running 8.2...
05-13-2011 11:33 AM
Did you find a fix for this?
05-13-2011 11:39 AM
Dear Jesse,
Yep, we solved it. It was a caveat in all pre-8.2.2.16 ASA firmware.
Sent from my iPhone 4
On 13 May 2011 at 20:34, "jesse.zepeda" wrote:
Frank van Breugel,
A new message was posted in the Discussion thread "Rekey data left of 0KB in ASA 5505-5510 seems to make IPSec SA fail":
https://supportforums.cisco.com/message/3357244#3357244
Author : jesse.zepeda
Profile : https://supportforums.cisco.com/people/jesse.zepeda
Message:
05-17-2011 03:42 PM
Hi Jesse,
Here it is, sorry for the delay.
CSCtb53186 Duplicate ASP crypto table entry causes firewall to not encrypt traffic
Kind regards,
Frank van Breugel
Technical Consultant
E f.vanbreugel@caase.com
M 06-12092679
The Corridor
Hengelosestraat 525
7521 AG Enschede
Postbus 783
7500 AT Enschede
T 088-432 00 00
I www.caase.com
05-25-2011 12:05 PM
Does the version upgrade need to be applied to the head-end firewall (5510) or the remote firewall (5505)? I may be having this same issue, but it only affects VPN connections from ASA firewalls and not from PIX firewalls, so I was thinking it would have to do with the 5505 code. Except that I see two ISAKMP SAs on the corporate side, one showing rekey. I hadn't checked the ASP table or looked to see if the data was at 0 KB.
The reason I ask which device needs to be running the fixed version is that our head-end firewall is already running 8.3(2) which is in the fixed version list. We are running 8.2(2)22 on our remote ASA5505 firewalls which are the only ones that are having the issue.
Thanks,
Mark
09-29-2011 02:23 PM
Had this issue tonight.
Thanks to the forum, I know why, and how to fix it.