Site-to-Cloud VPN rekey Problems

Dean Romanelli
Level 4

Hi All,

I have an ASA 5505 with a site-to-site VPN tunnel to our cloud-based web-filter provider, which all internet traffic is sent to before it actually goes out to the internet. The VPN tunnel has two peer addresses which go to different geographical cloud nodes for redundancy. I only control my end of the tunnel (ASA 5505). Attached is a drawing depicting what is in place.

What I am finding is that the VPN keeps flipping from the primary UK peer to the backup France peer. When that happens, UK-based users get annoyed and start flooding in tickets because their Google searches come back in French, so I have to go into the ASA and bounce the VPNs manually to renegotiate back to the primary peer. I can say with fair certainty that this is not an idle-timeout problem, because I have NTP polling through this tunnel every 64 seconds, so it is receiving interesting traffic roughly every minute. So that leaves rekeying as the likely culprit.

How can I mitigate this, or at a minimum set an automation script in the ASA to bounce the tunnels at X time daily to force back to primary peer?

2 Replies

Rahul Govindan
VIP Alumni

Do you know why this falls back over to the France tunnel? Usually if the peer is not reachable for 3 attempts of sending the IKE message, it should fall to the backup peer. Even if rekey fails, the ASA is going to expire the existing tunnel and build a new one to the first peer. Only if that fails should it fall to the secondary peer.

That being said, you can use EEM to do a "clear cry isakmp sa" and "clear crypto ipsec sa" at a set interval. Another command is "vpn-sessiondb logoff l2l". An example to clear RA VPN tunnels is here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc7
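The scheduled-clear approach Rahul describes, written out as an ASA EEM applet. This is an added illustration, not configuration from the original thread or from Cisco's documentation; it assumes a release that supports EEM, uses placeholder peer addresses (198.51.100.10 primary, 198.51.100.20 backup) and an arbitrary 03:00:00 maintenance window, all of which you would replace with your own values.

```cisco
! Added example (not part of the original thread): daily tunnel bounce via EEM.
! Assumptions: 198.51.100.10 = primary (UK) peer, 198.51.100.20 = backup (France)
! peer, 03:00:00 = a low-traffic window. All three are placeholders.
!
! Action 1 tears down only the IPsec SAs built toward the backup peer, so a
! tunnel that is already on the primary peer is left alone. Action 2 clears
! every IKE SA on the box (it is not scoped to a peer), which also drops any
! other L2L or remote-access sessions terminated on this ASA; schedule it where
! that is acceptable. With interesting traffic still flowing (NTP every 64 s),
! the ASA renegotiates and tries the peers in the configured order.
event manager applet BOUNCE-L2L-VPN
 description "Nightly rebuild of the site-to-cloud tunnel toward the primary peer"
 event timer absolute time 03:00:00
 action 1 cli command "clear crypto ipsec sa peer 198.51.100.20"
 action 2 cli command "clear crypto isakmp sa"
 output none
!
! Verification after the window (run interactively):
!   show crypto isakmp sa            - IKE SA should now list 198.51.100.10
!   show crypto ipsec sa peer 198.51.100.10
!   show crypto ipsec sa peer 198.51.100.20   - expect no active SAs
```

The applet only masks the symptom; if the tunnel keeps landing on the backup peer between runs, the renegotiation toward the primary is failing for a reason the logs (`debug crypto isakmp`, `show logging`) will show, and that is what needs fixing.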

Hi Rahul,

Thanks for replying. I didn't know rekey will try to reconnect to the first peer each time. Sounds like my cloud provider or the direct ISP is experiencing failures. I will look deeper into that. Thanks.

As for EEM, unfortunately my firewalls are not running ASA 9.2(2)+ code, so EEM is not available to me, but I appreciate the suggestion.