Site-to-site VPN between ASA-5506-X and Meraki is dropping connection

ArvindP (Level 1)

Hello,

We have a site-to-site IKEv1 VPN configured between our ASA-5506-X and a Meraki MX64.

It's been working fine for a while, but the connection started dropping recently at random times. I already opened a ticket with Meraki and they ended up saying that the ASA is sending a "Close the connection" message to Meraki.

Our ASA is currently running on 9.5(1).

We have already ruled out any internet connection issues from both offices.

Any idea what else we should be looking into?

I included a sample of our log from the ASA.

Thanks!

6 Replies

Check the IPsec lifetime on both sides; I think the ASA lifetime is less than that of the Meraki.
https://documentation.meraki.com/MX/Site-to-site_VPN/IPsec_VPN_Lifetimes

Sheraz.Salim (VIP Alumni)

The log information provided is not enough. Are you running IKEv1 on both sides? If the answer is yes, make sure your Phase 1 lifetime setting and Phase 2 lifetime setting are the same.

In case they are not the same (say, for example, the IKEv1 Phase 1 lifetime is different on the two routers/firewalls), the lower lifetime value wins, but when it comes to rekeying this is where the problem occurs, as happened in your case.
please do not forget to rate.

Yes, both sides are running IKEv1. The lifetime on the Meraki is configured for 28800 seconds for both phase 1 and phase 2.

I'm not really sure how to check the lifetime of phase 1 and phase 2 on the ASA, but this is what I see in the config:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800

Could you confirm what PFS values you have set on your side?

show run all crypto map

please do not forget to rate.

This is what I have:

ws-5506x# show run all crypto map
crypto map shaw_map 1 match address shaw_cryptomap
crypto map shaw_map 1 set connection-type bi-directional
crypto map shaw_map 1 set peer X.X.X.X
crypto map shaw_map 1 set ikev1 phase1-mode main
crypto map shaw_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
no crypto map shaw_map 1 set tfc-packets
crypto map shaw_map interface shaw
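The lifetime comparison the replies ask for, written out as an added example that is not part of the thread and not Cisco's or the poster's code. It pulls the phase 1 and phase 2 lifetimes out of an ASA config fragment built from the crypto ikev1 policy and crypto map lines quoted in the two posts above and checks them against the Meraki values the poster gave. The two global crypto ipsec security-association lifetime lines in the fragment are an assumption (they are the ASA defaults, which apply when the crypto map sets no override), as are the default constants and all function names.

```python
"""Compare the IKEv1 phase 1 and IPsec phase 2 lifetimes on an ASA with the
values configured on the Meraki side.

Added example for this thread, not the poster's or Cisco's code.  The
``crypto ikev1 policy 10`` block and the crypto map lines are the ones quoted
in the thread; the two global ``crypto ipsec security-association lifetime``
lines are an assumption (the ASA defaults).  Peer addresses stay masked.
"""
import re

# ASA defaults used when the config does not state a value.
ASA_DEFAULT_IKEV1_SECONDS = 86400
ASA_DEFAULT_IPSEC_SECONDS = 28800
ASA_DEFAULT_IPSEC_KILOBYTES = 4608000

# Constructed ``show run all`` fragment (see module docstring).
ASA_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 28800
crypto map shaw_map 1 match address shaw_cryptomap
crypto map shaw_map 1 set peer X.X.X.X
crypto map shaw_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-256-SHA
crypto map shaw_map interface shaw
"""

# Lifetimes the poster reported for the Meraki MX64.
MERAKI = {"phase1_seconds": 28800, "phase2_seconds": 28800}

GLOBAL_RE = re.compile(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)")


def parse_asa_lifetimes(config):
    """Extract the lifetimes that govern the tunnel on the ASA.

    Phase 1 is the ``lifetime`` line of each ``crypto ikev1 policy`` block.
    Phase 2 is the global ``crypto ipsec security-association lifetime``
    unless a crypto map entry sets its own override.  Defaults fill in any
    value the config leaves unstated.  Works on indented ``show run`` output
    and on an unindented paste like the one in the thread.
    """
    phase1, overrides, policy = {}, {}, None
    seconds, kilobytes = ASA_DEFAULT_IPSEC_SECONDS, ASA_DEFAULT_IPSEC_KILOBYTES
    for line in config.splitlines():
        if line.startswith("crypto ikev1 policy "):
            policy = int(line.split()[-1])
            phase1.setdefault(policy, ASA_DEFAULT_IKEV1_SECONDS)
            continue
        if line.startswith("crypto "):
            policy = None  # any other top-level crypto line ends the policy block
        if policy is not None:
            m = re.match(r"\s*lifetime (\d+)\s*$", line)
            if m:
                phase1[policy] = int(m.group(1))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            if m.group(1) == "seconds":
                seconds = int(m.group(2))
            else:
                kilobytes = int(m.group(2))
            continue
        m = MAP_RE.match(line)
        if m:
            overrides[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return {"phase1": phase1, "phase2_seconds": seconds,
            "phase2_kilobytes": kilobytes, "map_overrides": overrides}


def compare_lifetimes(asa, meraki):
    """Return findings as strings; an empty list means both phases agree."""
    findings = []
    for policy, secs in sorted(asa["phase1"].items()):
        if secs != meraki["phase1_seconds"]:
            findings.append(f"phase 1 policy {policy}: ASA {secs}s vs Meraki "
                            f"{meraki['phase1_seconds']}s (lower value wins)")
    # The thread has a single crypto map entry, so at most one override applies.
    asa_p2 = next(iter(asa["map_overrides"].values()), asa["phase2_seconds"])
    if asa_p2 != meraki["phase2_seconds"]:
        findings.append(f"phase 2: ASA {asa_p2}s vs Meraki "
                        f"{meraki['phase2_seconds']}s (lower value wins)")
    return findings


def seconds_until_kilobyte_limit(kilobytes, bytes_per_second):
    """Seconds until the volume lifetime trips at a steady rate.

    The phase 2 SA rekeys on whichever of the time or the volume limit is hit
    first, so the kilobyte value has to be checked next to the seconds value.
    """
    return kilobytes * 1024 / bytes_per_second


if __name__ == "__main__":
    asa = parse_asa_lifetimes(ASA_CONFIG)
    for finding in compare_lifetimes(asa, MERAKI) or ["lifetimes agree on both phases"]:
        print(finding)
    # Rate taken from the 113019 line in the thread: 431325 bytes sent in 2h48m32s.
    rate = 431325 / (2 * 3600 + 48 * 60 + 32)
    hours = seconds_until_kilobyte_limit(asa["phase2_kilobytes"], rate) / 3600
    print(f"at {rate:.1f} B/s the volume lifetime would trip after ~{hours:.0f} h")
```

On a real box the input would be the output of show run all crypto (which includes the ipsec, ikev1 and crypto map sections). The kilobyte check is there because a phase 2 SA rekeys on whichever of the time or volume limit trips first, so matching the seconds value alone is not enough; at the traffic rate in the posted log the volume limit is nowhere near, but a busy tunnel with a low kilobyte lifetime rekeys long before 28800 seconds.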

Hi, I went through your logs again and had a good look.

I noted there is a syslog message "Reason: Lost Service".

%ASA-vpn-3-713123: Group = X.X.X.X, IP = X.X.X.X, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
%ASA-vpn-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCD391451) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x0D5A7296) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCB8D2F7A) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x54D74A49) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-5-713259: Group = X.X.X.X, IP = X.X.X.X, Session is being torn down. Reason: Lost Service
%ASA-auth-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:48m:32s, Bytes xmt: 431325, Bytes rcv: 358740, Reason: Lost Service
%ASA-session-6-302014: Teardown TCP connection 2045544 for shaw:192.168.1.10/51715 to inside:192.1

Are you sure you have no internet congestion and the line (internet line) is healthy?

Here, have a look at this link.

Could you post the VPN configuration for your VPN and the remote-side VPN?

please do not forget to rate.
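A small triage of the syslog lines quoted in the reply above, as an added example that is not part of the thread and not Cisco's or the poster's code. It parses each ASA message header, pulls out the SPIs, the teardown reason and the session duration, and reports whether the SAs were dropped after DPD lost contact with the peer and whether that happened before the configured phase 2 lifetime could have elapsed. The log lines are copied from the thread as posted (peer addresses already masked, last line truncated as posted); the message-ID handling, the field names and the verdict text are this example's own.

```python
"""Triage the ASA syslog lines quoted in the thread to see what tore the
LAN-to-LAN session down.

Added example for this thread, not the poster's or Cisco's code.  SAMPLE_LOG
is copied from the thread (peer addresses already masked, last line truncated
as posted); the classification rests only on what the messages themselves say.
"""
import re

SAMPLE_LOG = """\
%ASA-vpn-3-713123: Group = X.X.X.X, IP = X.X.X.X, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
%ASA-vpn-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCD391451) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x0D5A7296) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCB8D2F7A) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x54D74A49) between X.X.X.X and X.X.X.X (user= X.X.X.X) has been deleted.
%ASA-vpn-5-713259: Group = X.X.X.X, IP = X.X.X.X, Session is being torn down. Reason: Lost Service
%ASA-auth-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:48m:32s, Bytes xmt: 431325, Bytes rcv: 358740, Reason: Lost Service
%ASA-session-6-302014: Teardown TCP connection 2045544 for shaw:192.168.1.10/51715 to inside:192.1
"""

HEADER_RE = re.compile(r"^%ASA-(?P<facility>[a-z]+)-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")


def parse_line(line):
    """Split one ASA syslog line into a dict, pulling out the VPN-relevant
    fields (SPI, teardown reason, session duration, DPD keepalive loss)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["msgid"] = int(ev["msgid"])
    text = ev["text"]
    if (spi := re.search(r"SPI= (0x[0-9A-Fa-f]+)", text)):
        ev["spi"] = spi.group(1)
    if (reason := re.search(r"Reason: (.+?)\s*$", text)):
        ev["reason"] = reason.group(1)
    if (dur := re.search(r"Duration: (\d+)h:(\d+)m:(\d+)s", text)):
        ev["duration_s"] = int(dur[1]) * 3600 + int(dur[2]) * 60 + int(dur[3])
    ev["dpd_lost_contact"] = "keepalive type: DPD" in text
    return ev


def triage(log, phase2_lifetime_s):
    """Summarise a burst of VPN log lines around one session teardown.

    phase2_lifetime_s is the configured IPsec SA lifetime, so the summary can
    say whether the session died before that lifetime could have expired.
    """
    events = [e for e in map(parse_line, log.splitlines()) if e]
    dpd = any(e["dpd_lost_contact"] for e in events)
    duration = next((e["duration_s"] for e in events if "duration_s" in e), None)
    summary = {
        "dpd_lost_contact": dpd,
        "sas_deleted": [e["spi"] for e in events if e["msgid"] == 602304],
        "teardown_reason": next((e["reason"] for e in events if e["msgid"] in (713259, 113019)), None),
        "session_seconds": duration,
        "died_before_lifetime": duration is not None and duration < phase2_lifetime_s,
    }
    if dpd and summary["died_before_lifetime"]:
        summary["verdict"] = ("ASA deleted the SAs after DPD lost contact with the peer, "
                              "well inside the configured lifetime; look at peer reachability "
                              "and DPD settings rather than lifetime expiry")
    elif dpd:
        summary["verdict"] = "DPD lost contact with the peer"
    else:
        summary["verdict"] = "no DPD loss in this sample; check rekey/lifetime messages"
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, 28800).items():
        print(f"{key}: {value}")
```

For the sample in the thread this reports a session of 2h48m32s, four SAs deleted and "Lost Service" as the reason, with the 713123 DPD message coming first; since 10112 seconds is well short of the 28800-second lifetime both sides are configured with, this particular drop is a dead-peer-detection failure rather than a rekey at lifetime expiry, which is why the reply asks about the health of the internet line.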