04-06-2020 10:36 AM
Hi,
I have Cisco ASA site to site VPN running with customer hosted on AWS.
ASA<--vpn--->AWS
Customer is having issues with intermittent connectivity issues, when trying to do an SFTP connectivity over VPN.
Saw below msgs from Cisco ASA syslog. The message says-IPSec SA Idle Timeout. Please find the below syslog msgs. Please suggest, what would be causing this issues.
Line 593740: 2020-04-06 04:41:23 Local4.Notice 10.20.56.4 %ASA-5-713050: Group = 209.166.154.156, IP = 209.166.154.156, Connection terminated for peer 209.166.154.156. Reason: IPSec SA Idle Timeout Remote Proxy 172.20.162.0, Local Proxy 10.20.57.0
Line 593752: 2020-04-06 04:41:23 Local4.Debug 10.20.56.4 %ASA-7-715009: Group = 209.166.154.156, IP = 209.166.154.156, IKE Deleting SA: Remote Proxy 172.20.162.0, Local Proxy 10.20.57.0
Line 595432: 2020-04-06 04:41:39 Local4.Debug 10.20.56.4 %ASA-7-714011: Group = 209.166.154.156, IP = 209.166.154.156, ID_IPV4_ADDR_SUBNET ID received--172.20.162.0--255.255.255.0
Line 595433: 2020-04-06 04:41:39 Local4.Debug 10.20.56.4 %ASA-7-713035: Group = 209.166.154.156, IP = 209.166.154.156, Received remote IP Proxy Subnet data in ID Payload: Address 172.20.162.0, Mask 255.255.255.0, Protocol 0, Port 0
Line 595455: Remote subnet: 172.20.162.0 Mask 255.255.255.0 Protocol 0 Port 0
Line 791085: 2020-04-06 05:11:53 Local4.Notice 10.20.56.4 %ASA-5-713050: Group = 209.166.154.156, IP = 209.166.154.156, Connection terminated for peer 209.166.154.156. Reason: IPSec SA Idle Timeout Remote Proxy 172.20.162.0, Local Proxy 10.20.57.0
Line 791097: 2020-04-06 05:11:53 Local4.Debug 10.20.56.4 %ASA-7-715009: Group = 209.166.154.156, IP = 209.166.154.156, IKE Deleting SA: Remote Proxy 172.20.162.0, Local Proxy 10.20.57.0
Line 796123: 2020-04-06 05:12:39 Local4.Debug 10.20.56.4 %ASA-7-714011: Group = 209.166.154.156, IP = 209.166.154.156, ID_IPV4_ADDR_SUBNET ID received--172.20.162.0--255.255.255.0
Line 796124: 2020-04-06 05:12:39 Local4.Debug 10.20.56.4 %ASA-7-713035: Group = 209.166.154.156, IP = 209.166.154.156, Received remote IP Proxy Subnet data in ID Payload: Address 172.20.162.0, Mask 255.255.255.0, Protocol 0, Port 0
Line 796146: Remote subnet: 172.20.162.0 Mask 255.255.255.0 Protocol 0 Port 0
Thanks
Sreeraj
04-06-2020 10:47 AM
Hi,
So the file transfer starts, works, and at some point it stops, and then looking at the ASA you see these messages? Or does the file transfer not actually work at all?
Regards,
Cristian Matei.
04-06-2020 11:00 AM
Thanks for the prompt response.
Actually the connection doesn't establish at all, as per the customer.
Also, I have a log from 2 hrs before saying that the connection was established; see the below log for that. So it says the connection to SFTP is not happening sometimes. Please advise.
Line 102339: 2020-04-06 03:25:56 Local4.Info 10.20.56.4 %ASA-6-302014: Teardown TCP connection 203436973 for OUTSIDE-162.223.163.231:172.20.162.107/50331 to ARP-PROD:10.20.56.51/22 duration 2:00:11 bytes 14091 Tunnel being brought up or torn down
Line 107831: 2020-04-06 03:26:47 Local4.Debug 10.20.56.4 %ASA-7-106100: access-list OUTSIDE-162.223.163.231_access_in permitted tcp OUTSIDE-162.223.163.231/172.20.162.107(52418) -> ARP-PROD/10.20.56.51(22) hit-cnt 1 first hit [0xe32c3e14, 0xc5181ead]
Line 107835: 2020-04-06 03:26:47 Local4.Info 10.20.56.4 %ASA-6-302013: Built inbound TCP connection 204072195 for OUTSIDE-162.223.163.231:172.20.162.107/52418 (172.20.162.107/52418) to ARP-PROD:10.20.56.51/22 (10.20.56.51/22)
Line 110250: 2020-04-06 03:27:11 Local4.Debug 10.20.56.4 %ASA-7-106100: access-list ARP-PROD_access_in denied tcp ARP-PROD/10.20.56.51(22) -> OUTSIDE-162.223.163.231/172.20.162.107(50331) hit-cnt 1 first hit [0x44dc145c, 0x00000000]
04-06-2020 11:17 AM - edited 04-06-2020 11:20 AM
Configure these values:
group-policy nameOfYourPolicy attributes
vpn-idle-timeout none
! The value is for you to choose. If you don't manage your own group-policy, then the firewall will be using the default group policy, in which case you will need to modify that instead:
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
And if you want to verify your current timeout, run the following command and check the IPsec attributes for this particular traffic:
sh vpn-sessiondb detail l2l
04-06-2020 11:31 AM
Thanks, please see the current value and suggest. I believe the timeout value is obtained from the default policy.
group-policy GroupPolicy_209.166.154.156 internal
group-policy GroupPolicy_209.166.154.156 attributes
vpn-tunnel-protocol ikev1
Please guide me on what change should be done. Is this an issue on the Cisco ASA at my end that is causing this?
Is there any change required on remote end ?
04-06-2020 11:38 AM - edited 04-06-2020 11:43 AM
Is your ASA the initiator or the responder?
show crypto isakmp sa
And also post the output of this command:
show run all group-policy GroupPolicy_209.166.154.156
04-06-2020 11:49 AM
show crypto isakmp sa
1 IKE Peer: 209.166.154.156
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 68706
show run all group-policy GroupPolicy_209.166.154.156
group-policy GroupPolicy_209.166.154.156 internal
group-policy GroupPolicy_209.166.154.156 attributes
vpn-tunnel-protocol ikev1
deco-gw-01/ARP/act# show run all group-policy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev1 ikev2
ip-comp disable
group-lock none
pfs disable
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
gateway-fqdn none
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
security-group-tag none
periodic-authentication certificate none
webvpn
homepage none
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface private none
anyconnect firewall-rule client-interface public none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles none
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
group-policy GroupPolicy_209.166.154.156 internal
group-policy GroupPolicy_209.166.154.156 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_170.109.232.2 internal
group-policy GroupPolicy_170.109.232.2 attributes
vpn-tunnel-protocol ikev1
04-06-2020 11:56 AM
Check with the remote side what value they have configured.
Also run debugs:
debug crypto condition peer 209.166.154.156
debug crypto ikev1 protocol 127
debug crypto ikev1 platform 127
debug crypto ipsec 127
04-06-2020 12:03 PM
Thanks. Does the value for the idle timeout need to be checked at the remote side?
This issue is intermittent. The connection establishes sometimes; I see the idle-timeout-related error when the connection doesn't establish.
04-06-2020 12:27 PM
Yes, double-check the setting on the remote side. Also give us the output of the debugs I mentioned earlier.
04-08-2020 08:04 AM
Hi,
Didn't see the issue for the past 2 days, but I did see the idle timeout msg. I am thinking the tunnel will probably pass the interesting traffic again and become active.
Will update the status in coming days. Thanks for the help.
04-10-2020 08:18 AM
Hi Sheraz.Salim,
Just to be doubly sure, I set the idle-timeout to unlimited.
group-policy nameOfYourPolicy attributes vpn-idle-timeout none
Do we need to clear the isakmp, ipsec sa after we make the change to take this into effect ?
Please advise.
Thanks
Sreeraj
04-06-2020 11:25 AM
Hi,
Looks like the traffic is being NAT'ed. Is this expected, or should the VPN traffic be exempted from NAT?
Regards,
Cristian Matei.
04-06-2020 11:31 AM
VPN traffic is NAT exempted.
04-08-2020 10:25 AM
Hi,
Is it running now? I see from your posted outputs that the encryption domain seems to be between 10.20.57.0/24 and 172.20.162.0/24. However, the posted log messages were showing connection attempts to 10.20.56.51, which does not seem to be in the encryption domain. How many ACEs do you have in your encryption ACL?
Regards,
Cristian Matei.
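The two things this thread turns on, the %ASA-5-713050 idle-timeout teardowns and whether the SFTP flows actually sit inside the encryption domain, can be checked mechanically from the syslog. Below is an added Python example (mine, not from the thread or from Cisco) that runs over constructed lines modelled on the posted messages; the 10.20.57.0/24 and 172.20.162.0/24 proxy subnets are taken from the posts, and the per-message regexes are assumptions fitted to the posted format.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample modelled on the ASA syslog lines posted in this thread
# (not a capture from the poster's firewall).
SAMPLE_LOG = """\
2020-04-06 03:26:47 Local4.Info 10.20.56.4 %ASA-6-302013: Built inbound TCP connection 204072195 for OUTSIDE-162.223.163.231:172.20.162.107/52418 (172.20.162.107/52418) to ARP-PROD:10.20.56.51/22 (10.20.56.51/22)
2020-04-06 04:41:23 Local4.Notice 10.20.56.4 %ASA-5-713050: Group = 209.166.154.156, IP = 209.166.154.156, Connection terminated for peer 209.166.154.156. Reason: IPSec SA Idle Timeout Remote Proxy 172.20.162.0, Local Proxy 10.20.57.0
2020-04-06 04:41:39 Local4.Debug 10.20.56.4 %ASA-7-713035: Group = 209.166.154.156, IP = 209.166.154.156, Received remote IP Proxy Subnet data in ID Payload: Address 172.20.162.0, Mask 255.255.255.0, Protocol 0, Port 0
"""

TS = r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"  # leading timestamp, then skip to the message id
RE_TIMEOUT = re.compile(TS + r"%ASA-5-713050: .*?peer ([\d.]+)\. Reason: (.*?) "
                        r"Remote Proxy ([\d.]+), Local Proxy ([\d.]+)")
RE_REBUILD = re.compile(TS + r"%ASA-7-713035: .*?IP = ([\d.]+), .*?Address ([\d.]+), Mask ([\d.]+)")
RE_BUILT = re.compile(TS + r"%ASA-6-302013: Built inbound TCP connection \d+ for "
                      r"\S+:([\d.]+)/\d+ \(.*?\) to \S+:([\d.]+)/(\d+)")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def sa_teardowns(log):
    """One record per 713050 teardown, with the seconds until the same peer next
    re-sent its proxy ID (713035), i.e. roughly how long the tunnel stayed down."""
    lines = log.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = RE_TIMEOUT.match(line)
        if not m:
            continue
        t0, peer, reason, remote, local = m.groups()
        down = None
        for later in lines[i + 1:]:
            r = RE_REBUILD.match(later)
            if r and r.group(2) == peer:
                down = (_ts(r.group(1)) - _ts(t0)).total_seconds()
                break
        events.append({"peer": peer, "reason": reason, "remote_proxy": remote,
                       "local_proxy": local, "seconds_down": down})
    return events

def flows_outside_domain(log, local_net, remote_net):
    """Flag built TCP connections whose endpoints are not inside the local/remote
    proxy subnets, i.e. traffic that would not match the crypto ACL at all."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    bad = []
    for line in log.splitlines():
        m = RE_BUILT.match(line)
        if m:
            _, src, dst, port = m.groups()
            if ipaddress.ip_address(src) not in remote or ipaddress.ip_address(dst) not in local:
                bad.append((src, dst, int(port)))
    return bad
```

Run against a full export, a non-empty result from flows_outside_domain points at the mismatch Cristian describes, while a long seconds_down in sa_teardowns shows how much of each outage the idle timeout accounts for.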