Site to Site VPN Timeout

forrestaiq
Level 1

We have a VPN between an ASA 5505 and an ASA 5512-X. We mainly use this tunnel for remote work (SSH, X forwarding, etc.), but 2 to 3 times daily all user SSH sessions will time out. All users connect to different hosts, and if they use the SSL VPN, the timeout never happens.

Our VPN tunnel is configured with IKEv2, AES-256. Keepalives are monitored with a confidence interval of 10 sec and a retry interval of 2 sec.

I'm not sure what causes this timeout; any ideas on where to start looking?

7 Replies

Jouni Forss
VIP Alumni

Hi,

Maybe the L2L VPN connection's lifetime (seconds/kilobytes) is reaching its end, and after that, when the ASA gets new session keys/security association for the existing L2L VPN connection, it might cause an interruption of the connections through that L2L VPN.

You can either run into the limit that is set in seconds or reach the data amount gone through the tunnel, and the first one reached will trigger the new negotiation on the L2L VPN.

I don't know if this is the thing causing problems, but I have had a couple of cases where too-tight lifetime settings have caused problems for users' TCP connections to the remote site.

You could either be using your global lifetime configuration or the one configured specifically for this L2L VPN connection.

You can also use "show crypto ipsec sa peer " to view some output; it will list the current lifetime in seconds/kilobytes.

As I said, I don't know if this is causing the problems, but it might be one thing worth checking.

- Jouni

Thank you for the response. We currently have 2 hours left on the SA, so I'll check that out and go from there. Ideally, I could change this from 8 hours to 24 hours, reboot a router at, say, 10pm, and then expect a renegotiation after hours regularly, correct?

Hi,

This depends on the amount of data going through the L2L VPN connection. I mean the amount of data transferred through the L2L VPN could trigger the event well before the actual time limit was reached. It of course depends on how much data is passed through the connection. Though I guess by default it would take 4Gb to reach the data limit.

If the data limit is never reached before the time limit, then I would imagine that an 8h limit shouldn't cause such a regular problem.

Are there any other connections through the L2L VPN than the SSH connections? Have you checked what log messages are being given when the connections time out on the ASA?

Also, now that I think of it, I think there is this one command that should preserve the TCP connections in the event that the L2L VPN is temporarily down.

ASA(config)# sysopt connection ?

configure mode commands/options:
  permit-vpn           Exempt VPN traffic from access check
  preserve-vpn-flows   Preserve stateful VPN flows when the tunnel drops
  reclassify-vpn       Reclassify existing flows when VPN tunnels establish
  tcpmss               Set maximum TCP MSS limit, specify keyword minimum to
                       configure minimum TCP MSS limit. Defaults for maximum and
                       minimum limits are 1380 and 0 bytes respectively
  timewait             TCP connection undergoes TIMEWAIT state

- Jouni
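The lifetime check described in the two replies above, as an added example that is not from the thread, the poster's ASA, or Cisco: a small Python script that parses the "sa timing: remaining key lifetime (kB/sec)" lines from "show crypto ipsec sa" output and, given a sustained throughput, predicts whether the kilobyte limit or the seconds limit will trigger the next rekey. The sample output below is constructed for the example; the peer addresses, SPIs, crypto map name and counters are placeholders and the line layout follows the ASA's format. The rekeys_per_day() helper goes slightly beyond the thread: with the ASA defaults of 28800 seconds and 4,608,000 kB, a purely time-triggered rekey recurs three times a day, while a bulk transfer at about 1 MB/s exhausts the volume limit in well under two hours.

```python
"""Parse ASA 'show crypto ipsec sa' output and estimate which IPsec SA
lifetime limit (seconds or kilobytes) will trigger the next rekey."""
import re
from dataclasses import dataclass

# Constructed sample output for this example (not captured from a real
# ASA). Addresses, SPIs, map name and counters are placeholders; the
# 'sa timing' line is the one the parser relies on.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 1830211, #pkts encrypt: 1830211, #pkts digest: 1830211
      #pkts decaps: 1502330, #pkts decrypt: 1502330, #pkts verify: 1502330

    inbound esp sas:
      spi: 0x3A7F11C2 (981471682)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3205120/7200)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC01D5E11 (3223215633)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1312000/7200)
         IV size: 16 bytes
         replay detection support: Y
"""

SECONDS_PER_DAY = 86400
# ASA defaults for the global IPsec SA lifetime.
DEFAULT_LIFETIME_SEC = 28800
DEFAULT_LIFETIME_KB = 4608000


@dataclass
class SaLifetime:
    direction: str      # 'inbound' or 'outbound'
    spi: str            # SPI as printed by the ASA, e.g. 0x3A7F11C2
    remaining_kb: int   # kilobytes left before the volume limit
    remaining_sec: int  # seconds left before the time limit


def parse_sa_lifetimes(text):
    """Return one SaLifetime per ESP SA found in 'show crypto ipsec sa' text."""
    sas = []
    direction = spi = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"(inbound|outbound) esp sas:", s)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"spi: (0x[0-9A-Fa-f]+)", s)
        if m:
            spi = m.group(1)
            continue
        # ASA prints '(kB/sec)'; accept '(k/sec)' too for older formats.
        m = re.search(r"remaining key lifetime \((?:kB|k)/sec\): \((\d+)/(\d+)\)", s)
        if m and direction and spi:
            sas.append(SaLifetime(direction, spi, int(m.group(1)), int(m.group(2))))
    return sas


def predict_rekey(sa, throughput_kb_per_sec):
    """Return (trigger, seconds_until_rekey) for one SA at a sustained rate.

    trigger is 'kilobytes' when the volume budget runs out before the time
    budget, otherwise 'seconds'. Idle SAs always expire on the timer."""
    if throughput_kb_per_sec <= 0:
        return "seconds", sa.remaining_sec
    sec_to_kb_limit = sa.remaining_kb / throughput_kb_per_sec
    if sec_to_kb_limit < sa.remaining_sec:
        return "kilobytes", sec_to_kb_limit
    return "seconds", sa.remaining_sec


def rekeys_per_day(lifetime_sec, lifetime_kb, avg_kb_per_sec):
    """Expected rekeys per day for a full lifetime at an average rate."""
    interval = lifetime_sec
    if avg_kb_per_sec > 0:
        interval = min(interval, lifetime_kb / avg_kb_per_sec)
    return SECONDS_PER_DAY / interval


if __name__ == "__main__":
    for sa in parse_sa_lifetimes(SAMPLE_OUTPUT):
        trigger, secs = predict_rekey(sa, 200)   # 200 kB/s sustained
        print(f"{sa.direction} {sa.spi}: rekey by {trigger} in {secs:.0f}s")
    print("defaults, idle:", rekeys_per_day(DEFAULT_LIFETIME_SEC, DEFAULT_LIFETIME_KB, 10))
    print("defaults, 1 MB/s:", rekeys_per_day(DEFAULT_LIFETIME_SEC, DEFAULT_LIFETIME_KB, 1000))
```

Feed it the real output of "show crypto ipsec sa" (or "show crypto ipsec sa peer" for one tunnel) and a throughput figure from the interface counters; if the outbound SA's kilobyte budget is predicted to run out first, the volume limit, not the 8-hour timer, is what is cutting the sessions. The ASA's per-SA lifetimes can be set globally with "crypto ipsec security-association lifetime seconds" and "crypto ipsec security-association lifetime kilobytes".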

We do send more data than just SSH, but not often. Honestly, I don't know what the other users could be sending back and forth; it could be scp or rsync traffic as well. There was, however, a time when I was rsyncing large files, and the tunnel went down more frequently, so that makes sense.

I see the command you're talking about; how do I invoke it? Do I apply it to the VPN policy? I created these VPNs within ASDM; can I add this option there, or do I just issue the command?

Hi,

I rarely use ASDM to do any configuration. You can do this both in ASDM and the CLI, though.

I checked the ASDM on my ASA, and it seems you have to go here to enable this setting through ASDM:

Configuration -> Site-to-Site VPN -> Advanced -> System Options -> check the box "Preserve stateful VPN flows when the tunnel drops"

Doing the same through the CLI would involve inserting just a single command:

ASA(config)# sysopt connection preserve-vpn-flows

- Jouni

On a side note, I started an rsync to max out our allowed traffic limit, and sure enough, sessions dropped once the limit was reached. I've enabled preservation on both routers and will report back to you.

Thanks a ton for your help.

I assume, obviously, I do this on both routers?