11-11-2010 11:14 AM
Hello-
I have tunnels created between a main site and (2) remote locations. One site has an ASA 5505 with 8.2(3) IOS, the other 8.2(1). Main site is running 8.2(3) also. I can get the tunnels to negotiate; however, after about 2-4 hrs one location will drop and cannot reconnect until a reload has been performed. Also, it is not always the same location. Any idea what could cause a tunnel to drop after it has been established and functional for a few hours?
11-11-2010 12:16 PM
Hi Rich,
If the tunnel is idle for a period of time (no traffic passing through) the ASAs will drop the Security Associations associated with the tunnel.
This is called the lifetime and is a normal process for IPsec. Check the lifetime with "sh run cry isa" and "sh run cry ipse".
Also, if one site loses Internet, the VPN will drop on that site causing communication problems.
To avoid this problem, DPD can be configured.
Hope it helps.
Federico.
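As an added example (not configuration from anyone in this thread), here is what the lifetime and DPD settings Federico refers to look like on an ASA running 8.2 syntax. The peer address 12.52.236.50 and the remote network 10.78.0.0 are taken from later posts in the thread; the local LAN 192.168.1.0/24, the crypto map and ACL names, the transform-set name and the pre-shared-key placeholder are assumptions chosen for illustration.

```cisco
! Added example, not the thread's configuration. Assumes peer 12.52.236.50 (from the
! thread), local LAN 192.168.1.0/24 and remote LAN 10.78.0.0/16 (assumptions), 8.2 syntax.
!
! Phase 1 (ISAKMP): the policy lifetime must be the same on both ends (seconds; 86400 = 24 h).
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Phase 2 (IPsec): the SA lifetime should also match on both ends. It can be set globally ...
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! ... or per crypto map entry, which overrides the global value for that peer only.
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.78.0.0 255.255.0.0
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 12.52.236.50
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
!
! DPD (Dead Peer Detection): after 10 s without traffic from the peer, send a keepalive and
! retry every 2 s; if the peer never answers, the SAs are torn down and renegotiated instead
! of lingering half-dead until the lifetime expires.
tunnel-group 12.52.236.50 type ipsec-l2l
tunnel-group 12.52.236.50 ipsec-attributes
 pre-shared-key CHANGE-ME
 isakmp keepalive threshold 10 retry 2
```

The mirror-image configuration goes on the other peer (swap the peer address and the two networks in the ACL). Check both ends with "sh run cry isa", "sh run cry ipse" and "sh run tunnel-group": the lifetimes should match, and DPD only helps if neither side has "isakmp keepalive disable" under its tunnel-group.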
11-11-2010 12:54 PM
The tunnel is not idle when the disconnect occurs, and the internet is not dropping. I have a ping set on the WAN interface as well as the lan (internal ip). The internal ip will stop responding, and the external ip will not skip a beat. I also start receiving these error messages: "Removing peer from peer table failed, no match!" and "Error: Unable to remove PeerTblEntry" and constant "IKE Initiator: New Phase 1, Intf inside, IKE Peer 12.234.180.226 local Proxy Address 0.0.0.0, remote Proxy Address 10.78.0.0". If I remove all tunnel info from both locations and recreate, reload, it will establish, but after a few hours it will disconnect again. My other tunnel seems to be stable and has not dropped as of yet (at least 24 hrs). Is there any other info you might need to help? I appreciate the efforts..thanks!
11-11-2010 01:04 PM
Rich,
The problem seems to be definitely with the VPN itself and not with the connection then...
What is the status of the tunnel when it goes down (silly question), but I mean what's the output of "sh cry is sa"?
Do you have the same lifetime values on both ends of the tunnel?
Re-keying should not cause trouble but to be on the safe side make sure both values are the same.
Question...
When the problem happens, if you don't delete all the config and recreate it but instead just clear the SAs and send interesting traffic... does the tunnel try to initiate?
Federico.
11-11-2010 02:00 PM
Federico-
First, thanks for all your help. Since last reload, I have not seen the tunnel drop, but I will try the show cmd and post the results if and when the situation arises again. How would I go about clearing SAs and sending interesting traffic? Thanks...
11-11-2010 02:04 PM
Rich,
To clear the phase 1 SAs between the ASAs: "clear cry isa sa". To clear the phase 2 IPsec SAs between the ASAs: "clear cry ips sa".
The above commands will clear all IKE/IPsec SAs... so you can just clear the SA for the peer you're interested in: "clear cry ips sa peer x.x.x.x".
To send interesting traffic just initiate a connection through the tunnel to the other end.
This will trigger IPsec negotiations and will attempt to establish the tunnel again.
Federico.
11-12-2010 08:06 AM
Federico,
I upgraded my main site to 8.2(3) just so all ASAs were running the same IOS (ASDM updated as well). After reload, both tunnels connected and all seemed well. I was unable to obtain output of "sh cry is sa" because the IT manager I am dealing with has just gotten used to reloading the ASA to reconnect. I have checked the lifetime values and they all match. I will try to get the output of the sh cry is sa command to you today and again thanks for all your help.
11-12-2010 03:24 PM
Federico,
I was able to run the command and here is the output from it after the tunnel disconnected:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 12.184.187.130
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 12.52.236.50
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
11-13-2010 07:03 AM
Hi Rich,
From the below output it seems like the Phase 1 is up though VPN is not passing traffic. Please enable logging on your ASAs to a syslog server, at debugging level preferably.
Then when the VPN tunnel goes down, you should be able to see some logs/error messages on the server from that time. Please capture those and post them here. Also, if possible, when the VPN tunnel goes down, please enable "debug cry isa 127" and "debug cry ips 127" and post the output here prior to reloading the ASA.
Let me know how it goes!!
Regards,
Prapanch
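As an added example (not configuration from anyone in this thread), this is the logging setup Prapanch asks for, together with the commands to run on the ASA while the tunnel is down and before anyone reloads it. The syslog server address 192.168.1.50 on the inside interface and the buffer size are assumptions; the peer address 12.52.236.50 is one of the peers shown in the "sh cry is sa" output above.

```cisco
! Added example, not the thread's configuration. Assumes a syslog server at 192.168.1.50
! reachable through the inside interface (assumption); peer 12.52.236.50 is from the thread.
!
! Send everything up to debugging level to the syslog server, and keep a local copy in the
! buffer so the messages survive even if the server is across the tunnel that just dropped.
logging enable
logging timestamp
logging buffer-size 1048576
logging buffered debugging
logging host inside 192.168.1.50
logging trap debugging
!
! When the tunnel is down, capture state and a fresh negotiation attempt before reloading:
show crypto isakmp sa
show crypto ipsec sa peer 12.52.236.50
debug crypto isakmp 127
debug crypto ipsec 127
! ... send interesting traffic (e.g. ping a host behind the peer), copy the console output ...
no debug all
show logging
```

Level 127 debugs are verbose and cost CPU on a 5505, so turn them off with "no debug all" as soon as one failed negotiation has been captured. Compare the Phase 2 "show crypto ipsec sa peer" output with the "sh cry is sa" output above: an ISAKMP SA in MM_ACTIVE with no matching IPsec SA (or with IPsec SAs whose encap/decap counters stop moving) is what "Phase 1 up but no traffic passing" looks like on the box.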