Site to site vpn tunnel disconnecting

rslodkowski
Level 1

Hello-

I have tunnels created between a main site and (2) remote locations. One site has ASA 5505 with 8.2(3) IOS, the other 8.2(1). Main site is running 8.2(3) also. I can get the tunnels to negotiate, however, after about 2-4 hrs one location will drop and cannot reconnect until a reload has been performed. Also, it is not always the same location. Any idea what could cause a tunnel to drop after it has been established and functional for a few hours?

8 Replies

Hi Rich,

If the tunnel is idle for a period of time (no traffic passing through) the ASAs will drop the Security Associations associated with the tunnel.

This is called the lifetime and is a normal process for IPsec. Check the lifetime with ''sh run cry isa'' and ''sh run cry ipse''

Also, if one site loses Internet, the VPN will drop on that site causing communication problems.

To avoid this problem, DPD can be configured.

Hope it helps.

Federico.

The tunnel is not idle when the disconnect occurs, and the internet is not dropping. I have a ping set on the WAN interface as well as the LAN (internal IP). The internal IP will stop responding, and the external IP will not skip a beat. I also start receiving these error messages: "Removing peer from peer table failed, no match!" and "Error: Unable to remove PeerTblEntry" and constant "IKE Initiator: New Phase 1, Intf inside, IKE Peer 12.234.180.226 local Proxy Address 0.0.0.0, remote Proxy Address 10.78.0.0". If I remove all tunnel info from both locations and recreate, reload, it will establish, but after a few hours it will disconnect again. My other tunnel seems to be stable and has not dropped as of yet (at least 24 hrs.). Is there any other info you might need to help? I appreciate the efforts. Thanks!

Rich,

The problem seems to be definitely with the VPN itself and not with the connection then...

What is the status of the tunnel when it goes down (silly question)? I mean, what's the output of ''sh cry is sa''?

Do you have the same lifetime values on both ends of the tunnel?

Re-keying should not cause trouble but to be on the safe side make sure both values are the same.

Question...

When the problem happens, if you don't delete all the config and recreate it but instead just clear the SAs and send interesting traffic... does the tunnel try to initiate?

Federico.

Federico-

First, thanks for all your help. Since last reload, I have not seen the tunnel drop, but I will try the show cmd and post the results if and when the situation arises again. How would I go about clearing SAs and sending interesting traffic? Thanks...

Rich,

To clear the phase 1 SAs between the ASAs: ''clear cry isa sa''. To clear the phase 2 IPsec SAs between the ASAs: ''clear cry ips sa''.

The above commands will clear all IKE/IPsec SAs... so you can just clear the SA for the peer you're interested in with ''clear cry ips sa peer x.x.x.x''.

To send interesting traffic just initiate a connection through the tunnel to the other end.

This will trigger IPsec negotiations and will attempt to establish the tunnel again.

Federico.

Federico,

I upgraded my main site to 8.2(3) just so all ASAs were running the same IOS (ASDM updated as well). After reload, both tunnels connected and all seemed well. I was unable to obtain output of "sh cry is sa" because the IT manager I am dealing with has just gotten used to reloading the ASA to reconnect. I have checked the lifetime values and they all match. I will try to get the output of the "sh cry is sa" command to you today, and again thanks for all your help.

Federico,

I was able to run the command and here is the output from it after the tunnel disconnected:

Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 12.184.187.130
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 12.52.236.50
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Hi Rich,

From the below output it seems like the Phase 1 is up though VPN is not passing traffic. Please enable logging on your ASAs to a syslog server at debugging level preferably.

Then when the VPN tunnel goes down, you should be able to see some logs/error messages on the server from that time. Please capture those and post them here. Also, if possible, when the VPN tunnel goes down, please enable "debug cry isa 127" and "debug cry ips 127" and post it here prior to reloading the ASA.

Let me know how it goes!!

Regards,

Prapanch
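The two pieces of evidence this thread relies on are the ''sh cry is sa'' output Rich posted and the syslog messages he quoted earlier ("Removing peer from peer table failed, no match!" and "Unable to remove PeerTblEntry"). The script below is an added example, not code from the thread or from Cisco: it parses the ASA 8.2 ''show crypto isakmp sa'' listing into per-peer records, reports expected peers that are missing or not in MM_ACTIVE, and flags the syslog lines from the thread in a log feed. The sample output is copied from Rich's post; the syslog lines and the peer 10.0.0.1 are constructed for illustration. As Prapanch notes, Phase 1 showing MM_ACTIVE does not prove traffic is passing, so the Phase 1 check is a starting point, not a verdict on the tunnel.

```python
import re
from dataclasses import dataclass

# Output of "sh cry is sa" as posted in the thread (ASA 8.2).
SAMPLE_OUTPUT = """\
Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 12.184.187.130
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 12.52.236.50
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed syslog lines (not from a real device); the message texts are
# the ones Rich quoted in the thread.
SAMPLE_SYSLOG = [
    "Jan 01 10:00:01 asa-main %ASA-6-302013: Built inbound TCP connection",
    "Jan 01 10:04:12 asa-main Removing peer from peer table failed, no match!",
    "Jan 01 10:04:12 asa-main Error: Unable to remove PeerTblEntry",
    "Jan 01 10:04:13 asa-main IKE Initiator: New Phase 1, Intf inside, IKE Peer 12.234.180.226",
]

# Substrings that, in this thread, appeared every time the tunnel fell over.
TUNNEL_ERROR_PATTERNS = (
    "Removing peer from peer table failed, no match!",
    "Unable to remove PeerTblEntry",
)


@dataclass
class IkeSa:
    peer: str
    sa_type: str  # L2L for a site-to-site tunnel
    role: str     # initiator / responder
    rekey: str    # "no" unless a rekey is in progress
    state: str    # MM_ACTIVE means Phase 1 (main mode) is established


PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
KV_RE = re.compile(r"(\w+)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Parse `show crypto isakmp sa` (ASA 8.x format) into IkeSa records."""
    entries = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            if current:
                entries.append(IkeSa(**current))
            current = {"peer": m.group(1), "sa_type": "", "role": "",
                       "rekey": "", "state": ""}
            continue
        if current is None:
            continue  # header lines (Active SA / Rekey SA / Total IKE SA)
        for key, value in KV_RE.findall(line):
            key = key.lower()
            if key == "type":
                current["sa_type"] = value
            elif key in ("role", "rekey", "state"):
                current[key] = value
    if current:
        entries.append(IkeSa(**current))
    return entries


def check_tunnels(text, expected_peers):
    """Map each unhealthy expected peer to a reason; empty dict means Phase 1 looks up."""
    sas = {sa.peer: sa for sa in parse_isakmp_sa(text)}
    problems = {}
    for peer in expected_peers:
        sa = sas.get(peer)
        if sa is None:
            problems[peer] = "no IKE SA (Phase 1 down)"
        elif sa.state != "MM_ACTIVE":
            problems[peer] = f"IKE SA in state {sa.state}"
    return problems


def find_tunnel_errors(log_lines):
    """Return the syslog lines that carry the peer-table errors from the thread."""
    return [line for line in log_lines
            if any(pat in line for pat in TUNNEL_ERROR_PATTERNS)]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(sa)
    print(check_tunnels(SAMPLE_OUTPUT, ["12.184.187.130", "12.52.236.50", "10.0.0.1"]))
    for line in find_tunnel_errors(SAMPLE_SYSLOG):
        print("ALERT:", line)
```

Run it against a fresh ''sh cry is sa'' capture and the syslog feed Prapanch asked for; when the tunnel drops, correlate the timestamps of the flagged lines with the state of the affected peer so the debug output can be gathered before anyone reloads the ASA.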