cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
783
Views
0
Helpful
4
Replies
rooland12
Beginner

Site-to-Site VPN tunnel in ASA 5520

Hello everyone,

I've got a problem,We are having site-to-site VPN tunnel connected with our Client. Usuall the users connect  remote virtual desktop(may be Vmware) through the L2L tunnel. The problem is that the remote desktop gets disconnect intermittently(around 4 to 5 times a day) and automatically reconnects after around 40Seconds or so. I can't find any problem with the L2L tunnel as it is showing up for the last 6 hours or so.Also there is no packet drops(RTO) when I ping the peer IP.

If anyone have any idea whats going on please let me know.

  .

Thanks.

4 REPLIES 4
Michael Schueler
Cisco Employee

Hello Rooland,

This is hard to tell without further data. One possibility might be, that the ASA connection timeout, which is 1 hour by default, kicks in, if the remote virtual desktop connections within the tunnel are idle for a long time (i.e. >1 hour).

Please find further information on default timeouts on ASA and how to modify them here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870

As a first test, I would propose to increase the connection timeout for the remove virtual desktop connections only via MPF using the "set connection timeout idle" command as described here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1080774

As new timeout, I would select a value larger the time after which you see connections dropping now.

Further useful commands to troubleshoot this would be "show conn" and "show local-host":

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s2.html#wp1396672

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s4.html#wp1487299

If the above doesn't help, I would recommend to open a TAC case, as we would need to look into simultaneous captures from the client, the client-side ASA and the server-side ASA plus syslogs from both ASAs next.

Regards,

Michael

Reyad Safi
Beginner

Hi

just i want to ask if you use static or dynamic public IP address


Hi Michael,

Thanks for the response. I may be wrong but I think there should be no problem with connection timeout value as the problem occurs even during active work is going on.When the remote desktop connectivity is lost, there is a slight pause (a frozen desktop or delay) then pop up message "connectivity lost trying to reconnect" .

@ Reyad we are using static IP address(for the Peer IP)

Regards,

Rooland

Hi Rooland,

I agree, if the issue occurs even while users are actively working on the remote desktop this is very unlikely a timeout issue.

As such, we would need to look into simultaneous packet captures and syslogs from both tunnel endpoints and the client now. I would thus recommend to open a TAC case regarding this. When opening the case, please upload the following data:

  • "show tech" output from both tunnel endpoints
  • Detailed topology diagram including the test client and server, both tunnel endpoints and IP addresses of all devices on all relevant interfaces
  • Simultaneous packet captures from the test client and the "inside" interface of both ASAs, collected while the issue occurs
  • Syslogs at debugging level from both ASAs from the same time period as the packet capture

Please find further information on packet captures on ASA here:

https://supportforums.cisco.com/docs/DOC-1222

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

If you are unsure on how to collect the captures exactly, the TAC engineer will provide further guidance.

Regards,

Michael

Create
Recognize Your Peers
Content for Community-Ad