Site-to-Site VPN tunnel in ASA 5520

rooland12
Level 1

Hello everyone,

I've got a problem. We are having a site-to-site VPN tunnel connected with our client. Usually the users connect to a remote virtual desktop (maybe VMware) through the L2L tunnel. The problem is that the remote desktop gets disconnected intermittently (around 4 to 5 times a day) and automatically reconnects after around 40 seconds or so. I can't find any problem with the L2L tunnel as it is showing up for the last 6 hours or so. Also there are no packet drops (RTO) when I ping the peer IP.

If anyone has any idea what's going on, please let me know.


Thanks.

4 Replies

Michael Schueler
Cisco Employee

Hello Rooland,

This is hard to tell without further data. One possibility might be that the ASA connection timeout, which is 1 hour by default, kicks in if the remote virtual desktop connections within the tunnel are idle for a long time (i.e. >1 hour).

Please find further information on default timeouts on ASA and how to modify them here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1540870

As a first test, I would propose to increase the connection timeout for the remote virtual desktop connections only, via MPF using the "set connection timeout idle" command as described here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1080774

As the new timeout, I would select a value larger than the time after which you see connections dropping now.

Further useful commands to troubleshoot this would be "show conn" and "show local-host":

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s2.html#wp1396672

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s4.html#wp1487299

If the above doesn't help, I would recommend opening a TAC case, as we would next need to look into simultaneous captures from the client, the client-side ASA and the server-side ASA, plus syslogs from both ASAs.

Regards,

Michael
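The MPF approach described in the reply above, written out as an added configuration example (not from the thread or from Cisco). It assumes 10.1.0.0/24 is the local user subnet, 10.2.0.0/24 is the remote virtual desktop subnet behind the peer, the desktop protocol is RDP on TCP/3389, the client traffic enters on the "inside" interface, and a 3-hour idle timeout is larger than the interval at which drops are currently seen; adjust all of these to your environment.

```cisco
! Global default that applies to every TCP connection (1 hour);
! left untouched here so that only the desktop sessions are affected.
timeout conn 1:00:00

! ASSUMPTION: local users 10.1.0.0/24, remote VDI hosts 10.2.0.0/24,
! RDP on TCP/3389. Match only the sessions that are dropping.
access-list RDP_L2L extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 3389

class-map RDP_L2L_CLASS
 match access-list RDP_L2L

! Per-class idle timeout (hh:mm:ss). ASSUMPTION: 3 hours is longer than
! the observed time-to-drop; pick a value above what you measure.
policy-map RDP_L2L_POLICY
 class RDP_L2L_CLASS
  set connection timeout idle 3:00:00

! Only one service-policy may be attached per interface. If a policy-map
! is already applied to "inside", add the class to that policy instead.
service-policy RDP_L2L_POLICY interface inside

! Verification: confirm the policy is attached and that the RDP conn
! entries are being matched and carry the new idle timer.
show service-policy interface inside
show conn port 3389
```

If the sessions still drop at the same interval after this change, the timeout is not the cause and the capture-based troubleshooting described later in the thread is the next step.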

Reyad Safi
Level 1

Hi

I just want to ask whether you use a static or dynamic public IP address.


Hi Michael,

Thanks for the response. I may be wrong, but I think there should be no problem with the connection timeout value, as the problem occurs even while active work is going on. When the remote desktop connectivity is lost, there is a slight pause (a frozen desktop or delay), then a pop-up message "connectivity lost trying to reconnect".

@Reyad, we are using a static IP address (for the peer IP).

Regards,

Rooland

Hi Rooland,

I agree; if the issue occurs even while users are actively working on the remote desktop, this is very unlikely to be a timeout issue.

As such, we would now need to look into simultaneous packet captures and syslogs from both tunnel endpoints and the client. I would thus recommend opening a TAC case regarding this. When opening the case, please upload the following data:

  • "show tech" output from both tunnel endpoints
  • Detailed topology diagram including the test client and server, both tunnel endpoints and IP addresses of all devices on all relevant interfaces
  • Simultaneous packet captures from the test client and the "inside" interface of both ASAs, collected while the issue occurs
  • Syslogs at debugging level from both ASAs from the same time period as the packet capture

Please find further information on packet captures on ASA here:

https://supportforums.cisco.com/docs/DOC-1222

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

If you are unsure how to collect the captures exactly, the TAC engineer will provide further guidance.

Regards,

Michael