
VPN between ASA and router strange behavior

remi-reszka
Level 1

Hello,

I'm observing a strange behavior on the router while VPNed with ASA. I have a simple site-to-site VPN between a 1921 router (remote site) behind NAT, with a dynamic public IP address on the modem, and 2 ASA5525s in Active-Active configuration (main site). On the router I have some IP SLA services to keep the tunnel up and also to verify reachability to the servers on the main site. Every 57 min or so the IP SLAs time out and come up after 5 sec (I have the frequency set to 5 sec on each IP SLA). Below I paste the syslog messages for the tracking. Up to here this behavior is, I guess, normal, since the router and ASA negotiate new SAs, hence a new tunnel, 180 sec right before the old SAs expire (I have the SA lifetime set to 3600 seconds and 4608000 kilobytes on both sites). The new tunnel is up and the IP SLAs are in OK state. What is strange is that sometimes, and here it can take 1, 2 days or even more, the IP SLAs time out and never come up, even if the SAs renegotiate well. The new tunnel is up on both sites and there is communication from the main site to the remote site, but the remote site cannot communicate with the main site; the IP SLAs stay in Timeout state.

 

The only remedy for that is if I go to the ASA and "clear crypto isakmp sa". When the new SAs are negotiated, the IP SLAs come up and the communication from the remote site to the main site is restored.

 

What could be causing this issue? Something to do with the public IP address change on the modem at the remote site? If so, how can I fix it?

 

Thank you for any suggestions.

Regards,

Remy

 

 

 


*Oct  2 11:23:20: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
*Oct  2 11:23:20: %TRACK-6-STATE: 12 ip sla 12 reachability Up -> Down
*Oct  2 11:23:20: %TRACK-6-STATE: 13 ip sla 13 reachability Up -> Down
*Oct  2 11:23:20: %TRACK-6-STATE: 14 ip sla 14 reachability Up -> Down

*Oct  2 11:23:25: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
*Oct  2 11:23:25: %TRACK-6-STATE: 12 ip sla 12 reachability Down -> Up
*Oct  2 11:23:25: %TRACK-6-STATE: 13 ip sla 13 reachability Down -> Up
*Oct  2 11:23:25: %TRACK-6-STATE: 14 ip sla 14 reachability Down -> Up


*Oct  2 12:20:20: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
*Oct  2 12:20:20: %TRACK-6-STATE: 12 ip sla 12 reachability Up -> Down
*Oct  2 12:20:20: %TRACK-6-STATE: 13 ip sla 13 reachability Up -> Down
*Oct  2 12:20:20: %TRACK-6-STATE: 14 ip sla 14 reachability Up -> Down

*Oct  2 12:20:25: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
*Oct  2 12:20:25: %TRACK-6-STATE: 12 ip sla 12 reachability Down -> Up
*Oct  2 12:20:25: %TRACK-6-STATE: 13 ip sla 13 reachability Down -> Up
*Oct  2 12:20:25: %TRACK-6-STATE: 14 ip sla 14 reachability Down -> Up


*Oct  2 13:16:50: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
*Oct  2 13:16:50: %TRACK-6-STATE: 12 ip sla 12 reachability Up -> Down
*Oct  2 13:16:50: %TRACK-6-STATE: 13 ip sla 13 reachability Up -> Down
*Oct  2 13:16:50: %TRACK-6-STATE: 14 ip sla 14 reachability Up -> Down

*Oct  2 13:17:25: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
*Oct  2 13:17:25: %TRACK-6-STATE: 12 ip sla 12 reachability Down -> Up
*Oct  2 13:17:25: %TRACK-6-STATE: 13 ip sla 13 reachability Down -> Up
*Oct  2 13:17:25: %TRACK-6-STATE: 14 ip sla 14 reachability Down -> Up
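
One way to separate the routine rekey flaps from the stuck state described in the post, as an added example that is not part of the original post: it pairs each Up -> Down with its recovery, measures the time between flaps, and lists tracks that never came back. The sample lines are constructed in the post's log format (the last one is invented), and the year is an assumption because the syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample in the format of the post's syslog (track 11 only); the
# last line is an invented Up -> Down with no recovery, i.e. the stuck state.
SAMPLE = """\
*Oct  2 11:23:20: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
*Oct  2 11:23:25: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
*Oct  2 12:20:20: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
*Oct  2 12:20:25: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
*Oct  2 13:16:50: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
*Oct  2 13:17:25: %TRACK-6-STATE: 11 ip sla 11 reachability Down -> Up
*Oct  2 14:13:40: %TRACK-6-STATE: 11 ip sla 11 reachability Up -> Down
"""

LINE = re.compile(r"^\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d): %TRACK-6-STATE: (\d+) "
                  r"ip sla \d+ reachability (?:Up|Down) -> (Up|Down)")

def parse(text, year=2000):
    """Yield (timestamp, track, new_state); `year` is assumed by the caller."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def analyze(text, now):
    """Return (outages, gaps, stuck).
    outages: (track, seconds down) for every flap that recovered
    gaps:    seconds between consecutive Up -> Down events of the same track
    stuck:   {track: seconds down so far} for tracks with no recovery by `now`"""
    down_since, last_down, outages, gaps = {}, {}, [], []
    for ts, track, state in parse(text):
        if state == "Down":
            if track in last_down:
                gaps.append(int((ts - last_down[track]).total_seconds()))
            down_since[track] = last_down[track] = ts
        elif track in down_since:
            start = down_since.pop(track)
            outages.append((track, int((ts - start).total_seconds())))
    stuck = {t: int((now - s).total_seconds()) for t, s in down_since.items()}
    return outages, gaps, stuck

if __name__ == "__main__":
    outages, gaps, stuck = analyze(SAMPLE, now=datetime(2000, 10, 2, 14, 30))
    print("recoveries slower than one 5 s probe:", [o for o in outages if o[1] > 5])
    print("seconds between flaps:", gaps)
    print("tracks still down:", stuck)
```

Gaps close to the 3600-second SA lifetime minus the rekey margin point at rekey-related flaps; a track that stays in `stuck` across several probe intervals is the condition that needed `clear crypto isakmp sa`.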
