05-11-2017 12:49 PM
I have an ASA 5520 on 8.4.3 and we currently have a VPN connection to the Microsoft Azure Cloud. Everything is good except for the VPN tunnel "dropping": the tunnel stays intact but we no longer have connectivity (pings, trace, remote desktop) to the Azure environment. I log into the ASA via PuTTY and do a clear crypto isakmp sa, which re-establishes the connection, but after about an hour or so we lose connectivity again. I think it may have something to do with the Traffic Volume on the Crypto Maps under the IPsec rule, which is set at 4608000 KBytes, and when I go to change it to zero it doesn't allow me to via ASDM. Does anybody know the command line to change the Traffic Volume to zero so if we reach that volume it won't reshare? This is becoming a headache since all of our email and SharePoint access is flowing through this VPN tunnel.
05-11-2017 01:03 PM
I believe disabling the kilobyte lifetime was only introduced in the 9.1(2) release onwards. The command is:
crypto map <map-name> <seq-num> set security-association lifetime kilobytes unlimited
Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html
05-11-2017 03:02 PM
Will changing the crypto map set security-association lifetime kilobytes unlimited hurt the current configuration?
05-12-2017 10:38 AM
Hello Rahul,
Does this mean that by default the IPsec security association will expire after passing 4608000 KB?
CF
05-12-2017 11:34 AM
Yes, but the ASA usually does a rekey if the SA lifetime or kilobyte limit is about to expire so that the tunnel does not have to go down and re-establish.
05-12-2017 10:45 AM
I'm currently on the 8.4.3 version. Is there a way to change this to either zero or unlimited through the command line? Azure has a threshold of 102400000 KB. When I do this, though, the ping to our server in the Azure environment drops after exactly 5 min. It is currently set at 4608000 KB.
05-12-2017 11:35 AM
You can change the default value to a max of 2147483647 KB on the ASA. Unlimited is only allowed on 9.1(2) and above.
05-16-2017 01:22 PM
I ran into the very same issue. The tunnel would remain established for 60 minutes until a re-key. At that time, my RDP sessions would drop / pings would drop and automatically re-establish after approximately 3 seconds.
I needed the "sysopt connection preserve-vpn-flows" command.
Reference to the document below:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html
After adding the command, my issues have been resolved.
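As an added illustration of how the two fixes discussed in this thread (the crypto map kilobyte lifetime from the first reply and the sysopt command from this post) would sit together in an ASA running configuration, with the commands used to verify them. This is not configuration posted by anyone in the thread; the crypto map name AZURE-MAP, sequence number 10 and the peer address 203.0.113.10 are placeholders.

```cisco
! Assumed names: crypto map AZURE-MAP, sequence 10, Azure peer 203.0.113.10 (placeholder)
! Phase 2 lifetime on the Azure crypto map entry.
! On 8.4.x the kilobyte limit cannot be disabled; raise it to the maximum accepted value.
crypto map AZURE-MAP 10 set security-association lifetime seconds 3600
crypto map AZURE-MAP 10 set security-association lifetime kilobytes 2147483647
! On 9.1(2) and later the same line accepts "unlimited" instead of a number:
! crypto map AZURE-MAP 10 set security-association lifetime kilobytes unlimited
!
! Keep established flows (RDP, long-lived TCP sessions) when the tunnel is re-established
! so they do not get torn down and have to reconnect.
sysopt connection preserve-vpn-flows
!
! Verification: confirm what is actually configured, then watch the SA across a rekey.
show running-config crypto map
show running-config sysopt
show crypto ipsec sa peer 203.0.113.10
```

In the `show crypto ipsec sa` output, compare the remaining key lifetime (kB/sec) and the packet counters before and after the hour mark: if the SPI changes and the counters keep increasing, a rekey happened and traffic survived it; if a new SA appears but the encaps/decaps counters stop moving, the problem is the traffic path after the rekey rather than the lifetime itself.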
04-15-2020 04:44 PM
05-15-2024 02:12 AM
I have set up a route-based VPN between Cisco ASA and Azure; both phase 1 and phase 2 are raised and the tunnel is up, but my problem is that the tunnel keeps going idle or disconnecting every couple of hours. From the Cisco ASA side the tunnel is showing up and the Azure side is showing connected, but traffic stops passing through the tunnel; if I ping from Azure to my on-prem PC, the ping times out. Every time this happens, I need to reset the connection from the Azure side, and everything works again. The VTI tunnel always shows up and Azure always shows connected, but all traffic stops passing through the tunnel. The only solution is to reset the connection from the Azure Virtual Network Gateway. I'm using an ASA5508 and version 9.8.2.
Can someone help me or advise me if they see this kind of behavior? ASA and Azure route-based VPN
05-15-2024 02:15 AM
Make a new post; it is better.
MHM