1066 Views, 5 Helpful, 3 Replies

VPN Timeout Help!

tomas roberton
Level 1

Hi Guys,

I'm having some trouble with users losing RDP access to a remote server throughout the day. The device is an ASA 5506 running ASA 9.5(1). The RDP server is hosted in Microsoft Azure and is being accessed through a VPN tunnel.

The ASDM Monitoring > VPN > VPN Statistics Sessions page was showing the site-to-site VPN "Login Time Duration" to always be approximately an hour, so it seemed to be disconnecting each hour (getting users to confirm this disconnect time has been difficult).

My first question is, when the "Login Time Duration" counter resets to 0d:0h:0m, would that cause a brief loss of connectivity?

Second problem is that while I've been troubleshooting I have changed so many settings (group policies, cryptos, NAT etc.) that the "Login Time Duration" resets every minute, so I believe I have made the problem worse, although I haven't had user testing yet (I'm hoping to resolve this before I do).

I have attached my ASA configuration and changed the personal information such as WAN addresses and usernames.

If anybody can see an issue in my configuration, your advice would be much appreciated.

3 Replies

Rahul Govindan
VIP Alumni

Your IPsec Phase 2 lifetime is 3600 seconds (1 hour). Ideally, both peers should re-negotiate a new Security Association (SA) and keys before this 1-hour time comes about. If it does not do this for some reason, the ASA tears down the Phase 2 tunnel and builds one up again, provided there is traffic to the Azure cloud. If it has to tear down and rebuild the tunnel, there might be a brief interruption in the traffic, depending on the sensitivity of the application. You can change this value to a larger number by changing the setting:

crypto ipsec security-association lifetime seconds <seconds>

Now another setting that you have is the kilobyte lifetime setting. This setting expires the tunnel after a certain amount of data flows through it. When it comes to third-party peers, I have seen that this does not work as well as expected. Furthermore, I have not seen this as a feature that customers use a lot. This might not be the setting causing the failure in your case, but you can disable this setting using the command:

crypto ipsec security-association lifetime disable

You would have to remove this setting on Azure as well.

Hi Rahul,

Thank you for your reply. Before I proceed with this, I have managed to take a snapshot of the syslog at the exact time the application has been disconnecting. Please see the attached log and advise further if you can.

Also, one thing to note is that on the Azure gateway side we can't actually change the lifetime for timeouts.

If you could take a look at the attached log and advise further it would be greatly appreciated.

Thank you,

Tom

Hello @tomas roberton

Checking the log, there is no clear information on why the VPN tunnel is failing; the only thing you can see is the following log:

2018-04-17 15:04:13 Local4.Debug 62.437.272.934 %ASA-7-713236: IP = 52.829.383.278, IKE_DECODE RECEIVED Message (msgid=76ce04a4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Your ASA is receiving the DELETE packet but the reasons are not clear, for that reason you need to check the logs on the remote side, if there are any.

HTH

Gio
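Added example for this thread (not code from the posters or from Cisco): a small parser that ties the two replies together. It reads ASA IKE debug lines in the layout of the %ASA-7-713236 message Gio quotes, keeps the ones whose payload list carries a DELETE, and measures the spacing between consecutive DELETEs per peer against the 3600 s Phase 2 lifetime Rahul cites. A gap at the lifetime means the SA ran to expiry instead of being rekeyed early; a gap of about a minute matches the "resets every minute" symptom. The sample log lines, the 192.0.2.1/198.51.100.2 addresses and the placeholder message id on the unrelated line are constructed for the example.

```python
"""Scan Cisco ASA IKE debug syslog for received ISAKMP DELETE notifications
and compare their spacing with the configured IPsec SA lifetime.

Added example for this thread; not code from the posters or from Cisco.
Assumptions: the line layout of the %ASA-7-713236 message quoted in the
thread, a 3600 s Phase 2 lifetime (the value Rahul cites), and constructed
sample lines using documentation-range addresses (192.0.2.1 for the ASA,
198.51.100.2 for the remote peer).
"""
import re
from collections import defaultdict
from datetime import datetime

# One regex for the decode line quoted in the thread: timestamp, peer address,
# message id and the "+"-separated payload list that precedes "total length".
IKE_DECODE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?%ASA-7-713236: IP = (?P<peer>[\d.]+), "
    r"IKE_DECODE RECEIVED Message \(msgid=(?P<msgid>[0-9a-fA-F]+)\) with payloads : "
    r"(?P<payloads>.+?) total length"
)

# Constructed sample log: a DELETE, a quick-mode exchange, a DELETE one hour
# later (the hourly symptom in the first post), then another DELETE only a
# minute later (the "resets every minute" symptom), plus one unrelated line.
SAMPLE_LOG = [
    "2018-04-17 14:04:11 Local4.Debug 192.0.2.1 %ASA-7-713236: IP = 198.51.100.2, "
    "IKE_DECODE RECEIVED Message (msgid=1a2b3c4d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80",
    "2018-04-17 14:04:12 Local4.Debug 192.0.2.1 %ASA-7-713236: IP = 198.51.100.2, "
    "IKE_DECODE RECEIVED Message (msgid=5e6f7a8b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 204",
    "2018-04-17 14:30:00 Local4.Info 192.0.2.1 %ASA-6-XXXXXX: constructed unrelated line (placeholder message id)",
    "2018-04-17 15:04:13 Local4.Debug 192.0.2.1 %ASA-7-713236: IP = 198.51.100.2, "
    "IKE_DECODE RECEIVED Message (msgid=76ce04a4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80",
    "2018-04-17 15:05:13 Local4.Debug 192.0.2.1 %ASA-7-713236: IP = 198.51.100.2, "
    "IKE_DECODE RECEIVED Message (msgid=9c0d1e2f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80",
]


def parse_ike_decode(line):
    """Return {'ts', 'peer', 'msgid', 'payloads'} for a 713236 line, else None."""
    m = IKE_DECODE_RE.search(line)
    if not m:
        return None
    # "HDR + HASH (8) + DELETE (12) + NONE (0)" -> ["HDR", "HASH", "DELETE", "NONE"]
    payloads = [p.strip().split(" ")[0] for p in m.group("payloads").split("+")]
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "peer": m.group("peer"),
        "msgid": m.group("msgid"),
        "payloads": payloads,
    }


def delete_intervals(lines):
    """Per peer, the seconds between consecutive received DELETE notifications."""
    deletes = defaultdict(list)
    for line in lines:
        rec = parse_ike_decode(line)
        if rec and "DELETE" in rec["payloads"]:
            deletes[rec["peer"]].append(rec["ts"])
    intervals = {}
    for peer, stamps in deletes.items():
        stamps.sort()
        intervals[peer] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return intervals


def classify(intervals, sa_lifetime=3600, tolerance=0.05):
    """Label each gap: 'at-lifetime' when it sits within tolerance of the SA
    lifetime (the peer let the SA expire rather than rekeying early), 'short'
    when it is under half the lifetime (tunnel thrashing), else 'other'."""
    out = {}
    for peer, gaps in intervals.items():
        labels = []
        for gap in gaps:
            if abs(gap - sa_lifetime) <= sa_lifetime * tolerance:
                labels.append("at-lifetime")
            elif gap < sa_lifetime * 0.5:
                labels.append("short")
            else:
                labels.append("other")
        out[peer] = labels
    return out


if __name__ == "__main__":
    gaps = delete_intervals(SAMPLE_LOG)
    for peer, labels in classify(gaps).items():
        for gap, label in zip(gaps[peer], labels):
            print(f"{peer}: DELETE received {gap} s after the previous one -> {label}")
```

Run against a real export, the script only tells you when the remote peer is sending DELETEs and how that timing relates to the configured lifetime; because the DELETE is received rather than sent, the reason still has to come from the remote gateway's own logs, which is the point Gio makes above.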