04-05-2018 03:17 PM - edited 03-12-2019 05:10 AM
Hi Guys,
I'm having some trouble with users losing RDP access to a remote server throughout the day. The device is an ASA 5506 running ASA 9.5 (1). The RDP server is hosted in Microsoft Azure and is being accessed through a VPN tunnel.
The page on ASDM Monitoring > VPN > VPN Statistics Sessions page was showing the site to site VPN "Login Time Duration" to always be approximately an hour so it seemed to be disconnecting each hour (getting users to confirm this disconnect time has been difficult).
My first question is, when the "Login Time Duration" counter resets to 0d:0h:0m would that cause a brief loss of connectivity ?
Second problem is whilst I've been troubleshooting I have changed so many settings (group policies, cryptos, NAT etc.) the "Login Time Duration" resets every minute, so I believe I have made the problem worse, although I haven't had user testing yet (I'm hoping to resolve before I do).
I have attached my ASA configuration and changed the personal information such as WAN addresses and usernames.
If anybody can see an issue in my configuration, your advice would be much appreciated.
04-09-2018 05:56 PM
Your IPsec Phase 2 lifetime is 3600 seconds (1 hour). Ideally, both peers should re-negotiate a new Security Association (SA) and keys before this 1 hour time comes about. If it does not do this for some reason, the ASA tears down the Phase 2 tunnels and builds one up again - provided there is traffic to the Azure cloud. If it has to tear and rebuild the tunnel, there might be a brief interruption in the traffic, depending on the sensitivity of the application. You can change this value to a larger number by changing the setting:
crypto ipsec security-association lifetime seconds <seconds>
Now another setting that you have is the kilobyte lifetime setting. This setting expires the tunnel after a certain amount of data flows through it. When it comes to third party peers, I have seen that this does not work as well as expected. Furthermore, I have not seen this as a feature that customers use a lot. This might not be the setting causing the failure in your case, but you can disable this setting using the command:
crypto ipsec security-association lifetime disable
You would have to remove this setting on Azure as well.
04-18-2018 04:49 AM
Hi Rahul,
Thank you for your reply. Before I proceed with this, I have managed to take a snapshot of the syslog at the exact time the application has been disconnecting. Please see attached log and advise further if you can.
Also one thing to note is that on the Azure gateway side we can't actually change the lifetime for timeouts.
If you could take a look at the attached log and advise further it would be greatly appreciated.
Thank you,
Tom
04-18-2018 01:21 PM
Hello @tomas roberton,
Checking the log, there is no clear information on why the VPN tunnel is failing; the only thing you can see is the following log line:
2018-04-17 15:04:13 Local4.Debug 62.437.272.934 %ASA-7-713236: IP = 52.829.383.278, IKE_DECODE RECEIVED Message (msgid=76ce04a4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Your ASA is receiving the DELETE packet but the reasons are not clear, for that reason you need to check the logs on the remote side, if there are any.
HTH
Gio
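As an added example (not code from any poster in this thread), the script below does the check the last two replies describe by hand: it parses the IKE_DECODE form of the %ASA-7-713236 syslog message, keeps only messages received from the peer that carry a DELETE payload, and measures the spacing between them so it can be compared with the 3600-second Phase 2 lifetime mentioned above. The regex is derived from the single line quoted in the thread and is an assumption about the message format; the sample log lines, timestamps, msgids and IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, in the same shape as the %ASA-7-713236 line quoted
# in the thread. Addresses are RFC 5737 documentation ranges, msgids are made up.
SAMPLE_LOG = """\
2018-04-17 14:04:10 Local4.Debug 203.0.113.10 %ASA-7-713236: IP = 198.51.100.20, IKE_DECODE RECEIVED Message (msgid=1a2b3c4d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
2018-04-17 14:04:11 Local4.Debug 203.0.113.10 %ASA-7-713236: IP = 198.51.100.20, IKE_DECODE SENDING Message (msgid=2b3c4d5e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
2018-04-17 15:04:13 Local4.Debug 203.0.113.10 %ASA-7-713236: IP = 198.51.100.20, IKE_DECODE RECEIVED Message (msgid=76ce04a4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
2018-04-17 16:04:15 Local4.Debug 203.0.113.10 %ASA-7-713236: IP = 198.51.100.20, IKE_DECODE RECEIVED Message (msgid=3c4d5e6f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
"""

# Assumed layout of the IKE_DECODE variant of 713236 (derived from the one line
# in the thread); other variants of the message simply do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<asa>\S+) "
    r"%ASA-7-713236: IP = (?P<peer>[^,]+), IKE_DECODE (?P<direction>RECEIVED|SENDING) "
    r"Message \(msgid=(?P<msgid>[0-9a-fA-F]+)\) with payloads : (?P<payloads>.+?) "
    r"total length : (?P<length>\d+)$"
)
# One payload token, e.g. "HASH (8)" or the bare "HDR".
PAYLOAD_RE = re.compile(r"^(?P<name>[A-Z_]+)(?: \((?P<num>\d+)\))?$")


def parse_line(line):
    """Return a dict for an IKE_DECODE 713236 line, or None if it is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    payloads = []
    for token in m.group("payloads").split(" + "):
        pm = PAYLOAD_RE.match(token.strip())
        if pm:
            num = int(pm.group("num")) if pm.group("num") else None
            payloads.append((pm.group("name"), num))
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "asa": m.group("asa"),
        "peer": m.group("peer"),
        "direction": m.group("direction"),
        "msgid": m.group("msgid"),
        "payloads": payloads,
        "length": int(m.group("length")),
    }


def received_deletes(lines):
    """Messages received from a peer that carry an ISAKMP DELETE payload."""
    events = (parse_line(line) for line in lines)
    return [
        e for e in events
        if e and e["direction"] == "RECEIVED"
        and any(name == "DELETE" for name, _ in e["payloads"])
    ]


def delete_intervals(events):
    """Seconds between consecutive received DELETEs, keyed by peer address."""
    by_peer = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_peer[e["peer"]].append(e["time"])
    return {
        peer: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for peer, times in by_peer.items()
    }


def intervals_match_lifetime(intervals, lifetime_seconds=3600, tolerance_seconds=120):
    """True when every gap sits within tolerance of the configured SA lifetime."""
    return bool(intervals) and all(
        abs(gap - lifetime_seconds) <= tolerance_seconds for gap in intervals
    )


if __name__ == "__main__":
    deletes = received_deletes(SAMPLE_LOG.splitlines())
    for peer, gaps in delete_intervals(deletes).items():
        verdict = "consistent with" if intervals_match_lifetime(gaps) else "unrelated to"
        print(f"{peer}: DELETE gaps {gaps}s, {verdict} a 3600s Phase 2 lifetime")
```

If the DELETEs from the peer line up with the lifetime, the tear-down is happening at SA expiry rather than at a rekey, which is the case Rahul's reply describes; gaps that are irregular point elsewhere (DPD, routing, or the remote gateway), and only the remote side's logs can say which.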