VPN Tunnel dropping overnight

Rex Biesty
Level 1

Hi, we have an issue where a site-to-site VPN had dropped between a satellite office (Cisco 1801 running IOS 12.4(15)T6) and our data centre (Pix 515e running 7.2(2)). This has happened twice since the 1801 was deployed 3 weeks ago, both overnight. Rebooting the 1801 has remedied the issue.

Just to complicate matters, the remote site also needs to talk to another satellite site that is connected to our data centre via an MPLS network. This works fine provided the traffic is initiated from the remote office, however, there have been occasions where this has stopped working also (but remote site can still see the data centre network).

The remote site was deployed just before going on holiday and I've just returned to find out about these issues second hand (thus no diagnostic/troubleshooting done so far, everything is currently working fine). I'm waiting for it to go wrong again before I can analyse further but any help in the meantime would be much appreciated.

Thanks, Rex

8 Replies

Richard Burts
Hall of Fame

Rex

With nothing more than what you have described so far, my first guess would be that the IPsec lifetime expired and there was no interesting traffic to renegotiate new SAs. Can you tell us what kind of traffic is carried over the link (especially what kind of traffic would be present during the night)?

I wonder if there is a way to restart things without rebooting the 1801 (and I imagine you will figure this out the next time that the problem happens)?

HTH

Rick

Hi Rick, thanks for the reply.

After discussing further with the engineer involved and the customer, it appears that the problem occurred (no access to VPN LANs) at 10am, after they had been happily working for 1 hour. The router was rebooted (done remotely via SDM) and this brought back VPN connectivity to one of our VPN LANs (the one directly connected to the other end of the VPN tunnel). However, the other VPN LAN (connected to the previously mentioned LAN via an MPLS network) was not contactable initially and only started working some hours later, with no intervention from ourselves.

To answer your question regarding traffic, users at the remote site access resources (a Domino server for email and a Linux-based asset management server) on the LAN located at the other end of the MPLS. At the moment they don't access resources on the LAN directly connected to the other end of the VPN.

Alas, we can't extend the MPLS to incorporate the remote site as it's in a different country, hence the reason we're trying to implement the site-to-site VPN.

Any further help/advice would be greatly appreciated.

Hi Rex,

If this is an IPsec VPN tunnel, can you check the ISAKMP SA lifetime (Phase 1) and the IPsec SA lifetime (Phase 2)?

IPsec SAs are built inside the ISAKMP SA, so the lifetime of the ISAKMP SA should be greater than the IPsec SA lifetime. If it is not, then the tunnel often drops.

Usually the ISAKMP SA lifetime is 86400 seconds and the IPsec SA lifetime is 3600 seconds.

HTH

Saju

Please rate helpful posts.

Hi Saju, thanks for the helpful advice.

Indeed, the ISAKMP and IPsec SAs were both set to 24 hours. I changed the IPsec SA to 24 hours after the problem initially occurred to prevent the tunnel from dropping overnight. Although I have had no problems since this change, I am changing the IPsec SA to 23 hours. I'm waiting till after the weekend before deciding if the issue has been resolved, so I can see if the tunnel drops through inactivity. I'll keep you informed. Thanks again for your help.

Hi.

Sorry for the late reply, but we just had another instance of this. This time someone accidentally unplugged the ADSL line, plugged it back in again and could access the internet but not the VPN. I accessed the 1801 remotely via SDM and saw that the tunnel was showing as still up (but I couldn't ping anything over the tunnel). I cleared the connection and the tunnel automatically reconnected, enabling users to access remote resources again.

I'm not sure what's happening here. Any help would be appreciated.

Did you try enabling ISAKMP keepalives on the remote site's side?

Thanks for the reply. That might just be the solution. I have enabled it on the remote and peer sides for that tunnel and should hopefully test later this week.

If that is not it, I have done this on both sides of the VPN: hardcode the following commands on both sides, the ASA and the VPN client.

crypto ipsec security-association lifetime kilobytes 5000000

crypto ipsec security-association lifetime seconds 7200

Both commands are the same on both platforms.
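As an added example (not from anyone in this thread), the following script audits the two conditions the replies above turn on: Saju's rule that the Phase 2 (IPsec SA) lifetime must be shorter than the Phase 1 (ISAKMP SA) lifetime, and the later suggestion to enable ISAKMP keepalives (DPD) so a stale tunnel is torn down instead of sitting "up" while nothing passes. It parses a constructed IOS-style config fragment (the Rex/"both set to 24 hours" case) and assumes the IOS defaults of 86400 s for ISAKMP and 3600 s for IPsec when a value is not set; the PIX/ASA side uses different keywords and is not covered.

```python
import re

# Constructed IOS config fragment reproducing the "both lifetimes = 24 hours"
# state described in the thread; peer address and key are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key PLACEHOLDER_KEY address 203.0.113.10
crypto isakmp keepalive 10 periodic
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 5000000
"""

def parse_lifetimes(config):
    """Return (isakmp_lifetime, ipsec_lifetime, keepalive_enabled) in seconds.

    The smallest lifetime across all isakmp policies is used, since any of
    them may be the one that gets negotiated with the peer.
    """
    isakmp = 86400   # IOS default Phase 1 lifetime
    ipsec = 3600     # IOS default Phase 2 lifetime
    keepalive = False
    in_policy = False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and line.startswith(" "):      # sub-command of a policy
            m = re.match(r"lifetime (\d+)", stripped)
            if m:
                isakmp = min(isakmp, int(m.group(1)))
            continue
        in_policy = False
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)", stripped)
        if m:
            ipsec = int(m.group(1))
        if stripped.startswith("crypto isakmp keepalive"):
            keepalive = True
    return isakmp, ipsec, keepalive

def audit(config):
    """List misconfigurations that can leave a site-to-site tunnel stuck."""
    isakmp, ipsec, keepalive = parse_lifetimes(config)
    findings = []
    if ipsec >= isakmp:
        findings.append(f"IPsec SA lifetime {ipsec}s is not shorter than ISAKMP SA lifetime {isakmp}s")
    if not keepalive:
        findings.append("no 'crypto isakmp keepalive' configured; a dead peer will not be detected")
    return findings
```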