Cisco ASA Site-to-Site VPN Dropping


I think it might be the keepalive being disabled; if there is no traffic, or traffic is routing another way, it may be causing the tunnel to drop due to inactivity. Try dropping the tunnel (clear isakmp sa $PEERIP) on the destination, then running debug on the source and see if it is trying to re-establish the connection. http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#crypto_isakmp


Author: ScottAdair

Updated on September 18, 2022

Comments

  • ScottAdair
    ScottAdair over 1 year

    I have three sites, Toronto (1.1.1.1), Mississauga (2.2.2.2) and San Francisco (3.3.3.3). All three sites have ASA 5520. All the sites are connected together with two site-to-site VPN links between each location.

    My issue is that the tunnel between Toronto and San Francisco is very unstable, dropping every 40 to 60 minutes. The tunnel between Toronto and Mississauga (which is configured in the same manner) is fine with no drops.

    I also noticed that my pings will drop but the ASA thinks that the tunnel is still up and running.

    Here is the configuration of the tunnel.

    Toronto (1.1.1.1)

    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 3.3.3.3 
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
    
    group-policy GroupPolicy_3.3.3.3 internal
    group-policy GroupPolicy_3.3.3.3 attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 ikev2
    
    tunnel-group 3.3.3.3 type ipsec-l2l
    tunnel-group 3.3.3.3 general-attributes
     default-group-policy GroupPolicy_3.3.3.3
    tunnel-group 3.3.3.3 ipsec-attributes
     ikev1 pre-shared-key *****
     isakmp keepalive disable
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    

    San Francisco (3.3.3.3)

    crypto map Outside_map0 2 match address Outside_cryptomap_1
    crypto map Outside_map0 2 set peer 1.1.1.1 
    crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
    crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256
    
    group-policy GroupPolicy_1.1.1.1 internal
    group-policy GroupPolicy_1.1.1.1 attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 ikev2
    
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
     default-group-policy GroupPolicy_1.1.1.1
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
     isakmp keepalive disable
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    

    I'm at a loss. Any ideas?

    Update:

    # show crypto isakmp sa
    
     IKEv1 SAs:
    
        Active SA: 2
         Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
     Total IKE SA: 2
    
     1   IKE Peer: 3.3.3.3
         Type    : L2L             Role    : initiator 
         Rekey   : no              State   : MM_ACTIVE 
     2   IKE Peer: 2.2.2.2
         Type    : L2L             Role    : responder 
         Rekey   : no              State   : MM_ACTIVE 
    
     There are no IKEv2 SAs
    
    
    
     # show crypto ipsec sa
     interface: Outside
         Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
    
           access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0 
           local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
           remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
           current_peer: 74.200.4.148
    
           #pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
           #pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
    
           local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
           path mtu 1500, ipsec overhead 74, media mtu 1500
           current outbound spi: EFADD3D6
           current inbound spi : 756AB014
    
         inbound esp sas:
           spi: 0x756AB014 (1969926164)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1015808, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (4372005/17024)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0xFFFFFFFF 0xFFFFFFFF
         outbound esp sas:
           spi: 0xEFADD3D6 (4021146582)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1015808, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (4369303/17024)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0x00000000 0x00000001
    
         Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
    
           access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0 
           local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
           remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
           current_peer: 2.2.2.2
    
           #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
           #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
    
           local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
           path mtu 1500, ipsec overhead 74, media mtu 1500
           current outbound spi: D2002A5B
           current inbound spi : 2E1F7B20
    
         inbound esp sas:
           spi: 0x2E1F7B20 (773815072)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1015808, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (3224936/17000)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0xFFFFFFFF 0xFFFFFFFF
         outbound esp sas:
           spi: 0xD2002A5B (3523226203)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1015808, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (2120164/17000)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0x00000000 0x00000001
    
         Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
    
           access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0 
           local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
           remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
           current_peer: 2.2.2.2
    
           #pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
           #pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
           #send errors: 0, #recv errors: 0
    
           local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
           path mtu 1500, ipsec overhead 74, media mtu 1500
           current outbound spi: 45B5CECD
           current inbound spi : 862EB1DB
    
         inbound esp sas:
           spi: 0x862EB1DB (2251207131)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1015808, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (4318958/16999)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0xFFFFFFFF 0xFFFFFFFF
         outbound esp sas:
           spi: 0x45B5CECD (1169542861)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1015808, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (4360717/16999)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0x00000000 0x00000001
    
         Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1
    
           access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
           local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
           remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
           current_peer: 3.3.3.3
    
           #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
           #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
    
           local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
           path mtu 1500, ipsec overhead 74, media mtu 1500
           current outbound spi: 6B0981E6
           current inbound spi : 2F85EB3C
    
         inbound esp sas:
           spi: 0x2F85EB3C (797305660)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1245184, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (3944948/12647)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0xFFFFFFFF 0xFFFFFFFF
         outbound esp sas:
           spi: 0x6B0981E6 (1795785190)
              transform: esp-aes-256 esp-md5-hmac no compression 
              in use settings ={L2L, Tunnel, PFS Group 2, }
              slot: 0, conn_id: 1245184, crypto-map: External_map
              sa timing: remaining key lifetime (kB/sec): (364451/12647)
              IV size: 16 bytes
              replay detection support: Y
              Anti replay bitmap: 
               0x00000000 0x00000001
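As an added example (not code from the question, the answer, or Cisco), the following Python checker does the two things the answer and the comments point at: it flags `ipsec-l2l` tunnel-groups whose `isakmp keepalive` (dead peer detection) is disabled, which is the condition that lets an IKE SA sit in MM_ACTIVE after the peer has silently gone away, and it reads `show crypto ipsec sa` counters to spot an SA that is encrypting packets but never decrypting any, the "tunnel says up but pings fail" symptom described above. The config and output embedded below are constructed to mirror the shape of the post, not copied from it; the `SAMPLE_SA` counters in particular are invented so that one SA shows the one-way condition.

```python
import re

# Constructed sample config in the layout of the Toronto tunnel-groups above.
# The 2.2.2.2 group is given an explicit keepalive so both branches are exercised.
SAMPLE_CONFIG = """\
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

# Constructed, abbreviated `show crypto ipsec sa` output: the second SA encrypts
# but never decrypts, which is what a one-way (half-dead) tunnel looks like.
SAMPLE_SA = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 2, local addr: 1.1.1.1
      current_peer: 2.2.2.2
      #pkts encaps: 120000, #pkts encrypt: 120000, #pkts digest: 120000
      #pkts decaps: 150000, #pkts decrypt: 150000, #pkts verify: 150000
    Crypto map tag: Outside_map, seq num: 1, local addr: 1.1.1.1
      current_peer: 3.3.3.3
      #pkts encaps: 34000, #pkts encrypt: 34000, #pkts digest: 34000
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

TG_TYPE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_SECTION = re.compile(r"^tunnel-group (\S+) (general-attributes|ipsec-attributes)$")
KEEPALIVE = re.compile(r"^\s+isakmp keepalive (disable|threshold (\d+) retry (\d+))$")


def audit_tunnel_groups(config):
    """Return {name: {"type": ..., "keepalive": ...}} for every tunnel-group.

    keepalive is "default" when not configured, "disabled" for
    `isakmp keepalive disable`, or a (threshold, retry) tuple.
    """
    groups = {}
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None
            m = TG_TYPE.match(line)
            if m:
                groups.setdefault(m.group(1), {"type": None, "keepalive": "default"})
                groups[m.group(1)]["type"] = m.group(2)
                continue
            m = TG_SECTION.match(line)
            if m:
                groups.setdefault(m.group(1), {"type": None, "keepalive": "default"})
                if m.group(2) == "ipsec-attributes":
                    current = m.group(1)
            continue
        if current is None:
            continue
        m = KEEPALIVE.match(line)
        if m:
            if m.group(1) == "disable":
                groups[current]["keepalive"] = "disabled"
            else:
                groups[current]["keepalive"] = (int(m.group(2)), int(m.group(3)))
    return groups


SA_FIELDS = (
    ("peer", re.compile(r"current_peer: (\S+)"), str),
    ("encaps", re.compile(r"#pkts encaps: (\d+)"), int),
    ("decaps", re.compile(r"#pkts decaps: (\d+)"), int),
)


def parse_ipsec_sa(output):
    """Return one dict per 'Crypto map tag:' block with peer and packet counters."""
    sas = []
    cur = None
    for line in output.splitlines():
        if line.strip().startswith("Crypto map tag:"):
            cur = {"peer": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is not None:
            for key, rx, conv in SA_FIELDS:
                m = rx.search(line)
                if m:
                    cur[key] = conv(m.group(1))
    return sas


def findings(config, sa_output):
    """Combine both checks into a list of human-readable findings."""
    out = []
    for name, g in audit_tunnel_groups(config).items():
        if g["type"] == "ipsec-l2l" and g["keepalive"] == "disabled":
            out.append(f"{name}: DPD disabled; a dead peer is never noticed, "
                       "so the IKE SA can stay MM_ACTIVE while traffic is black-holed")
    for sa in parse_ipsec_sa(sa_output):
        if sa["encaps"] > 0 and sa["decaps"] == 0:
            out.append(f"{sa['peer']}: one-way SA (encaps={sa['encaps']}, decaps=0); "
                       "check the far end and clear the SA to force renegotiation")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_CONFIG, SAMPLE_SA):
        print(f)
```

Paste a real `show running-config tunnel-group` and `show crypto ipsec sa` into the two strings to run it against a live box; a single snapshot can only catch the decaps-equals-zero case, so for a tunnel that only goes one-way after it has been up a while, take two snapshots some minutes apart and compare the decaps counter between them.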
    
    • Admin
      Admin almost 12 years
      Do you lose pings over the public internet?
    • Admin
      Admin almost 12 years
      Nope, public is fine from both locations.
    • Admin
      Admin almost 12 years
      What's the output from show crypto isakmp sa and show crypto ipsec sa look like when the issue is occurring? I'm guessing you're clearing the SAs to fix it, correct? Any particular reason you've disabled dead peer detection? And last but not least: what code version are these on?
    • Admin
      Admin almost 12 years
      All systems are running 8.4(2) and ASDM 6.4(5). Command outputs are above. Tunnel says that it is up, but no traffic is getting through. No particular reason for disabling dead peer, was just trying things this afternoon.
    • Admin
      Admin almost 12 years
      Interesting, the ASA in SF thinks the tunnel is down, but the ASA in TO thinks it is up.
    • Admin
      Admin almost 9 years
      Could it be related to this issue: networkengineering.stackexchange.com/q/2155 ? From your output, it seems that lifetime is fine, but maybe it is ASA on the other end of tunnel...