VPN – Site-to-Site VPN Tunnel Up Not Passing Traffic

Tags: cisco-asa, vpn

I have a site-to-site VPN that seems to be dropping traffic from a particular subnet when a lot of data is being pushed through the tunnel. I have to run clear ipsec sa to get it going again.

I notice the following when running show crypto ipsec sa. The SA timing remaining key lifetime reaches 0 for kB. When this happens the tunnel doesn't pass traffic. I don't understand why it doesn't rekey.

    inbound esp sas:
      spi: 0x51BB8CAE (1371245742)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 65753088, crypto-map: OutsideCrypto_map
         sa timing: remaining key lifetime (kB/sec): (3796789/14690)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x91CA1D71 (2445942129)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 65753088, crypto-map: OutsideCrypto_map
         **sa timing: remaining key lifetime (kB/sec): (0/14678)**
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

UPDATE 7/1/2013

I am running ASA 8.6.1. Researching Cisco's site I was able to find Bug CSCtq57752. The details are:

ASA: IPSec outbound SA data lifetime rekey fails

Symptom:

IPSec outbound SA fails to rekey when data lifetime reaches zero kB.

Conditions:

ASA has an IPSec tunnel with a remote peer. The data lifetime on the
ASA reaches 0 kB while the lifetime in seconds has not yet expired.

Workaround:

Increase the data lifetime to a very high value (or even the maximum
value), or decrease the lifetime in seconds. The lifetime in seconds
should ideally expire before the data limit in kB reaches zero. In
this manner the rekey will be triggered based on seconds, and the data
lifetime issue can be bypassed.

The solution is to update to version 8.6.1(5). I'm going to try to schedule a maintenance window tonight and see if the problem is resolved.

Best Answer

The resolution to my problem is to upgrade my ASA image to 8.6.1(5).

This resolves bug CSCtq57752.

The workaround to the bug is to lower the crypto map's timed lifetime and increase the crypto map's traffic volume threshold:

crypto map *YOUR-CRYPTO-MAP ID* set security-association lifetime seconds 3600
crypto map *YOUR-CRYPTO-MAP ID* set security-association lifetime kilobytes 2147483647

The above crypto map lowers the lifetime to 3600 seconds and increases the kilobytes threshold to the highest value. In my case, I just have to ensure the seconds lifetime is depleted before the kilobytes threshold.
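An added example (written for this page, not the asker's or Cisco's code) that parses a `show crypto ipsec sa` excerpt for SAs showing this bug's signature (0 kB remaining while seconds remain), and a helper that checks whether a chosen seconds/kilobytes pair will rekey on time at an assumed peak throughput. The sample output is constructed from the question's excerpt; the function names and the 1 kB = 1000 bytes conversion are assumptions.

```python
import re

# Constructed sample modelled on the "show crypto ipsec sa" excerpt in the
# question; not captured from a live device.
SAMPLE_OUTPUT = """\
    inbound esp sas:
      spi: 0x51BB8CAE (1371245742)
         sa timing: remaining key lifetime (kB/sec): (3796789/14690)
    outbound esp sas:
      spi: 0x91CA1D71 (2445942129)
         sa timing: remaining key lifetime (kB/sec): (0/14678)
"""

SA_HEADER = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_LINE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
TIMING_LINE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_sas(output):
    """Return one dict per SA: direction, spi, remaining kB, remaining seconds."""
    sas, direction, spi = [], None, None
    for line in output.splitlines():
        if m := SA_HEADER.match(line):
            direction = m.group(1)
        elif m := SPI_LINE.match(line):
            spi = m.group(1)
        elif m := TIMING_LINE.search(line):
            sas.append({"direction": direction, "spi": spi,
                        "kb": int(m.group(1)), "sec": int(m.group(2))})
    return sas


def stuck_sas(output):
    """SAs whose data lifetime is exhausted while time lifetime remains:
    the condition under which CSCtq57752 fails to rekey."""
    return [sa for sa in parse_sas(output) if sa["kb"] == 0 and sa["sec"] > 0]


def time_rekeys_first(lifetime_sec, lifetime_kb, peak_mbps):
    """True if, at a sustained peak throughput (Mbit/s), the seconds lifetime
    expires before the kilobyte lifetime, i.e. the rekey is time-triggered.
    Assumes 1 kB = 1000 bytes."""
    kb_per_sec = peak_mbps * 1_000_000 / 8 / 1000
    return lifetime_kb / kb_per_sec > lifetime_sec


if __name__ == "__main__":
    for sa in stuck_sas(SAMPLE_OUTPUT):
        print(f"{sa['direction']} SA {sa['spi']}: 0 kB left, {sa['sec']}s left")
    print("3600s/2147483647kB at 100 Mbit/s rekeys on time:",
          time_rekeys_first(3600, 2147483647, 100))
```

Run it against a saved `show crypto ipsec sa` capture to spot the stuck outbound SA before users notice the tunnel has stopped forwarding.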