IPSec tunnel on ASA keeps disconnecting

cisco-asaipsecmicrosoft-ftmg-2010

I have an ASA IPSec tunnel configured between an ASA5505 and Microsoft TMG 2010 SP2.

The tunnel sometimes works for a few hours, and then disconnects, and other times it works for 5 minutes and then disconnects.

When it disconnects, it sometimes takes 10 minutes to re-establish the SA, sometimes takes 45 minutes to re-establish the SA.

I have a suspicion one side of the tunnel is re-keying the connection and the other isn't, but I don't really know how to troubleshoot this. Troubleshooting from the ASA end is substantially easier than troubleshooting from the TMG end due to the obtuse nature of getting this information out of TMG; although I suspect that the TMG is where the problem lies.

Where can I go in the ASA to determine why the IPSec tunnels are dropping?

Best Answer

Even though both sides of the tunnel had volume-based rekeying disabled, one of the sides was attempting to re-key anyway (I'm not sure which; I suspect the TMG). So after weeks of troubleshooting, I set a rekey after 4GB on both sides of the link and it has been rock solid ever since.

The time-based rekey is 1 hour; and it's highly unlikely that 4GB of traffic will flow over that link in an hour, so it's been stable ever since.

Related Solutions

Cisco PIX 515e dropping IPSEC tunnels to ASA 5505 over time

1) You absolutely can monitor the number of IPSec tunnels, but we’ve found that not to be a truly reliable way of determining if connectivity is working. It’s always best to send and receive traffic via the tunnel to confirm connectivity (e.g. ping monitor).

2) Same as #1 – it can be done, but may not give you usable information. Tunnels will start and stop in the normal course of operation depending on timeout intervals.

3) While it’s not supposed to be necessary, we have seen improvement with tunnel connectivity in some situations by running a ping at frequent intervals (3-5 minutes). Hard to say whether that would help in this situation without in-depth analysis.

Generally speaking, issues like this occur frequently due to VPN config mismatches between the head end and remote end VPN peers. Differing ACLs are often a problem.

Cisco – pfSense to ASA L2L VPN – infrequent, short-lasting, but consistent disconnections

I had a problem that exhibited behavior almost identical to yours. I was trying to run off-site backups with Veeam over the VPN. The job would run fine for somewhere between 2-6 hours usually, but at some point it would fail. Veeam support reviewed the logs and indicated it was related to a poor quality network connection. I looked at the Cisco ASA firewall and it showed errors:

show int eth 0/0 | inc error

The ASA outside interface was configured to auto negotiate speed and duplex, and was running at 100 Mbit half-duplex. I manually set the interface to 100 Mbit full-duplex, and have not had a problem with the off-site backup job since.

Here are the settings I'm using on pfSense 2.0.1. Note that a number of these were not default settings, and I had to verify that the Cisco ASA settings matched (especially lifetimes).

Phase 1:

Authentication method: Mutual PSK
Negotiation mode: aggressive
My identifier: KeyID tag, DefaultL2LGroup
Peer identifier: Peer IP address
Policy Generation: Unique
Proposal Checking: Obey
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 86400
NAT Traversal: Enable
Dead Peer Detection: disabled

Phase 2:

Mode: Tunnel
Protocol: ESP
Encryption: 3DES
Hash: MD5
PFS key group: off
Lifetime: 28800

Best Answer

Related Solutions

Cisco PIX 515e dropping IPSEC tunnels to ASA 5505 over time

Cisco – pfSense to ASA L2L VPN – infrequent, short-lasting, but consistent disconnections

Related Topic