
I have an ASA IPSec tunnel configured between an ASA5505 and Microsoft TMG 2010 SP2.

The tunnel sometimes works for a few hours, and then disconnects, and other times it works for 5 minutes and then disconnects.

When it disconnects, it sometimes takes 10 minutes to re-establish the SA, sometimes takes 45 minutes to re-establish the SA.

I have a suspicion one side of the tunnel is re-keying the connection and the other isn't, but I don't really know how to troubleshoot this. Troubleshooting from the ASA end is substantially easier than troubleshooting from the TMG end due to the obtuse nature of getting this information out of TMG; although I suspect that the TMG is where the problem lies.

Where can I go in the ASA to determine why the IPSec tunnels are dropping?

Mark Henderson
  • Is there constant traffic through the tunnel, or is it intermittent? – Shane Madden Dec 15 '13 at 23:27
  • debug crypto ipsec and isakmp on ASA? – xeon Dec 15 '13 at 23:29
  • @ShaneMadden - traffic should be reasonably constant. Not heavy, but a sustained traffic of maybe 128kbps or so – Mark Henderson Dec 15 '13 at 23:30
  • @xeon - dumb question (I'm pretty much an ASA noob): I have run those two commands; now what? – Mark Henderson Dec 15 '13 at 23:33
  • logging enable, logging console 7, terminal monitor should give you messages to console. I don't have an ASA in front of me to confirm commands and it depends on your ASA OS version. You will get a lot of information; if you are using PuTTY or something, extend how many lines it keeps before it clears. – xeon Dec 15 '13 at 23:38
  • Interesting. The ASA is saying that the tunnels are still up, but there is no traffic flowing over them. I think I might have a different question that I will ask separately if I can't figure it out. – Mark Henderson Dec 15 '13 at 23:44
  • Are you sure your subnets and other information matches on each end? – Keith Stokes Dec 15 '13 at 23:47
  • Also check your routes – xeon Dec 15 '13 at 23:48
  • @KeithStokes - 99% sure. I have deleted the config from both ends and re-created it multiple times. I'm new to IPSec tunnels on ASAs; rather than flooding the community with noob questions I'll soldier on and see what I can find with this new info. – Mark Henderson Dec 15 '13 at 23:51
  • Or I will succumb and open a case with TAC... – Mark Henderson Dec 15 '13 at 23:52
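The commands suggested in the comments, pulled together into one ASA CLI session for collecting the evidence before the next drop. This is an added example and not from the original question or comments; the peer address 203.0.113.5 is assumed, and the syslog message IDs are quoted from memory (check them against the ASA syslog reference for your release).

```text
! --- 1. State of the tunnel right now (privileged EXEC) ---
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.5
!   Compare "#pkts encaps" with "#pkts decaps". Encaps climbing while decaps
!   stays flat means the ASA is sending into the SA but nothing comes back,
!   which is the "tunnel up, no traffic" state described in the comments.
!   "sa timing: remaining key lifetime (kB/sec)" shows which rekey limit
!   (volume or time) will be hit first.

! --- 2. The route to the peer must not point into the tunnel ---
show route 203.0.113.5

! --- 3. Log the negotiation with timestamps to the buffer, not the console ---
configure terminal
 logging enable
 logging timestamp
 logging buffer-size 1048576
 logging buffered debugging
end
! Limit debug output to this one peer, then enable the IKE/IPsec debugs
debug crypto condition peer 203.0.113.5
debug crypto isakmp 127
debug crypto ipsec 127

! --- 4. After the next drop, search the buffer ---
! 713xxx is the IKE (ISAKMP) message range; 602303/602304 are the
! "IPsec SA created/deleted" messages. The deletion reason tells you
! which side tore the SA down and why (lifetime expiry, DPD, peer delete).
show logging | include 713
show logging | include 602303|602304

! --- 5. Switch the debugs off again; level 127 is heavy on a 5505 ---
undebug all
```

Buffered logging is preferable to `logging console 7` here: a busy debug at level 127 on the console can make the box unresponsive, and the buffer survives long enough to be read after the tunnel has already re-established.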

2 Answers

Even though both sides of the tunnel had volume-based rekeying disabled, one of the sides was attempting to re-key anyway (I'm not sure which; I suspect the TMG). So after weeks of troubleshooting, I set a rekey after 4GB on both sides of the link and it has been rock solid ever since.

The time-based rekey is 1 hour; and it's highly unlikely that 4GB of traffic will flow over that link in an hour, so it's been stable ever since.

Mark Henderson
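The lifetimes the accepted answer ended up with, written out as ASA configuration so the two limits can be matched exactly on both ends. This is an added example, not the answer's own config; the crypto map name `outside_map`, sequence number 10 and peer 203.0.113.5 are assumed.

```text
! 4 GB expressed in kilobytes (4 * 1024 * 1024); 1 hour in seconds.
! Global values apply to every crypto map entry that does not override them.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4194304

! Or set them on the crypto map entry for the TMG peer only
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 4194304

! Verify: the "sa timing" line counts down from these values
show crypto ipsec sa peer 203.0.113.5 | include lifetime
```

At a sustained 128 kbps the link moves roughly 58 MB per hour, so the 3600-second limit always fires first and the 4 GB volume limit never triggers on its own. Configuring the same explicit volume limit on the TMG side means both peers agree on both limits rather than one side silently applying a default the other does not know about.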

Are you using any routing protocols through the tunnel? If so, double check that you aren't getting a route to the remote endpoint address through the tunnel. e.g. If you have a tunnel between 1.2.3.4 and 2.3.4.5, make sure that you have a static route on 1.2.3.4 to 2.3.4.5 that goes via the appropriate next hop address.

The symptoms you are seeing are similar to what I've seen when I've made this error, because the tunnel goes up and down constantly. First it establishes the tunnel, then it establishes the routing neighbourship, then it exchanges routes, and often the remote endpoint's connected routes are sent through. So then the route to the remote endpoint is through the tunnel, which times out, and then the neighbourship fails, which means the routes are removed, and the tunnel can come up again. This cycle repeats endlessly until you add the appropriate static route.

Paul Gear
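The static route described in this answer, as ASA configuration with a check. This is an added example and not the answer's own config; the peer 203.0.113.5 and the ISP gateway 198.51.100.1 are assumed addresses.

```text
! Pin the path to the IPsec peer to the real next hop on the outside interface
route outside 203.0.113.5 255.255.255.255 198.51.100.1 1

! A /32 host route is more specific than any prefix the remote end can
! advertise through the tunnel for its own outside network, so longest-prefix
! match picks it regardless of the routing protocol's administrative distance.
! Confirm that the route in use leaves via "outside", not an inside interface:
show route 203.0.113.5
```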