
I have an ASA IPSec tunnel configured between an ASA5505 and Microsoft TMG 2010 SP2.

The tunnel sometimes works for a few hours, and then disconnects, and other times it works for 5 minutes and then disconnects.

When it disconnects, it sometimes takes 10 minutes to re-establish the SA, sometimes takes 45 minutes to re-establish the SA.

I have a suspicion one side of the tunnel is re-keying the connection and the other isn't, but I don't really know how to troubleshoot this. Troubleshooting from the ASA end is substantially easier than troubleshooting from the TMG end due to the obtuse nature of getting this information out of TMG; although I suspect that the TMG is where the problem lies.

Where can I go in the ASA to determine why the IPSec tunnels are dropping?

2 Answers

1

Even though both sides of the tunnel had volume-based rekeying disabled, one of the sides was attempting to re-key anyway (I'm not sure which; I suspect the TMG). So after weeks of troubleshooting, I set a rekey after 4GB on both sides of the link and it has been rock solid ever since.

The time-based rekey is 1 hour, and it's highly unlikely that 4GB of traffic will flow over that link in an hour, so it's been stable ever since.

0

Are you using any routing protocols through the tunnel? If so, double check that you aren't getting a route to the remote endpoint address through the tunnel. E.g., if you have a tunnel between 1.2.3.4 and 2.3.4.5, make sure that you have a static route on 1.2.3.4 to 2.3.4.5 that goes via the appropriate next hop address.

The symptoms you are seeing are similar to what I've seen when I've made this error, because the tunnel goes up and down constantly. First it establishes the tunnel, then it establishes the routing neighbourship, then it exchanges routes, and often the remote endpoint's connected routes are sent through. So then the route to the remote endpoint is through the tunnel, which times out, and then the neighbourship fails, which means the routes are removed, and the tunnel can come up again. This cycle repeats endlessly until you add the appropriate static route.

Paul Gear
  • 4,686
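As an added illustration (not configuration taken from either answer or from the asker's ASA), this is what both fixes look like on the ASA side: the volume-based rekey from the first answer, set as a global default and per crypto map entry, and the host route to the peer from the second answer. The peer addresses 1.2.3.4 (local) and 2.3.4.5 (remote) come from the second answer; the interface name `outside`, crypto map name `outside_map`, sequence number 10 and next hop 1.2.3.1 are assumed placeholders.

```cisco
! --- Before (symptom): only the time-based lifetime is explicit; volume-based
! rekey is off, so the two peers can disagree on when to renegotiate.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes unlimited

! --- After (first answer): rekey at 1 hour OR 4GB, whichever comes first.
! 4GB = 4194304 kilobytes. Configure the same pair of values on the TMG side.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4194304

! The same lifetimes pinned on the specific crypto map entry for this peer,
! so a later change to the global default cannot reintroduce the mismatch.
crypto map outside_map 10 match address ACL_TO_TMG          ! ACL name is assumed
crypto map outside_map 10 set peer 2.3.4.5
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 4194304
crypto map outside_map interface outside

! --- Second answer: host route to the remote endpoint via the real next hop,
! so a route learned through the tunnel can never pull the peer itself
! into the tunnel (recursive routing -> tunnel flaps).
route outside 2.3.4.5 255.255.255.255 1.2.3.1 1

! --- Checks: confirm the negotiated lifetimes match and watch SA counters.
! "show crypto ipsec sa peer 2.3.4.5" prints the current SA lifetime
! (sec/kb remaining) and #pkts encaps/decaps; an SA that disappears with
! far more than 4194304 kB still remaining, or while well inside the 3600 s
! window, points at the other side tearing it down rather than a rekey.
! show crypto isakmp sa
! show crypto ipsec sa peer 2.3.4.5
! show vpn-sessiondb l2l
! show route 2.3.4.5        ! must resolve via 1.2.3.1, never via the tunnel
```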