Tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Tunnel

L4 Transporter

I have a vpn tunnel that works fine most of the time and then is just goes down for no reason any suggestion

30 REPLIES 30

Correct the other tunnels I have are also connectingfrom PA to ASA 5505 and using main mode. I have not used aggressive mode for the reason you just stated. It appears to be a very regular pattern of going off in the afternoon and back on the next day.

What do the PA logs show during this time. Can you tell from the logs who is disconnecting or dropping the tunnel?

I have been trying to search for the time when it actually dropped but I havent; found it yet. Is there a way on the PA to determine who dropped the traffic?

Under system logs, search using the filter "( subtype eq vpn )". I'm not sure what event you would be searching for but this should be a good start. Using this filter and searching during the time it goes down should help you find what you are looking for. Good luck!

I think this is when it is succeeding

and ( description contains 'IKE phase-2 negotiation is succeeded as responder, quick mode. Established SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x1D8ADE40, SPI:0xB1874737/0xCB7EC37F.' )

tunnel just went down and now I am seeing this

tunnel  Parkway_IPSec_Tunnel5:DR_Network
        id:                     139
        type:                   IPSec
        gateway id:             5
        local ip:               66.94.196.107
        peer ip:                66.94.196.108
        inner interface:        tunnel.5
        outer interface:        ethernet1/3
        state:                  inactive
        session:                0
        tunnel mtu:             1428
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       100
        local spi:              B1874737
        remote spi:             CB7EC37F
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:      10.135.100.0/24
        proxy-id remote ip:     10.135.11.0/25
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       695231
        receive sequence:       653559
        encap packets:          6467473
        decap packets:          6128324
        encap bytes:            1022177560
        decap bytes:            4230706844
        key acquire requests:   50899

Make sure that the Tunnel MTU has been set correctly on both the sides.

MTU where do you set that on PA and Cisco?

MTU can be adjust on the interface:

MTU.JPG

Thanks

If I change that won't that affect all my tunnels and that could break my other tunnels

As per my understanding, that might effect other tunnel also. Because, all tunnels are terminated on the same physical interface.

Thanks

It dropped the tunnel at 2:16pm and I think this might be why

protocol:               ESP

auth algorithm:         NOT ESTABLISHED

algorithm:              NOT ESTABLISHED

This MTU setting is set to adjust TCP MSS

I think if the problem was with MTU you would see a consistent problem with your VPN tunnel, like dropped packets. If you ping across the tunnel it would be very evident if you had an MTU issue due to the packet loss. The problem sounds like the tunnel just disconnects and doesn't come back up on a consistent basis. Also, just an FYI, you can just adjust the MTU on the tunnel interface and not for the whole physical interface. Have you opened a ticket with support? They may need to dig into this issue in more detail than can be discussed in a forum to discover the underlying issue. One side is dropping the tunnel. If I had to guess it's the ASA side. Have you tried clearing out the tunnel on the ASA and rebuilding it?

Yea I am begining to think the ASA is dropping the tunnel looks like its loosing its SA's

This is when it is working

id 139

tunnel
Parkway_IPSec_Tunnel5:DR_Network

      
id:                   
139

      
type: 

        gateway
id:             5

      
local
ip:            
66.94.196.107

      
peer
ip:              
66.94.196.108

      
inner interface:        tunnel.5

      
outer interface:        ethernet1/3

      
state:                
active

      
session:              
184664

      
tunnel
mtu:           
1428

      
lifetime remain:        20799 sec

      
latest rekey:           8001
seconds ago

      
monitor:              
off

      
monitor packets seen:   0

      
monitor packets reply:  0

      
en/decap context:       100

      
local spi:
            B1874737

      
remote
spi:           
CB7EC37F

      
key
type:             
auto key

      
protocol:             
ESP

      
auth algorithm:         SHA1

      
enc  algorithm:         AES256

      
proxy-id local ip:      10.135.100.0/24

      
proxy-id remote ip:     10.135.11.0/25

      
proxy-id protocol:      0

      
proxy-id local port:    0

      
proxy-id remote port:   0

      
anti replay check:      yes

      
copy
tos:             
no

      
authentication errors:  0

      
decryption errors:      0

      
inner packet warnings:  0

      
replay packets:         0

      
packets received

        
when lifetime expired:0

        
when lifesize expired:0

      
sending sequence:       212815

      
receive sequence:       200841

      
encap packets:          5985057

      
decap packets:          5675607

      
encap bytes:          
945320904

      
decap bytes:          
3924486196

      
key acquire requests:   50803

This is when it’s not appears to lose it SA’s

Tunnel down

tunnel
Parkway_IPSec_Tunnel5:DR_Network

      
id:                   
139

      
type:                 
IPSec

      
gateway
id:             5

      
local ip:             
66.94.196.107

      
peer
ip:              
66.94.196.108

      
inner interface:        tunnel.5

      
outer interface:        ethernet1/3

      
state:                
inactive

      
session:              
0

      
tunnel
mtu:           
1428

      
lifetime remain:        N/A

      
monitor:              
off

      
monitor packets seen:   0

      
monitor packets reply:  0

      
en/decap context:       100

      
local
spi:            
B1874737

      
remote
spi:           
CB7EC37F

      
key
type:             
auto key

      
protocol:             
ESP

 
     auth
algorithm:         NOT ESTABLISHED

      
enc  algorithm:         NOT
ESTABLISHED

      
proxy-id local ip:      10.135.100.0/24

      
proxy-id remote ip:     10.135.11.0/25

      
proxy-id protocol:      0

      
proxy-id local port:    0

      
proxy-id remote port:   0

      
anti replay check:      yes

      
copy
tos:             
no

      
authentication errors:  0

      
decryption errors:      0

      
inner packet warnings:  0

      
replay packets:         0

      
packets received

        
when lifetime expired:0

        
when lifesize expired:0

      
sending sequence:       695231

      
receive sequence:       653559

      
encap packets:          6467473

      
decap packets:          6128324

      
encap bytes:          
1022177560

      
decap bytes:          
4230706844

      
key acquire requests:   50899

  • 11718 Views
  • 30 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!