06-20-2014 08:05 AM
Correct, the other tunnels I have are also connecting from PA to ASA 5505 and using main mode. I have not used aggressive mode for the reason you just stated. It appears to be a very regular pattern of going off in the afternoon and back on the next day.
06-20-2014 08:10 AM
What do the PA logs show during this time? Can you tell from the logs who is disconnecting or dropping the tunnel?
06-20-2014 08:15 AM
I have been trying to search for the time when it actually dropped but I haven't found it yet. Is there a way on the PA to determine who dropped the traffic?
06-20-2014 08:41 AM
Under system logs, search using the filter "( subtype eq vpn )". I'm not sure what event you would be searching for but this should be a good start. Using this filter and searching during the time it goes down should help you find what you are looking for. Good luck!
06-20-2014 09:02 AM
I think this is when it is succeeding
and ( description contains 'IKE phase-2 negotiation is succeeded as responder, quick mode. Established SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x1D8ADE40, SPI:0xB1874737/0xCB7EC37F.' )
06-20-2014 12:26 PM
tunnel just went down and now I am seeing this
tunnel Parkway_IPSec_Tunnel5:DR_Network
id: 139
type: IPSec
gateway id: 5
local ip: 66.94.196.107
peer ip: 66.94.196.108
inner interface: tunnel.5
outer interface: ethernet1/3
state: inactive
session: 0
tunnel mtu: 1428
lifetime remain: N/A
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 100
local spi: B1874737
remote spi: CB7EC37F
key type: auto key
protocol: ESP
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
proxy-id local ip: 10.135.100.0/24
proxy-id remote ip: 10.135.11.0/25
proxy-id protocol: 0
proxy-id local port: 0
proxy-id remote port: 0
anti replay check: yes
copy tos: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired:0
when lifesize expired:0
sending sequence: 695231
receive sequence: 653559
encap packets: 6467473
decap packets: 6128324
encap bytes: 1022177560
decap bytes: 4230706844
key acquire requests: 50899
06-20-2014 12:32 PM
Make sure that the Tunnel MTU has been set correctly on both the sides.
06-20-2014 12:34 PM
MTU where do you set that on PA and Cisco?
06-20-2014 12:52 PM
MTU can be adjusted on the interface:
Thanks
06-20-2014 12:53 PM
If I change that, won't that affect all my tunnels, and that could break my other tunnels?
06-20-2014 12:57 PM
As per my understanding, that might affect other tunnels also. Because all tunnels are terminated on the same physical interface.
Thanks
06-20-2014 01:00 PM
It dropped the tunnel at 2:16pm and I think this might be why
protocol: ESP
auth algorithm: NOT ESTABLISHED
algorithm: NOT ESTABLISHED
06-20-2014 01:09 PM
This MTU setting is set to adjust TCP MSS
06-20-2014 01:38 PM
I think if the problem was with MTU you would see a consistent problem with your VPN tunnel, like dropped packets. If you ping across the tunnel it would be very evident if you had an MTU issue due to the packet loss. The problem sounds like the tunnel just disconnects and doesn't come back up on a consistent basis. Also, just an FYI, you can just adjust the MTU on the tunnel interface and not for the whole physical interface. Have you opened a ticket with support? They may need to dig into this issue in more detail than can be discussed in a forum to discover the underlying issue. One side is dropping the tunnel. If I had to guess it's the ASA side. Have you tried clearing out the tunnel on the ASA and rebuilding it?
06-20-2014 01:44 PM
Yeah, I am beginning to think the ASA is dropping the tunnel; looks like it's losing its SAs
This is when it is working
id 139
tunnel Parkway_IPSec_Tunnel5:DR_Network
id: 139
type:
gateway id: 5
local ip: 66.94.196.107
peer ip: 66.94.196.108
inner interface: tunnel.5
outer interface: ethernet1/3
state: active
session: 184664
tunnel mtu: 1428
lifetime remain: 20799 sec
latest rekey: 8001 seconds ago
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 100
local spi: B1874737
remote spi: CB7EC37F
key type: auto key
protocol: ESP
auth algorithm: SHA1
enc algorithm: AES256
proxy-id local ip: 10.135.100.0/24
proxy-id remote ip: 10.135.11.0/25
proxy-id protocol: 0
proxy-id local port: 0
proxy-id remote port: 0
anti replay check: yes
copy tos: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired:0
when lifesize expired:0
sending sequence: 212815
receive sequence: 200841
encap packets: 5985057
decap packets: 5675607
encap bytes: 945320904
decap bytes: 3924486196
key acquire requests: 50803
This is when it's not; it appears to lose its SAs
Tunnel down
tunnel Parkway_IPSec_Tunnel5:DR_Network
id: 139
type: IPSec
gateway id: 5
local ip: 66.94.196.107
peer ip: 66.94.196.108
inner interface: tunnel.5
outer interface: ethernet1/3
state: inactive
session: 0
tunnel mtu: 1428
lifetime remain: N/A
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 100
local spi: B1874737
remote spi: CB7EC37F
key type: auto key
protocol: ESP
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
proxy-id local ip: 10.135.100.0/24
proxy-id remote ip: 10.135.11.0/25
proxy-id protocol: 0
proxy-id local port: 0
proxy-id remote port: 0
anti replay check: yes
copy tos: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired:0
when lifesize expired:0
sending sequence: 695231
receive sequence: 653559
encap packets: 6467473
decap packets: 6128324
encap bytes: 1022177560
decap bytes: 4230706844
key acquire requests: 50899
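
The comparison made in the post above, as an added example that is not part of the original thread: it parses the working and down snapshots (fields copied from the posts, trimmed), lists which fields changed and by how much the counters moved, and adds "lifetime remain" to the time since the last rekey to get the SA lifetime the firewall was counting down. The function names are hypothetical.

```python
# Fields copied from the two snapshots posted in the thread (trimmed).
UP = """state: active
lifetime remain: 20799 sec
latest rekey: 8001 seconds ago
local spi: B1874737
auth algorithm: SHA1
enc algorithm: AES256
decryption errors: 0
encap packets: 5985057
decap packets: 5675607
key acquire requests: 50803"""
DOWN = """state: inactive
lifetime remain: N/A
local spi: B1874737
auth algorithm: NOT ESTABLISHED
enc algorithm: NOT ESTABLISHED
decryption errors: 0
encap packets: 6467473
decap packets: 6128324
key acquire requests: 50899"""

def parse_flow(text):
    """Turn 'key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def seconds(value):
    """Leading integer of a value such as '20799 sec'; None for 'N/A' or missing."""
    head = (value or "").split(" ")[0]
    return int(head) if head.isdigit() else None

def compare(up, down):
    """Return (changed text fields, counter deltas, implied SA lifetime in seconds)."""
    changed, deltas = {}, {}
    for key in sorted(up.keys() & down.keys()):
        a, b = up[key], down[key]
        if a.isdigit() and b.isdigit():
            if a != b:
                deltas[key] = int(b) - int(a)
        elif a != b:
            changed[key] = (a, b)
    remain, since = seconds(up.get("lifetime remain")), seconds(up.get("latest rekey"))
    lifetime = remain + since if remain is not None and since is not None else None
    return changed, deltas, lifetime

print(compare(parse_flow(UP), parse_flow(DOWN)))
```

On this data the local SPI is unchanged and the error counters stay at zero, while the implied lifetime is 28800 seconds; that value is worth checking against the IPSec lifetime configured on each peer.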