Wednesday, May 5, 2021

Cisco ASA VPN to AWS dropping every hour

I have a Cisco ASA with an IPsec VPN to AWS. The VPN works and passes traffic, but the problem is that it drops every hour for about 4 or 5 minutes. I have used the AWS-generated config, so all of my phase 1/phase 2 timers etc. match. I wouldn't mind if it dropped for a few seconds, but it drops for 4 or 5 minutes, which makes it unusable.

Has anybody seen this behaviour before? I have done a debug, but I can't see any obvious reason in the debugs as to why it's dropping.

I have a single network to a single network (as AWS recommends).

Thanks

Below is a snippet from the logs, from when it's down to when it comes back up again. There is a limit to how much I can post, so I can't post all the logs:

May 05 09:15:06 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x2dcdeb4a)

May 05 09:15:06 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing blank hash payload

May 05 09:15:06 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing qm hash payload

May 05 09:15:06 [IKEv1]IP = 99.16.210.2, IKE_DECODE SENDING Message (msgid=557f54c8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

May 05 09:15:16 [IKEv1]IKE Receiver: Packet received on 221.16.20.114:500 from 99.16.210.2:500

May 05 09:15:16 [IKEv1]IP = 99.16.210.2, IKE_DECODE RECEIVED Message (msgid=523756c0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing hash payload

May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing notify payload

May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Received keep-alive of type DPD R-U-THERE (seq number 0x2dcdeb4b)

May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x2dcdeb4b)

May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing blank hash payload

May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing qm hash payload

May 05 09:15:16 [IKEv1]IP = 99.16.210.2, IKE_DECODE SENDING Message (msgid=9143ab9f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

May 05 09:15:22 [IKEv1]Group = 99.16.210.2, IP = 99.16.210.2, IKE Initiator: Rekeying Phase 2, Intf Outside, IKE Peer 99.16.210.2 local Proxy Address 0.0.0.0, remote Proxy Address 10.22.0.0, Crypto map (outside_map)

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Oakley begin quick mode

May 05 09:15:22 [IKEv1 DECODE]Group = 99.16.210.2, IP = 99.16.210.2, IKE Initiator starting QM: msg id = cebea1a5

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Active unit starts Phase 2 rekey with remote peer 99.16.210.2.

IPSEC: New embryonic SA created @ 0x7fea3ec8,

SCB: 0x79DB3F20,

Direction: inbound

SPI : 0x1516D12F

Session ID: 0x003A7000

VPIF num : 0x00020002

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, IKE got SPI from key engine: SPI = 0x1516d12f

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, oakley constucting quick mode

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing blank hash payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing IPSec SA payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing IPSec nonce payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing pfs ke payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing proxy ID

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Transmitting Proxy Id:

Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0

Remote subnet: 10.22.0.0 Mask 255.255.255.0 Protocol 0 Port 0

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing qm hash payload

May 05 09:15:22 [IKEv1 DECODE]Group = 99.16.210.2, IP = 99.16.210.2, IKE Initiator sending 1st QM pkt: msg id = cebea1a5

May 05 09:15:22 [IKEv1]IP = 99.16.210.2, IKE_DECODE SENDING Message (msgid=cebea1a5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 308

May 05 09:15:22 [IKEv1]IKE Receiver: Packet received on 221.16.20.114:500 from 99.16.210.2:500

May 05 09:15:22 [IKEv1]IP = 99.16.210.2, IKE_DECODE RECEIVED Message (msgid=cebea1a5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 320

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing hash payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing SA payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing nonce payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing ke payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing ISA_KE for PFS in phase 2

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing ID payload

May 05 09:15:22 [IKEv1 DECODE]Group = 99.16.210.2, IP = 99.16.210.2, ID_IPV4_ADDR_SUBNET ID received--10.22.0.0--255.255.255.0

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, processing ID payload

May 05 09:15:22 [IKEv1 DECODE]Group = 99.16.210.2, IP = 99.16.210.2, ID_IPV4_ADDR_SUBNET ID received--10.22.0.0--255.255.255.0

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, loading all IPSEC SAs

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Generating Quick Mode Key!

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, NP encrypt rule look up for crypto map outside_map 10 matching ACL VPN-TRAFFIC-INTELYS-AWS: returned cs_id=777bcd40; encrypt_rule=7b3ffc98; tunnelFlow_rule=78106dc8

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Generating Quick Mode Key!

IPSEC: New embryonic SA created @ 0x777ed790,

SCB: 0x84A0D7D0,

Direction: outbound

SPI : 0xC187DB6A

Session ID: 0x003A7000

VPIF num : 0x00020002

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: Completed host OBSA update, SPI 0xC187DB6A

IPSEC: Completed outbound VPN context, SPI 0xC187DB6A

VPN handle: 0x0711bb3c

IPSEC: New outbound encrypt rule, SPI 0xC187DB6A

Src addr: 0.0.0.0

Src mask: 0.0.0.0

Dst addr: 10.22.0.0

Dst mask: 255.255.255.0

Src ports

Upper: 0

Lower: 0

Op : ignore

Dst ports

Upper: 0

Lower: 0

Op : ignore

Protocol: 0

Use protocol: false

SPI: 0x00000000

Use SPI: false

IPSEC: Completed outbound encrypt rule, SPI 0xC187DB6A

Rule ID: 0x7ae31e78

IPSEC: New outbound permit rule, SPI 0xC187DB6A

Src addr: 221.16.20.114

Src mask: 255.255.255.255

Dst addr: 99.16.210.2

Dst mask: 255.255.255.255

Src ports

Upper: 0

Lower: 0

Op : ignore

Dst ports

Upper: 0

Lower: 0

Op : ignore

Protocol: 50

Use protocol: true

SPI: 0xC187DB6A

Use SPI: true

IPSEC: Completed outbound permit rule, SPI 0xC187DB6A

Rule ID: 0x7d48e4d8

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, NP encrypt rule look up for crypto map outside_map 10 matching ACL VPN-TRAFFIC-INTELYS-AWS: returned cs_id=777bcd40; encrypt_rule=7b3ffc98; tunnelFlow_rule=78106dc8

May 05 09:15:22 [IKEv1]Group = 99.16.210.2, IP = 99.16.210.2, Security negotiation complete for LAN-to-LAN Group (99.16.210.2) Initiator, Inbound SPI = 0x1516d12f, Outbound SPI = 0xc187db6a

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, oakley constructing final quick mode

May 05 09:15:22 [IKEv1 DECODE]Group = 99.16.210.2, IP = 99.16.210.2, IKE Initiator sending 3rd QM pkt: msg id = cebea1a5

May 05 09:15:22 [IKEv1]IP = 99.16.210.2, IKE_DECODE SENDING Message (msgid=cebea1a5) with payloads : HDR + HASH (8) + NONE (0) total length : 76

IPSEC: New embryonic SA created @ 0x7fea3ec8,

SCB: 0x79DB3F20,

Direction: inbound

SPI : 0x1516D12F

Session ID: 0x003A7000

VPIF num : 0x00020002

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: Completed host IBSA update, SPI 0x1516D12F

IPSEC: Completed inbound VPN context, SPI 0x1516D12F

VPN handle: 0x0711c174

IPSEC: Completed outbound VPN context, SPI 0xC187DB6A

VPN handle: 0x0711bb3c

IPSEC: Completed outbound inner SPD rule, SPI 0xC187DB6A

Rule ID: 0x7ae31e78

IPSEC: Completed outbound outer SPD rule, SPI 0xC187DB6A

Rule ID: 0x7d48e4d8

IPSEC: New inbound tunnel flow rule, SPI 0x1516D12F

Src addr: 10.22.0.0

Src mask: 255.255.255.0

Dst addr: 0.0.0.0

Dst mask: 0.0.0.0

Src ports

Upper: 0

Lower: 0

Op : ignore

Dst ports

Upper: 0

Lower: 0

Op : ignore

Protocol: 0

Use protocol: false

SPI: 0x00000000

Use SPI: false

IPSEC: Completed inbound tunnel flow rule, SPI 0x1516D12F

Rule ID: 0x7908d7f8

IPSEC: New inbound decrypt rule, SPI 0x1516D12F

Src addr: 99.16.210.2

Src mask: 255.255.255.255

Dst addr: 221.16.20.114

Dst mask: 255.255.255.255

Src ports

Upper: 0

Lower: 0

Op : ignore

Dst ports

Upper: 0

Lower: 0

Op : ignore

Protocol: 50

Use protocol: true

SPI: 0x1516D12F

Use SPI: true

IPSEC: Completed inbound decrypt rule, SPI 0x1516D12F

Rule ID: 0x7c161328

IPSEC: New inbound permit rule, SPI 0x1516D12F

Src addr: 99.16.210.2

Src mask: 255.255.255.255

Dst addr: 221.16.20.114

Dst mask: 255.255.255.255

Src ports

Upper: 0

Lower: 0

Op : ignore

Dst ports

Upper: 0

Lower: 0

Op : ignore

Protocol: 50

Use protocol: true

SPI: 0x1516D12F

Use SPI: true

IPSEC: Completed inbound permit rule, SPI 0x1516D12F

Rule ID: 0x7d3687d0

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, IKE got a KEY_ADD msg for SA: SPI = 0xc187db6a

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Pitcher: received KEY_UPDATE, spi 0x1516d12f

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Starting P2 rekey timer: 3420 seconds.

May 05 09:15:22 [IKEv1]Group = 99.16.210.2, IP = 99.16.210.2, PHASE 2 COMPLETED (msgid=cebea1a5)

IPSEC DEBUG: Inbound SA (SPI 0x1516D12F) sent an ACTIVE PFKey message to IKE (location 1)

May 05 09:15:22 [IKEv1 DEBUG]Pitcher: received KEY_SA_ACTIVE, spi 0x1516d12f

May 05 09:15:22 [IKEv1 DEBUG]KEY_SA_ACTIVE old rekey centry found with new spi 0x1516d12f

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, sending delete/delete with reason message

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing blank hash payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing IPSec delete payload

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, constructing qm hash payload

May 05 09:15:22 [IKEv1]IP = 99.16.210.2, IKE_DECODE SENDING Message (msgid=351bc571) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Active unit activates new SA for remote peer 99.16.210.2.
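A small parser for this ASA IKEv1 debug format, added here as an example and not part of the original post or of any Cisco or AWS tooling. It pulls out the events that matter when lining the debug up against the outage window: DPD R-U-THERE/ACK pairs, the Phase 2 rekey the ASA initiates, the embryonic SAs with their SPIs and lifetimes, the negotiated SPI pair, the P2 rekey timer, PHASE 2 COMPLETED and the DELETE the ASA sends straight afterwards. The sample input is constructed from lines in the snippet above (abridged, not the full log), and the year is assumed to be 2021 because the ASA timestamps carry none. The summary reports what the log says; it does not diagnose the cause.

```python
import re
from datetime import datetime

# Constructed sample: lines in the ASA IKEv1 debug format shown in the post (abridged).
SAMPLE_LOG = """\
May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Received keep-alive of type DPD R-U-THERE (seq number 0x2dcdeb4b)
May 05 09:15:16 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x2dcdeb4b)
May 05 09:15:22 [IKEv1]Group = 99.16.210.2, IP = 99.16.210.2, IKE Initiator: Rekeying Phase 2, Intf Outside, IKE Peer 99.16.210.2 local Proxy Address 0.0.0.0, remote Proxy Address 10.22.0.0, Crypto map (outside_map)
IPSEC: New embryonic SA created @ 0x7fea3ec8,
Direction: inbound
SPI : 0x1516D12F
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0x777ed790,
Direction: outbound
SPI : 0xC187DB6A
Lifetime : 240 seconds
IPSEC: New outbound permit rule, SPI 0xC187DB6A
SPI: 0xC187DB6A
May 05 09:15:22 [IKEv1]Group = 99.16.210.2, IP = 99.16.210.2, Security negotiation complete for LAN-to-LAN Group (99.16.210.2) Initiator, Inbound SPI = 0x1516d12f, Outbound SPI = 0xc187db6a
May 05 09:15:22 [IKEv1 DEBUG]Group = 99.16.210.2, IP = 99.16.210.2, Starting P2 rekey timer: 3420 seconds.
May 05 09:15:22 [IKEv1]Group = 99.16.210.2, IP = 99.16.210.2, PHASE 2 COMPLETED (msgid=cebea1a5)
May 05 09:15:22 [IKEv1]IP = 99.16.210.2, IKE_DECODE SENDING Message (msgid=351bc571) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[^\]]+)\](?P<msg>.*)$")
DPD_RE = re.compile(r"keep-alive of type DPD (?P<type>R-U-THERE(?:-ACK)?) \(seq number (?P<seq>0x[0-9a-fA-F]+)\)")
NEG_RE = re.compile(r"Inbound SPI = (?P<inb>0x[0-9a-fA-F]+), Outbound SPI = (?P<out>0x[0-9a-fA-F]+)")
TIMER_RE = re.compile(r"Starting P2 rekey timer: (?P<secs>\d+) seconds")
SA_FIELD_RE = re.compile(r"^(?P<key>Direction|SPI|Lifetime)\s*:\s*(?P<val>.+?)\s*$")
SA_START = "IPSEC: New embryonic SA created"


def parse_ts(text, year=2021):
    # ASA lines carry no year; 2021 is assumed from the post date.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_asa_ike_log(text):
    """Turn ASA IKEv1 debug output into a list of event dicts (kind, ts, details)."""
    events, last_ts, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            sa = None  # a timestamped line ends any untimestamped IPSEC block
            last_ts, msg = parse_ts(m.group("ts")), m.group("msg")
            d, n, t = DPD_RE.search(msg), NEG_RE.search(msg), TIMER_RE.search(msg)
            if d:
                kind = "dpd_rx" if "Received keep-alive" in msg else "dpd_tx"
                events.append({"kind": kind, "ts": last_ts, "type": d["type"], "seq": d["seq"].lower()})
            elif "IKE Initiator: Rekeying Phase 2" in msg:
                events.append({"kind": "rekey_start", "ts": last_ts})
            elif n:
                events.append({"kind": "negotiation_complete", "ts": last_ts,
                               "inbound_spi": n["inb"].lower(), "outbound_spi": n["out"].lower()})
            elif t:
                events.append({"kind": "rekey_timer", "ts": last_ts, "seconds": int(t["secs"])})
            elif "PHASE 2 COMPLETED" in msg:
                events.append({"kind": "phase2_complete", "ts": last_ts})
            elif "SENDING" in msg and "DELETE (12)" in msg:
                events.append({"kind": "delete_sent", "ts": last_ts})
            continue
        if line.startswith(SA_START):
            sa = {"kind": "sa_created", "ts": last_ts}  # inherits the last timestamp seen
            events.append(sa)
        elif line.startswith("IPSEC"):
            sa = None  # rule/context blocks also carry "SPI:" lines; do not attach them to an SA
        elif sa is not None:
            f = SA_FIELD_RE.match(line)
            if f and f["key"] == "Direction":
                sa["direction"] = f["val"]
            elif f and f["key"] == "SPI":
                sa["spi"] = f["val"].lower()
            elif f:
                sa["lifetime_s"] = int(f["val"].split()[0])
    return events


def summarize(events):
    """Collapse events into the facts worth lining up against the observed outage window."""
    sas = {}
    for e in events:  # keyed by SPI, so a block logged twice (as in the post) is counted once
        if e["kind"] == "sa_created" and "spi" in e:
            sas[e["spi"]] = {"direction": e.get("direction"), "lifetime_s": e.get("lifetime_s")}
    asked = {e["seq"] for e in events if e["kind"] == "dpd_rx" and e["type"] == "R-U-THERE"}
    acked = {e["seq"] for e in events if e["kind"] == "dpd_tx" and e["type"] == "R-U-THERE-ACK"}
    p2_done = [e["ts"] for e in events if e["kind"] == "phase2_complete"]
    deletes = [e["ts"] for e in events if e["kind"] == "delete_sent"]
    return {
        "rekeys_initiated": sum(e["kind"] == "rekey_start" for e in events),
        "phase2_completed": len(p2_done),
        "negotiated_spis": [(e["inbound_spi"], e["outbound_spi"])
                            for e in events if e["kind"] == "negotiation_complete"],
        "sas": sas,
        "rekey_timer_s": next((e["seconds"] for e in events if e["kind"] == "rekey_timer"), None),
        "delete_sent_after_rekey": bool(p2_done and any(d >= p2_done[-1] for d in deletes)),
        "dpd_unanswered": sorted(asked - acked),  # peer liveness probes we never acknowledged
    }


def events_in_window(events, start, end):
    """Events inside [start, end]; feed it the outage window from monitoring."""
    return [e for e in events if e["ts"] is not None and start <= e["ts"] <= end]


if __name__ == "__main__":
    evs = parse_asa_ike_log(SAMPLE_LOG)
    for key, value in summarize(evs).items():
        print(f"{key}: {value}")
    window = events_in_window(evs, parse_ts("May 05 09:15:20"), parse_ts("May 05 09:15:30"))
    print("kinds during window:", [e["kind"] for e in window])
```

Run it over the full debug from both ends of the outage (down and back up) and compare the kinds that fall inside the window; a drop that begins at the same second as a rekey_start and ends around the next phase2_complete points at the rekey exchange rather than at DPD, whereas a growing dpd_unanswered list points the other way.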
