Monday, November 11, 2013

Cisco IPsec site-to-site VPN connected but not passing traffic - solution

Last week at work we finished up a major storage system upgrade. Two days later, our site-to-site VPN started to act up. Coincidence? I figured it was the construction and flood of trucks from the local provider in the area lately, and put it off until Monday. No users were complaining, and I was working remotely Friday (the AnyConnect VPN was stable) and could access both sites just fine. After more testing, I found I could ping from the site A router to the site B router and from site B to site A, so there was nothing wrong with the physical fiber link between the sites. Logging out of/restarting the VPN allowed the connection to work for a short period of time, and the only downtime the ASA logged was when I reset the VPN or restarted the adapter. The tunnel otherwise would stay up. Some quick Googling returned this:

Our setup has the exact same issue: the tunnel stayed alive, but no traffic would pass. A quick look at the crypto security-association lifetime (seconds and kilobytes) showed that we had an 8-hour and 4.5GB cap per security association. Our site-to-site fiber line can do 18.5GB in about 1 hour on a congested day. It appears as though our new storage system upgrade, which included site-to-site replication, was hitting the kilobyte limit of the security-association lifetime long before the time limit. Upgrading the firmware to 8.6.5 fixes the problem, but so does increasing the kilobytes threshold. Changing ours to just over the peak transfer rate should prevent this from happening again until I can schedule downtime to upgrade the firmware. So far it has returned to its normal state and we can resume the replication.
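For reference, here is what the two settings discussed above look like on the ASA command line, first at the values the post reports (8 hours, 4.5GB) and then raised to sit just above the 18.5GB/hour peak the post measured. This is an added illustration, not configuration from the post; the crypto map name `outside_map`, sequence number `10`, and the 20,000,000 kilobyte figure are assumptions chosen for the example, and you would size the figure to your own measured peak.

```cisco
! Global IPsec SA lifetimes as reported in the post: 8 hours or ~4.5GB,
! whichever is reached first. Show them with: show run crypto ipsec
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

! Raise only the volume limit so that an hour of replication at the
! 18.5GB/hour peak no longer exhausts the SA before the time limit.
! 20000000 kB (~20GB) is an illustrative value, not the post's exact number.
crypto ipsec security-association lifetime kilobytes 20000000

! The same limit can be set on the single crypto map entry that carries
! the replication traffic instead of globally (names are assumed here):
crypto map outside_map 10 set security-association lifetime kilobytes 20000000

! After the change, confirm the new lifetime is applied on the live SA and
! watch the "remaining key lifetime (kB/sec)" counters drop during replication:
! show crypto ipsec sa
```

Two things worth keeping in mind: the time-based lifetime (28800 seconds) is untouched, so a rekey still happens at least every 8 hours, and raising the kilobyte limit means more traffic is protected under one key before rekeying, which is the trade-off you accept until the firmware upgrade the post describes as the real fix. Checking `show crypto ipsec sa` during a replication window is the quickest way to confirm which of the two limits is being hit.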

Best of luck!
- Marc