[Openswan Users] Annoying and intermittent VPN disconnection with Cisco ASA.

Daniel Cave dan.cave at me.com
Tue May 19 07:20:21 EDT 2015

Hi guys.

Firstly, I would really appreciate some help with this - its something I've been trying to deal with for the last week or so, so here goes.

I have a server hosted in Amazon, it details below.
root at ip-10-99-0-240:/var/log# ipsec --version
Linux Openswan U2.6.43/K3.13.0-44-generic (netkey)
See `ipsec --copyright' for copyright information.

root at ip-10-99-0-240:/var/log# uname -a
Linux ip-10-99-0-240 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
root at ip-10-99-0-240:/var/log# cat /etc/issue.net 
Ubuntu 14.04.2 LTS

We have a tunnel established to a third party which is a Cisco ASA 55xx device using 3des-md5.  the config i've included at our side the end of the mail. Every day or so the tunnel drops with the ASA (seemingly on our side) for no apparent reason apart from a re-keying issue on the SA /phase 2 side.  this is happening at least every day, if not randomly at no exact time. I have spoken to our third party who are looking into this again, and with Amazon last friday who helped me identify the re-key issue originally which was due to the phase 2 lifetime not matching with the ASA config.  The tunnel facilitates connectivity via an application we use on our network and we get a report from the app (by email alert) as to when the connection to the third party side times out ( The application tries to re-establish the tcp connection for a few minutes but partially fails to reconnect to one of the two servers at the remote end.. 

I have also got bandwidth/snmp monitoring going into Cacti on the same hosts and i do not see any issues with max bandwidth usage (infact its not showing much usage until the tunnel drops at around 9am (pictured)

However since I modified the phase2 SA lifetime issue yesterday (supposedly) the problem has still remained and I'm really none the wiser about how to fix this. I've attached the logs from today's vpn drop (at 08:01 UTC/   9:01 BST)  Is there anything else i can do to identify whats causing the issue ?  

Our third party who administer the Cisco Asa, are going to email me screen shots of the tunnel configs because they have around 50 third party tunnels in place.

Thanks very much in advance.

##### ipsec status ####
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048} 
000 "idc-dr/1x1":[]---<>===; erouted; eroute owner: #42
000 "idc-dr/1x1":     myip=; hisip=unset;
000 "idc-dr/1x1":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; force_encaps: yes 
000 "idc-dr/1x1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0; 
000 "idc-dr/1x1":   dpd: action:clear; delay:0; timeout:0;  
000 "idc-dr/1x1":   newest ISAKMP SA: #41; newest IPsec SA: #42; 
000 "idc-dr/1x1":   aliases: idc-dr 
000 "idc-dr/1x1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 #42: "idc-dr/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 71259s; newest IPSEC; eroute owner; isakmp#41; idle; import:admin initiate
000 #42: "idc-dr/1x1" esp.e947a46f at esp.f58e8811 at tun.0 at tun.0 at ref=0 refhim=4294901761
000 #41: "idc-dr/1x1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 71519s; newest ISAKMP; lastdpd=8761s(seq in:0 out:0); idle; import:admin initiate
000 -6-> => %hold 0    %acquire-netlink

#######  CPU and RAm usage ######

root at ip-10-99-0-240:/var/log# cat /proc/cpuinfo  |egrep "core|proc|Mhz"
processor	: 0
core id	: 0
cpu cores	: 2
processor	: 1
core id	: 1
cpu cores	: 2
root at ip-10-99-0-240:/var/log# free -h
                   total       used       free     shared    buffers     cached
Mem:          3.9G       1.2G       2.7G       6.2M       196M       685M
-/+ buffers/cache:       337M       3.5G
Swap:           0B         0B         0B

####### Our side. Amazon Ubuntu box, externally nat'd to a public IP.

config setup
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
# NAT-TRAVERSAL support, see README.NAT-Traversal
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
# OE is now off by default. Uncomment and change to on, to enable.
# which IPsec stack to use. auto will try netkey, then klips then mast
# Use this to log to a file, or disable logging on embedded systems (like openwrt)


# Add connections here

conn idc-dr
#    connaddrfamily=ipv4
#    ike=3des-md5
#    phase2alg=3des-md5
#    phase2=esp
#    keyexchange=ike
   ## was## keylife=86400s


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20150519/4f8e3c50/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec-pluto-Authlog-19thMay.log.zip
Type: application/zip
Size: 228428 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20150519/4f8e3c50/attachment-0001.zip>

More information about the Users mailing list