Site-to-Site VPN tunnel goes down when the Phase 2 IPSec Outbound SA lifetime threshold is reached (ASA 8.4 bug)


If you have recently upgraded to ASA 8.4 or above, you might have come across a VPN behavior where the outbound IPsec SA reaches its data lifetime threshold, fails to rekey, and you have to manually bounce the tunnel to bring it back up.

This happens because of a bug found in code versions 8.4(2.240) and 8.6: the Phase 2 outbound IPsec SA fails to rekey when the data lifetime reaches its threshold (default 4608000 kilobytes). The bug ID is CSCtq57752, which you can look up in the Cisco Bug Toolkit (requires a CCO login).

There is a workaround and there is a fix for this issue:

1. Workaround: Adjust the lifetime values for the particular VPN tunnel in question so that the Phase 2 rekey happens on the seconds lifetime and never on the data (kilobytes) lifetime.

2. Fix: Upgrade to ASA 8.4(3) or the other versions in which the bug is fixed.

The Workaround:

Lower the lifetime seconds so that the outbound IPsec SA rekeys when the seconds threshold is reached, and raise the lifetime kilobytes to the maximum so that the outbound IPsec SA never rekeys on the kilobytes lifetime, because that is where the bug kicks in. For example, on crypto map entry outside_map 10:

crypto map outside_map 10 set lifetime seconds 3600
crypto map outside_map 10 set lifetime kilobytes 2147483647

Although you can set these lifetime values globally, I wouldn't recommend it, because you do not want the ASA to rekey every one of your VPN tunnels every hour. Instead, monitor the VPNs and apply the workaround only to the tunnels that push enough traffic to reach the kilobytes lifetime before the seconds lifetime.
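To decide which tunnels actually need the per-entry workaround, the useful question is: at the tunnel's real throughput, will the outbound SA's remaining kilobytes run out before its remaining seconds? The following script is an added example, not part of the original post or Cisco's code. It reads the "sa timing: remaining key lifetime (kB/sec)" lines from `show crypto ipsec sa` output, computes for each outbound SA the sustained throughput above which the data lifetime would expire first, emits the workaround commands for the entries that exceed your expected throughput, and checks that the workaround values (3600 seconds, 2147483647 kilobytes) really guarantee a seconds-based rekey at a given link speed. The sample output below is constructed and trimmed to the fields the script reads; the addresses, map names and SPIs are made up.

```python
"""Flag ASA outbound IPsec SAs likely to hit the kilobytes lifetime first.

Added example (not from the original post). Parses the `sa timing` lines of
`show crypto ipsec sa`. SAMPLE_SHOW_CRYPTO_IPSEC_SA is constructed test data.
"""
import re

# Constructed sample: two crypto map entries, inbound and outbound SAs each.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      current_peer: 198.51.100.1
      #pkts encaps: 1234567, #pkts encrypt: 1234567, #pkts digest: 1234567
      #pkts decaps: 1111111, #pkts decrypt: 1111111, #pkts verify: 1111111

    inbound esp sas:
      spi: 0x5E6F7A8B (1584101003)
         sa timing: remaining key lifetime (kB/sec): (4373999/28000)
    outbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         sa timing: remaining key lifetime (kB/sec): (1800000/27000)

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      current_peer: 198.51.100.2
      #pkts encaps: 4567, #pkts encrypt: 4567, #pkts digest: 4567
      #pkts decaps: 4321, #pkts decrypt: 4321, #pkts verify: 4321

    inbound esp sas:
      spi: 0x0000A1B2 (41394)
         sa timing: remaining key lifetime (kB/sec): (4600000/28500)
    outbound esp sas:
      spi: 0x0000C3D4 (50132)
         sa timing: remaining key lifetime (kB/sec): (4599000/28500)
"""

MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_outbound_sas(text):
    """Return one dict per outbound ESP SA with map, seq, peer, remaining kB/sec.

    Inbound SAs are skipped: the bug concerns the outbound SA's data lifetime."""
    sas = []
    map_name = seq = peer = None
    direction = None
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:
            map_name, seq = m.group(1), int(m.group(2))
            direction = None  # new crypto map entry, reset section tracking
            continue
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            continue
        if "inbound esp sas" in line:
            direction = "in"
        elif "outbound esp sas" in line:
            direction = "out"
        m = TIMING_RE.search(line)
        if m and direction == "out":
            sas.append({"map": map_name, "seq": seq, "peer": peer,
                        "remaining_kb": int(m.group(1)),
                        "remaining_sec": int(m.group(2))})
    return sas


def breakeven_mbps(sa):
    """Sustained throughput (Mbit/s) above which the remaining kilobytes are
    consumed before the remaining seconds elapse, i.e. a kB-triggered rekey."""
    kb_per_sec = sa["remaining_kb"] / sa["remaining_sec"]
    return kb_per_sec * 8 / 1000  # kB/s -> Mbit/s


def needs_workaround(sa, expected_mbps):
    """True if the tunnel's expected throughput would trigger a kB rekey first."""
    return expected_mbps >= breakeven_mbps(sa)


def workaround_commands(sa, seconds=3600, kilobytes=2147483647):
    """Per-entry workaround from the post: rekey on seconds, never on kilobytes."""
    return [f"crypto map {sa['map']} {sa['seq']} set lifetime seconds {seconds}",
            f"crypto map {sa['map']} {sa['seq']} set lifetime kilobytes {kilobytes}"]


def workaround_is_safe(link_mbps, seconds=3600, kilobytes=2147483647):
    """True if even line-rate traffic cannot move `kilobytes` within `seconds`,
    so the seconds lifetime is guaranteed to fire first."""
    kb_at_line_rate = link_mbps * 1000 / 8 * seconds
    return kb_at_line_rate < kilobytes


def report(text, expected_mbps):
    """Return the workaround commands for every outbound SA that needs them."""
    cmds = []
    for sa in parse_outbound_sas(text):
        if needs_workaround(sa, expected_mbps):
            cmds.extend(workaround_commands(sa))
    return cmds


if __name__ == "__main__":
    for sa in parse_outbound_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"{sa['map']} {sa['seq']} -> {sa['peer']}: "
              f"kB rekey first above {breakeven_mbps(sa):.2f} Mbit/s")
    print("\n".join(report(SAMPLE_SHOW_CRYPTO_IPSEC_SA, expected_mbps=1.0)))
    print("1 Gbit/s safe:", workaround_is_safe(1000), "10 Gbit/s safe:", workaround_is_safe(10000))
```

A single snapshot only tells you the break-even rate; compare it against the tunnel's real throughput (interface counters, or two `show crypto ipsec sa` samples a few minutes apart) before applying the workaround. The `workaround_is_safe` check is the caveat: 2147483647 kilobytes is the largest value the ASA accepts, and at 1 Gbit/s line rate that cannot be reached within 3600 seconds, but at 10 Gbit/s it can, so on very fast links you would need an even shorter seconds lifetime for the workaround to hold.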

The Fix:

Upgrading the firewall in a production environment to solve the issue might not be the most appropriate choice, especially when you have a workaround that works well. So you can implement the workaround until you get a maintenance window for the upgrade. The fixed versions are listed in the bug details for CSCtq57752.

Hope you find this useful and get your VPN tunnels up and running as quickly as possible!
