Cisco ASA IPsec tunnel disconnect sending RST to all hosts

Question

This is very strange behavior we are observing with our IPsec tunnel, we have two sites connected with cisco ASA using site-to-site VPN tunnel as per following:

[LAN-1]---------[ASA-1]-------Internet-------[ASA-2]--------[LAN-2]

We have Jenkin master on LAN-1 and some builds slave on LAN-2. In randomly by chance vpn tunnel blip out for few second, it causing jenkins disconnect to all slaves and distubes running job ( I felt like ASA sending RST packet when my tunnel blip out and that terminating all connection)

also if i have SSH connect established between LAN-1 and LAN-2 that SSH connection also got reset.

is it possible Cisco ASA send RST packet when tunnel go down for 10 second and re-initialize all SA?

I found this option `sysopt connection preserve-vpn-flows` and applied both side of ASA lets see if that fix my issue. — Satish, Sep 19 '19 at 15:59
Damn still i am seeing all LAN connection getting dropped out — Satish, Sep 19 '19 at 18:51

score 1 · Answer 1 · answered Sep 29 '19 at 14:08

I'll throw some ideas out there.

Check the tunnel uptime. Relevant commands show crypto isakmp sa and show crypto ipsec sa peer x.x.x.x. Is it going down for sure?
Can you replicate the issue by bouncing the tunnel? clear crypto ipsec sa peer *x.x.x.x*
Definitely use sysopt connection preserve-vpn-flows. Did you enable it on both sides or perhaps just one side?
Can you run a packet capture to check for RST's being sent? This
ideally is done on the host device but can also be done on the ASA
with the capture command.

Cisco ASA IPsec tunnel disconnect sending RST to all hosts

1 Answers1