Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC Cisco ASA Issues

    Scheduled Pinned Locked Moved IPsec
    4 Posts 2 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Monty1157
      last edited by Monty1157

      Hi,
      We have a number of IPSEC VPNs going to a variety of endpoints, with different vendors at the remote ends, which all work perfectly, apart from two VPNs which go to Cisco ASA firewalls.

      The issue we're seeing with these devices is that during the phase 2 re-key, our pfsense firewall seems to do a re-key of the tunnel successfully, then fail to use the new key, and it also fails to delete the old key, leaving our firewall in limbo until we restart the IPSEC service, which obviously kills all the VPN connections. We have tried just restarting the two Cisco VPNs in question, but this doesn't work. Only a full service restart seems to quickly resolve the issue (Until the next phase 2 re-key), or we can leave the service to eventually time out (Which can take a considerable amount of time, and so is a very impractical solution).

      We have tried these VPNs as IKEv1 and IKEv2 tunnels, short and long re-key times, as well as a variety of different encryption protocols and levels on both phases, as well as enabling and disabling the Unity support on our pfsense, but nothing seems to change their behaviour. I have also tried every revision of pfsense from 2.3 onwards in an attempt to see if a revision regression would solve the issue, but with no success. Currently, we are on 2.4.4-p1 (I've just noticed 2.4.4-p2 is now available) and we're still seeing the issue.

      We've been in discussions with the remote side as to how we can proceed with this, but they have firmly refused to escalate the matter with Cisco, claiming that the fault lies entirely with pfsense, which I'm finding most unhelpful. They're even refusing to tell me the version of the ASA software that's running to see if I can cross reference anything.
      I've looked at this support site, as well as the StrongSWAN forums, but I can't see a recent issue with the software, in fact only finding one similar fault reported on the StrongSWAN bug tracker from several years back, but it being dismissed as a Cisco fault by their developers.

      Currently I'm having to run a cron job that restarts the IPSEC service every six hours as that is the only way we can maintain connectivity to the remote sites. Whilst obviously not the correct solution, it's the only one I've currently got at the moment.

      For reference, a service critical application hangs off these VPNs, and it's not something we can source from anywhere else, so we can't just move endpoints to a new provider. I'm stuck with these VPNs, and the frankly unhelpful support from the remote side.

      So, has anyone seen anything like this happen with IPSEC tunnels to Cisco ASA hardware, and if you've found a better solution, or even the answer as to why this is happening?

      Thanks very much in advance.

      Cheers,
      Monty

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Not really. Works fine with ASAs.

        They're even refusing to tell me the version of the ASA software that's running

        That's pretty arrogant.

        The beginning of finding the answer probably lies in the IPsec logs.

        Any specific information they provided for what parameters/algorithms/etc they expect might also help, along with shots of your P1 and P2 config pages.

        If they allow IKEv2 and the tunnel comes up I would stick with that. If you have more than one P2 just be sure to enable Split Connections in the Phase 1 to work around limitations in the ASA.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 1
        • M
          Monty1157
          last edited by

          Hi Derelict,
          Yes, I agree, it's pretty arrogant of them. I could go on at length about how lazy and incompetent their network admin is, but that's not the issue here, but it doesn't help resolving the issue I have when I can't get any logs out of them, which has left me trying to solve a puzzle with only half the clues, and why I ended up posting here. ☹

          Anyway, thank you so much for your help on this. Your comments have given me a new avenue to investigate.

          The split connections were not enabled on either tunnel as I didn't think it applied in this scenario (Two IPSEC VPNs going to different endpoints with a phase 1 config, and a single phase 2 config), but after you mentioning this, I started to look into Cisco ASA tunnels with split connections and to be honest, that's thrown up a whole lot more info around this that looks very, very, similar to the issues I'm seeing, which was the old phase 2 tunnel would re-key, a new key would be generated for the replacement phase 2 tunnel, then neither would be used with the firewall just sitting there unable to delete the old key, and the logs telling me the remote end wasn't accepting the new key either.

          I've enabled the split connections tick box on both VPNs and commented out the IPSEC restart commands in the crontab to see what transpires. At best, it works, and that would be great. At worst, at least I have a recent set of IPSEC logs with the debug output showing what's happening when things break. ☺

          Once again, thanks for the pointers in the right direction with this. 😀

          Cheers,
          Monty

          1 Reply Last reply Reply Quote 0
          • M
            Monty1157
            last edited by

            Thought I'd put a final update into this as the working solution.

            After getting a couple of Cisco ASA 5506 units on site and creating exact copies of the IPSEC VPNs that I was having issues with, and running these test VPNs over other IP addresses on our twin internet links back to the firewall, I couldn't get the damn things to fail like the original links. They worked for a good couple of weeks without a dropped packet, even although I'd put the phase 1&2 settings to rekey every hour and half hour respectively in the hopes of generating enough debug traffic on both sides to see where the issue lay.

            Went back to the outside agency in question, presented them with my findings, to be told point blank again, that the fault was on our side. After a pretty gritted teeth conversation with their network admin, he let slip that their configuration had a data transfer limit on both VPNs, where it would rekey every 4Gb of traffic. This was the first I'd heard about it, the agreed VPN documentation didn't have this noted, and PfSense IPSEC configs didn't have this in there (I don't think the StrongSWAN version currently in use on PfSense has this as an option anyway). After insisting that this be removed, both VPNs haven't failed since.

            Cheers,
            Monty

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.