We are deploying IPsec connections between HQ (Cisco ASA) and small branch offices (RouterBOARD).
The RB connects to the ASA without any problem and it works fine.
The problem is when the ASA drops the IPsec and ISAKMP SAs after a period of inactivity.
As I see it, the RB knows that the connection is down because it removes the peer from [/ip ipsec remote-peers], but the SAs are still present in [/ip ipsec installed-sa].
Traffic to the tunnel is dropped as prohibited. The tunnel cannot be re-established until the SAs are flushed.
Normal operation
Code:
[admin@N3] > /ip ipsec remote-peers print
0 local-address=X.X.X.X remote-address=Y.Y.Y.Y state=established side=initiator established=29m36s
[admin@N3] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xE1C9CEB src-address=Y.Y.Y.Y dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key="697c459526423d6add00a9bc4bb183f14fca363a"
enc-key="e8b958a48d7c45f1243b516a1351e7db14b34583d8ca8e61" addtime=nov/01/2012 18:00:00 expires-in=7h30m14s
add-lifetime=6h24m/8h current-bytes=149688
1 E spi=0x44F37007 src-address=X.X.X.X dst-address=Y.Y.Y.Y auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key="acb9f886b3bf0629d51ff2116091da923c13ee21"
enc-key="faef95f257f84da59036ac1b34f01eaf773971d293cf7036" addtime=nov/01/2012 18:00:00 expires-in=7h30m14s
add-lifetime=6h24m/8h current-bytes=149772
[admin@N3] > /ping src-address=192.168.33.1 count=2 192.168.1.1
HOST SIZE TTL TIME STATUS
192.168.1.1 56 254 2ms
192.168.1.1 56 254 1ms
sent=2 received=2 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=2ms
HOST SIZE TTL TIME STATUS
[admin@N3] >
Code:
[admin@N3] > /ip ipsec remote-peers print
[admin@N3] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xE1C9CEB src-address=Y.Y.Y.Y dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key="697c459526423d6add00a9bc4bb183f14fca363a"
enc-key="e8b958a48d7c45f1243b516a1351e7db14b34583d8ca8e61" addtime=nov/01/2012 18:00:00 expires-in=7h27m21s
add-lifetime=6h24m/8h current-bytes=156100
1 E spi=0x44F37007 src-address=X.X.X.X dst-address=Y.Y.Y.Y auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key="acb9f886b3bf0629d51ff2116091da923c13ee21"
enc-key="faef95f257f84da59036ac1b34f01eaf773971d293cf7036" addtime=nov/01/2012 18:00:00 expires-in=7h27m21s
add-lifetime=6h24m/8h current-bytes=156352
[admin@N3] > /ping src-address=192.168.33.1 count=2 192.168.1.1
HOST SIZE TTL TIME STATUS
192.168.1.1 timeout
192.168.1.1 timeout
sent=2 received=0 packet-loss=100%
HOST SIZE TTL TIME STATUS
Code:
[admin@N3] > /ip ipsec installed-sa flush
[admin@N3] > /ping src-address=192.168.33.1 count=2 192.168.1.1
HOST SIZE TTL TIME STATUS
192.168.1.1 56 254 2ms
192.168.1.1 56 254 2ms
sent=2 received=2 packet-loss=0% min-rtt=2ms avg-rtt=2ms max-rtt=2ms
HOST SIZE TTL TIME STATUS
[admin@N3] > /ip ipsec remote-peers print
0 local-address=X.X.X.X remote-address=Y.Y.Y.Y state=established side=initiator established=15s
[admin@N3] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x47321FF src-address=Y.Y.Y.Y dst-address=X.X.X.X auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key="80ba7181dbb482e1ea7f0a95f9758da887a584cc"
enc-key="88d1a0516e4359ac4e9b345c1084a51f7a5f4cc1102a3ecc" addtime=nov/01/2012 18:33:27 expires-in=7h59m42s
add-lifetime=6h24m/8h current-bytes=1624
1 E spi=0x9EFFD9D2 src-address=X.X.X.X dst-address=Y.Y.Y.Y auth-algorithm=sha1 enc-algorithm=3des replay=4
state=mature auth-key="6f588056a4c576a7468ca046c817c87a61635663"
enc-key="e216630082a6848dfe89f4572c80bd3705dd392cf3beff39" addtime=nov/01/2012 18:33:27 expires-in=7h59m42s
add-lifetime=6h24m/8h current-bytes=1624
[admin@N3] >
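An added example, not part of the original post: a RouterOS script that automates the manual workaround shown above, detecting the stale condition (no entry in [/ip ipsec remote-peers] while entries remain in [/ip ipsec installed-sa]) and flushing the SAs so the RB can re-initiate the tunnel. It assumes the command paths used in the post (newer RouterOS versions rename remote-peers to active-peers), and the peer address, source address and test host are placeholders taken from the post's output.

```routeros
# Added example (not from the original post). Assumes the command paths
# shown in the post; the addresses below are placeholders from its output.
:local remotePeer "Y.Y.Y.Y"
:local localSrc "192.168.33.1"
:local testHost "192.168.1.1"

# Number of established ISAKMP peers and of installed SAs for this peer.
:local peers [/ip ipsec remote-peers print count-only where remote-address=$remotePeer]
:local sas [/ip ipsec installed-sa print count-only where src-address=$remotePeer]

# Stale state described in the post: the peer is gone but its SAs are still
# installed, so traffic matching the policy is dropped and no renegotiation
# is triggered.
:if (($peers = 0) && ($sas > 0)) do={
    :log warning ("ipsec: peer " . $remotePeer . " absent but " . $sas . " SA(s) still installed, flushing")
    /ip ipsec installed-sa flush
    # Send traffic into the policy to trigger a fresh negotiation and
    # confirm the tunnel came back (ping returns the number of replies).
    :local replies [/ping $testHost src-address=$localSrc count=2]
    :if ($replies = 0) do={
        :log error ("ipsec: tunnel to " . $remotePeer . " still down after SA flush")
    } else={
        :log info ("ipsec: tunnel to " . $remotePeer . " re-established")
    }
}
```

Run it from /system scheduler at a short interval (for example every minute) so the branch recovers without manual intervention; the log lines also give a record of how often the ASA tears down idle SAs.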