Cisco ASA 5505

I recently had to try and determine the cause of random drop outs of customer’s Cisco ASA IPsec VPN between two Cisco ASA 5505s.  Both ASAs were NAT’d behind ADSL routers and ports forwarded to the firewall.  I know this *shouldn’t* cause a problem and modern implementations of the IPsec stack are much better at traversing NAT than they used to be.  One router was a Cisco/Linksys something and the other was a NetGear DGN1000.

Symptoms: Tunnel would intermittently drop after 10-30 minutes, regardless of whether traffic was passing over the link (constant PING) or not.

After a bit of log trawling I quickly found it was related to DPD (Dead Peer Detection).  The ASA enables DPD by default, and is only capable of semi-periodic DPD (R-U-THERE).  I also read about various issues regarding NetGear routers and their inability to handle DPD messages correctly – there are many posts for other IPsec and DPD issues with other vendors and fix is simple – disable DPD.  I did this on both firewalls and it is applied per tunnel (so if it is required for another tunnel you can disable it for just the one with issues).  It is very simple to disable:

tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive disable

That’s it!  The tunnel has now been up for over 4 hours.  Not bad considering one of the connections is behind a non-stable ADSL connection.

Reference: https://supportforums.cisco.com/docs/DOC-8554