Old Versions of Cisco ASA Might Impair Your Remote Sites

Christopher Lentz | June 04, 2014 01:00 PM

During a recent site to site VPN setup between a Cisco ASA and a Vyatta virtual firewall we encountered an interesting circumstance. The VPN would set up and everything would look as though it was running as expected. Then suddenly, the Cisco side would send over teardown packets and the tunnels would reset. This was happening much more frequently than the client would have liked so we put our heels into the dirt and started digging deeper into the configuration on both sides of the connection. What we found might have you looking at new hardware for your remote site-to-site VPN setups.

Identifying the Problem

The easiest way to tell whether your tunnel is affected by this bug in the older ASA versions is to watch your logs and pay close attention to the key timeouts. By default, the older ASA software that the 5505 runs sets a security association lifetime in kilobytes of around 4 GB. Once that limit is reached, the Phase II (IPsec) keys are renegotiated between the peers. However, when connecting to a device that does not use the lifesize element in the IPsec phase, the tunnel can often hang and pass no data. Sometimes the tunnel will simply go down and not come back up until both peers have reset the affected tunnel(s). The reason is that the Cisco ASA has the lifesize set while the other peer has no such setting, so their IPsec settings do not match. This also means that only the Cisco side of the connection can truly initiate setting up the tunnels.

Finally, A Simple Fix

Though we did not research other vendors' products beyond Cisco and Vyatta, we assume there is an option to set a key lifesize; it may just be tucked away inside a command that most of us have never used or even seen. The Vyatta, however, which uses the Openswan and strongSwan suites, allows setting the lifesize, technically known as "lifebytes", in the ipsec.conf file. The value of that parameter is measured in kilobytes, so be sure to calculate accordingly if you use this workaround (confirm the unit against the ipsec.conf(5) man page for your release before relying on it). After you have added the setting, save the file and reset the tunnels. From then on the tunnels can be initiated from either side, provided the lifesize matches on both ends.
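To make the fix concrete, here is an added example of what the Vyatta-side ipsec.conf conn block looks like with lifebytes set. This is illustrative configuration written for this article, not the post's own files or the Vyatta project's defaults: the connection name, addresses and subnets are placeholders, and the cipher and IKE details of the real tunnel are omitted. The value 4608000 is the ASA's global default IPsec SA lifetime in kilobytes, the one the ASA sets with `crypto ipsec security-association lifetime kilobytes 4608000` (which is the "around 4 GB" figure above); it is written here in kilobytes as the post states.

```conf
# /etc/ipsec.conf - added example, not the post's configuration.
# Addresses, subnets and the conn name below are placeholders.
conn asa-site
    left=203.0.113.10          # Vyatta public address (placeholder)
    leftsubnet=10.10.0.0/24    # LAN behind the Vyatta (placeholder)
    right=198.51.100.20        # Cisco ASA public address (placeholder)
    rightsubnet=10.20.0.0/24   # LAN behind the ASA (placeholder)
    authby=secret              # pre-shared key kept in ipsec.secrets
    keylife=28800s             # Phase II time lifetime; ASA default is 28800 s
    lifebytes=4608000          # Phase II volume lifetime; must match the ASA's kilobyte value
    auto=start
```

The ASA rekeys when either limit is reached first, the time lifetime or the volume lifetime, so keep keylife aligned with the ASA's seconds value as well as lifebytes with its kilobytes value. If your Vyatta build regenerates ipsec.conf from the CLI configuration, a hand edit can be overwritten on the next commit, so verify the setting is still present after committing and after a reboot.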

I know this has been a pretty deep and high-level topic, but I know a LOT of small businesses use these Cisco ASA 5505s because they have always been well-priced and powerful firewall and VPN devices. If you are having a VPN or Cisco issue, give us a call today and let one of our Cisco Certified professionals help.


Enforma IT provides Cisco Network Consulting, VMware Virtualization Consulting, and Server/Desktop Support in the San Francisco Bay Area, Oakland, San Jose, and Chicago metropolitan areas.

© 2019 Enforma IT. All Rights Reserved.