DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek to Cisco ASA LAN to LAN VPN drops

30 Jul 2014 23:22 #80826 by fermat
We have an issue with a couple of LAN to LAN setups. We have a Draytek 2820 and a 2920, both connecting to a single Cisco ASA.

In both cases the VPN tunnels come up and pass traffic fine, but they both drop multiple times a day and then reconnect themselves. The two Drayteks are on different sites, using different Internet connections. They both connect to the same ASA.

Almost always both VPNs drop at the same time, but not 'every' single time. The ASA also has other VPN tunnels connected to it, generally from other Cisco devices, and those do not drop, only the Draytek connections.

The configuration is pretty much as specified here: http://www.draytek.com/index.php?option=com_k2&view=item&id=2027&Itemid=293&lang=en

We are using IPsec, with an IKE Pre-Shared Key, High(ESP) 3DES with Authentication.
Advanced settings are:

Main mode
3DES_SHA1_G2
3DES_SHA1/3DES_MD5
86400(increased from default)
86400 (increased from default)
Perfect Forward Secret disabled

Any suggestions would be appreciated.

Thanks

31 Jul 2014 08:42 #80827 by engdean
Replied by engdean on topic Re: Draytek to Cisco ASA LAN to LAN VPN drops
Disable the keep alives in the Cisco ASA for the site-to-site VPN. That fixed it for us.

07 Aug 2014 15:30 #80882 by fermat
We have resolved this issue, so I thought it worth posting our experience for anyone else who comes across this thread.

We followed engdean's suggestion and disabled the keep alive at the Cisco end. This did alter the situation but did not fix it. Instead of the VPN dropping sporadically, it started dropping every 6 hours on the dot, even though the phase 1 and phase 2 key lifetimes were either set to 28800 or 86400 on the Draytek end.

The solution in the end was a firmware update. Draytek support have beta firmware for the 2920, 2860 and 2830 (and possibly others) which resolved this specific issue. In our case there was no beta firmware for the 2920, but they built some for us in 24 hours, which was a good effort on their part.

We are currently running with no Cisco keep alive and the default of 28800 and 3600 on the Draytek, using the beta firmware. So far the VPN has stayed up for over 70 hours.

Hope it helps someone.
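The "every 6 hours on the dot" observation above is the kind of pattern worth checking for in the router's syslog before touching settings: an added Python example (not code from the thread, DrayTek or Cisco) that pulls tunnel-down times out of constructed syslog-style lines, tests whether the intervals are periodic, and compares the period against the lifetimes mentioned in the thread. The log format and the `to-ASA` profile name are assumptions.

```python
"""Periodicity check for IPsec LAN-to-LAN tunnel drops.

A stable drop period that lines up with one side's SA lifetime points at
a rekey problem; a stable period that matches neither side's lifetimes,
or no period at all, means the cause lies elsewhere (keepalive/DPD
handling, line drops, firmware).
"""
from datetime import datetime
from statistics import median

# Constructed sample log (not from the original thread): a tunnel that
# drops every 6 h, with the 'tunnel up' lines interleaved as noise.
SAMPLE_LOG = """\
2014-08-01 00:02:11 vpn: LAN-to-LAN 'to-ASA' tunnel down
2014-08-01 00:02:40 vpn: LAN-to-LAN 'to-ASA' tunnel up
2014-08-01 06:02:12 vpn: LAN-to-LAN 'to-ASA' tunnel down
2014-08-01 06:02:39 vpn: LAN-to-LAN 'to-ASA' tunnel up
2014-08-01 12:02:10 vpn: LAN-to-LAN 'to-ASA' tunnel down
2014-08-01 12:02:45 vpn: LAN-to-LAN 'to-ASA' tunnel up
2014-08-01 18:02:13 vpn: LAN-to-LAN 'to-ASA' tunnel down
"""

# Lifetimes (seconds) the thread mentions on the DrayTek side.
KNOWN_LIFETIMES = {"raised 86400": 86400, "IKE default 28800": 28800,
                   "IPsec default 3600": 3600}

def drop_times(log, marker="tunnel down"):
    """Timestamps of every 'tunnel down' line, in log order."""
    return [datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            for line in log.splitlines() if marker in line]

def drop_intervals(times):
    """Seconds between consecutive drops."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def periodicity(intervals, tolerance=0.05):
    """(median interval, periodic?) - periodic when every interval lies
    within `tolerance` of the median; needs at least two intervals."""
    if len(intervals) < 2:
        return None, False
    med = median(intervals)
    return med, all(abs(i - med) <= tolerance * med for i in intervals)

def match_lifetime(period, tolerance=0.05):
    """Name of the known lifetime the period lines up with, else None."""
    for name, secs in KNOWN_LIFETIMES.items():
        if abs(period - secs) <= tolerance * secs:
            return name
    return None

def analyse(log):
    times = drop_times(log)
    med, periodic = periodicity(drop_intervals(times))
    return {"drops": len(times), "period": med, "periodic": periodic,
            "matches": match_lifetime(med) if periodic else None}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

For the constructed log the period is about 21600 s and matches no DrayTek lifetime, which is the situation fermat describes and a cue to compare the peer's lifetimes and firmware rather than keep adjusting local timers.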
