Cisco ASA VPN Tunnel

A few days back one of our VPN sites was stuck in a state and was not able to re-negotiate; once cleared it became active. We had to ask someone external to carry this out. I just started in this firm; I have an idea of how it's done, but it's not clear. So I want to take suggestions on how all the tunnel states are checked, and if they are not able to re-negotiate with other sites, how can they get cleared?

This is the work they did:

1  IKE Peer:
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE_REKEY
2   IKE Peer:
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

Also, are there any other admin tasks which can be carried out to make sure the site tunnels are healthy and active?

One deals with clearing the session sa peer

Another within the config to set a keep alive.
LeoAuthor Commented:
that's all I have to do?

securityappliance(config)# tunnel-group  ipsec-attributes

  securityappliance(config-tunnel-ipsec)#isakmp keepalive  threshold 15 retry 10

we have 7 different tunnels, how can I know which one is stuck?
The one to which you have no path. The keepalive setting is a configuration set on each one.

The issue, per the last comment in the Cisco forum, deals with an existing tunnel where the remote end drops off, i.e. no "notice".
The tunnel is still "seen" as alive/active, but it is not, and when the remote end recovers, the renegotiation does not take place until the tunnel lifetime expires, commonly 28800 minutes, or 8 hours.

What is it you'd like? You'd like to be notified when this situation exists between the tunnels?
Set up a monitoring system on your end pinging the remote side; when your monitoring system is unable to reach the remote site, you know your tunnel is in flux/not connected.

LeoAuthor Commented:
Yes, we'd like to be notified when the site goes down. Also, when the tunnels are down, how can I clear their status and bring them up?
Do you have any monitoring tools: Nagios, Zabbix, etc.?
If memory serves, the keepalive records an event when it fails.
If this is common, you should check your incoming feed to see if there are interface errors on the ISP feed.
There are other monitoring tools, you need to see what resources are available to you. You may have ...

Different monitoring tools have options that, when configured, would perform an action.
IMHO, automated action in such cases should be carefully considered.
i.e. if your detection mode is too short, your recovery mechanism might be the one preventing the recovery.
Start with detection/notification first. Then ....
LeoAuthor Commented:
We have Nagios; it's not set up properly, so I have to set it up first.
As for bringing the tunnels back up when they can't re-negotiate / are stuck, what's the procedure?
clear ipsec sa peer <peer IP of the tunnel that shows connected but not working>
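The thread's advice comes down to two things: look at the IKE state of each peer in `show crypto isakmp sa`, and treat a tunnel whose SA still shows active but whose remote end has silently dropped off as the one to clear with `clear crypto ipsec sa peer <ip>`. The following Nagios-style check is an added example (not code from the thread, from Cisco, or from any poster) that does both for the seven-tunnel case: it parses the output of `show crypto isakmp sa` and `show crypto ipsec sa`, which it assumes you have already collected (for instance over SSH) once on the previous poll and once now, and it goes a step beyond the thread by comparing each peer's `#pkts decaps` counter between the two polls, so an SA that is "seen alive" but decrypts nothing is flagged rather than waiting for the lifetime to expire. The peer addresses in the thread's output were blanked, so the sample transcripts are constructed with documentation addresses; `constructed_ipsec_output`, `judge`, `run_sample` and the `Verdict` class are this example's own names.

```python
"""Nagios-style health check for Cisco ASA IKEv1 L2L tunnels (added example).

Assumes the text of 'show crypto isakmp sa' and 'show crypto ipsec sa' is
collected by the caller. A tunnel is healthy only if its IKE SA is MM_ACTIVE
and its decaps counter moved since the previous poll.
"""
import re
from dataclasses import dataclass

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

# One "IKE Peer" block of 'show crypto isakmp sa' (the ASA prints the peer IP on that line).
IKE_PEER_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s+Type\s*:\s*\S+\s+Role\s*:\s*\S+"
    r"\s+Rekey\s*:\s*\S+\s+State\s*:\s*(?P<state>\S+)"
)
PEER_RE = re.compile(r"current_peer:\s*(?P<peer>\S+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(?P<n>\d+)")


def parse_isakmp_sa(text):
    """Return {peer_ip: ike_state} from 'show crypto isakmp sa' output."""
    return {m["peer"]: m["state"] for m in IKE_PEER_RE.finditer(text)}


def parse_ipsec_decaps(text):
    """Return {peer_ip: total #pkts decaps}; several SAs to one peer are summed."""
    counts, peer = {}, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer = m["peer"]
            counts.setdefault(peer, 0)
        elif (m := DECAPS_RE.search(line)) and peer:
            counts[peer] += int(m["n"])
    return counts


@dataclass
class Verdict:
    peer: str
    state: str
    decaps_delta: int
    status: int
    remedy: str = ""


def judge(peer, state, prev, now):
    """Decide one tunnel's status from its IKE state and decaps movement."""
    delta = now if now < prev else now - prev  # counters restart after a rekey or a clear
    if state == "NO_IKE_SA":
        # Nothing to clear: the peer never negotiated; check reachability / the ISP feed.
        return Verdict(peer, state, delta, CRITICAL)
    if delta <= 0:
        # SA is present but nothing comes back: the "seen alive but dead" case.
        return Verdict(peer, state, delta, CRITICAL, f"clear crypto ipsec sa peer {peer}")
    if state != "MM_ACTIVE":
        return Verdict(peer, state, delta, WARNING)  # traffic flows, SA is mid-rekey
    return Verdict(peer, state, delta, OK)


def check_tunnels(isakmp_now, ipsec_prev, ipsec_now, expected_peers):
    """Evaluate every tunnel that is expected to exist, not just those the ASA lists."""
    states = parse_isakmp_sa(isakmp_now)
    prev, now = parse_ipsec_decaps(ipsec_prev), parse_ipsec_decaps(ipsec_now)
    return [judge(p, states.get(p, "NO_IKE_SA"), prev.get(p, 0), now.get(p, 0))
            for p in expected_peers]


def overall(verdicts):
    """Worst status wins, which is what Nagios expects as the plugin exit code."""
    return max((v.status for v in verdicts), default=OK)


# --- constructed sample transcripts (documentation addresses, not real peers) ---
SAMPLE_ISAKMP = """\
1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 192.0.2.30
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY
"""


def constructed_ipsec_output(counters):
    """Build a cut-down 'show crypto ipsec sa' transcript from {peer: (encaps, decaps)}."""
    out = ["interface: outside\n    Crypto map tag: outside_map, local addr: 192.0.2.1\n"]
    for peer, (enc, dec) in counters.items():
        out.append(f"      current_peer: {peer}\n"
                   f"      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}\n"
                   f"      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}\n")
    return "".join(out)


EXPECTED_PEERS = ["203.0.113.10", "198.51.100.20", "192.0.2.30", "203.0.113.99"]
# Previous poll vs. now: peer .20 keeps sending (encaps grows) but nothing comes back;
# peer .30 rekeyed, so its counters restarted from zero.
IPSEC_PREV = constructed_ipsec_output(
    {"203.0.113.10": (1000, 900), "198.51.100.20": (500, 400), "192.0.2.30": (50, 40)})
IPSEC_NOW = constructed_ipsec_output(
    {"203.0.113.10": (1100, 950), "198.51.100.20": (560, 400), "192.0.2.30": (20, 12)})


def run_sample():
    """Run the check over the constructed transcripts."""
    return check_tunnels(SAMPLE_ISAKMP, IPSEC_PREV, IPSEC_NOW, EXPECTED_PEERS)


if __name__ == "__main__":
    verdicts = run_sample()
    for v in verdicts:
        label = ("OK", "WARNING", "CRITICAL")[v.status]
        print(f"{v.peer:16} {v.state:16} decaps+{v.decaps_delta:<5} {label:9} {v.remedy}")
    raise SystemExit(overall(verdicts))
```

Run as a Nagios plugin, the exit code is the worst tunnel's status, so the dead-but-active peer raises a CRITICAL and the output line carries the exact `clear crypto ipsec sa peer` command for that peer; the expected-peer list is what makes a tunnel that has vanished entirely from the ASA's tables (`NO_IKE_SA`) visible at all. Keep the poll interval comfortably longer than the keepalive timers and, as the thread advises, start with notification only before wiring any automatic clear to this result.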

LeoAuthor Commented:
Thanks. It's been happening more often now; what will be the long-term solution to fix it?
Identifying the cause, i.e. network saturation on one side disrupting the VPN. Configuring QoS to make sure the VPN connection is maintained might be the way to go: the QoS on the routers connecting the location to the ISP, if separate from the ASA.
LeoAuthor Commented:
Would this work?

securityappliance(config)# tunnel-group  ipsec-attributes

  securityappliance(config-tunnel-ipsec)#isakmp keepalive  threshold 15 retry 10
It is not a question of working; it is whether the issue causing the tunnel to be terminated on the remote side is detected sooner and re-initiated from your side within a shorter amount of time than the default, which the article/blog/external link pointed to as a 5 minute delay, while the one you add will generate many more requests in the interim.

Look at bandwidth use on the remote side to see whether it gets saturated/maxed out and that leads to the issues you see. If so, implementing QoS to prioritize VPN traffic (below voice, if any) will make sure that more essential services are not interrupted.