Vyos <-> Cisco ASA IPsec vpn disconnections

Philliptk · February 17, 2021, 9:51am

The issue seems to be that when the VPN times out(disconnects), the SA on the Cisco ASA says Not connected
BUT the one on the VyOS stays Active (still connected)
The Cisco ASA side re-keys (to reconnect)
And VyOS rejects as the SA on the VyOS says/is still connected

Looks like VyOS hold on to old data for quite sometime. You can check the status on the Cisco side and the tunnel is down, but when you do an ipsec status command on VyOS shortly after, the VyOS side shows that the tunnel is still up. (which is wrong)

How can i go about with this issue to avoid multiple disconnections? Thanks

olofl · February 17, 2021, 9:52am

What version? I had similar issues before 1.2.6 LTS.

Philliptk · February 17, 2021, 9:58am

My VyOS version is VyOS 1.3-rolling

Philliptk · February 17, 2021, 10:12am

How did you go about with that issue?

olofl · February 17, 2021, 2:16pm

Well I had 1.2.3 something, and it was solved when I went to 1.2.6. I cannot remember the exact bug or task# unfortunately.

Philliptk · February 18, 2021, 10:11am

I have implemented Dead Peer Detection and set action to ‘restart’. But I am still having some small disconnections. Any help?

frank-nl · February 24, 2021, 7:16am

Hi Philliptk, you might want to try turning off ‘data’ rekeying on the ASA. ASA does this by default after certain volume of data. Just make sure the lifetimes are the same but disable the SA data lifetime.
This solved a lot of ASA-VyOS issues for us.