Troubleshooting VPN SA Timing Issues on Cisco ASA 5505

When using a VPN for remote access, a stable, secure connection is crucial. One common issue that can disrupt this connection is a problem with Security Association (SA) timing and rekeying. This article explores a specific scenario involving Windows 7 laptops connecting to a Cisco ASA 5505 firewall running version 8.0(4)8, focusing on how to troubleshoot and resolve SA timing issues that lead to VPN disconnections.

Understanding SA Timing and Rekeying

Security Associations (SAs) are the foundation of IPsec VPN tunnels. They define the parameters for secure communication, including encryption algorithms, authentication methods, and key lifetimes. “SA timing” refers to the duration a specific SA remains valid. To maintain security, SAs periodically renegotiate and generate new keys, a process called “rekeying.” Rekeying ensures that even if a key is compromised, the overall security of the VPN connection remains intact. Cisco ASA firewalls typically initiate rekeying when 5 to 15 percent of the SA lifetime remains.

Problem: VPN Drops During Rekeying

In this case study, Windows 7 users experience VPN disconnections as soon as the SA rekeying process begins. The current SA lifetime is set to 3600 seconds (1 hour), and attempts to increase it to 36000 seconds (10 hours) have been unsuccessful. Despite configuring the crypto ipsec security-association lifetime command with the desired 36000 seconds, the VPN session still displays a remaining key lifetime of 3600 seconds. This indicates a mismatch between the configured lifetime and the actual negotiated lifetime.

[Figure: Example of ASA configuration commands related to SA lifetime.]

Analyzing the Configuration

The provided configuration snippets show that the SA lifetime has been explicitly set to 36000 seconds in multiple places:

  • Globally using crypto ipsec security-association lifetime seconds 36000
  • Within the dynamic map using crypto dynamic-map outside_dyn_map 65535 set security-association lifetime seconds 36000
  • In the ISAKMP policy using crypto isakmp policy 1 lifetime 36000

However, the output from the show crypto ipsec sa command reveals that the negotiated SA lifetime is still 3600 seconds. This suggests that either the client or another configuration parameter is overriding the configured value.

[Figure: VPN session details highlighting the SA timing discrepancy.]
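The discrepancy described above (a 36000-second lifetime in the configuration, a 3600-second lifetime in the live session) is easiest to spot when the session output is checked mechanically rather than by eye. The following Python script is an added example and is not part of the original article or any Cisco tooling. It parses text laid out in the style of the ASA's "show vpn-sessiondb detail" output, extracts the negotiated rekey interval for each IKE and IPsec SA, flags every SA whose negotiated lifetime differs from the value the administrator configured, and reports which SAs have entered the 5 to 15 percent window in which the article says the ASA starts rekeying. The sample output, user names and addresses are constructed for the example; the configured-lifetime dictionary is an assumption matching the 36000-second value used in the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SaTiming:
    protocol: str        # section name in the output, e.g. "IKE" or "IPsec"
    tunnel_id: str       # "Tunnel ID" field for this SA
    rekey_interval: int  # negotiated lifetime in seconds ("Rekey Int (T)")
    rekey_left: int      # seconds until the ASA rekeys this SA ("Rekey Left(T)")


# Section headers ("IKE:", "IPsec:") sit at column 0 with nothing after the colon.
SECTION_RE = re.compile(r"^(\S+):\s*$")
TUNNEL_RE = re.compile(r"Tunnel ID\s*:\s*(\S+)")
# Only the time-based rekey line; "(D)" data-based lines are deliberately ignored.
REKEY_RE = re.compile(
    r"Rekey Int \(T\):\s*(\d+) Seconds\s+Rekey Left\(T\):\s*(\d+) Seconds"
)


def parse_sessiondb(text: str) -> List[SaTiming]:
    """Extract one SaTiming per SA from "show vpn-sessiondb detail"-style text."""
    sas: List[SaTiming] = []
    section = None
    tunnel_id = "?"
    for raw in text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            section, tunnel_id = m.group(1), "?"
            continue
        m = TUNNEL_RE.search(raw)
        if m:
            tunnel_id = m.group(1)
            continue
        m = REKEY_RE.search(raw)
        if m and section:
            sas.append(SaTiming(section, tunnel_id, int(m.group(1)), int(m.group(2))))
    return sas


def lifetime_mismatches(sas: List[SaTiming],
                        configured: Dict[str, int]) -> List[Tuple[str, str, int, int]]:
    """(protocol, tunnel_id, negotiated, configured) for every SA whose negotiated
    lifetime differs from the configured one; a lower negotiated value means the
    peer's proposal, not the ASA's setting, determined the lifetime."""
    return [(sa.protocol, sa.tunnel_id, sa.rekey_interval, configured[sa.protocol])
            for sa in sas
            if sa.protocol in configured and sa.rekey_interval != configured[sa.protocol]]


def rekey_window(lifetime: int, low_pct: int = 5, high_pct: int = 15) -> Tuple[int, int]:
    """Seconds-remaining band in which rekeying is expected to begin
    (5 to 15 percent of the SA lifetime, as stated in the article)."""
    return (lifetime * low_pct // 100, lifetime * high_pct // 100)


def sas_near_rekey(sas: List[SaTiming]) -> List[SaTiming]:
    """SAs whose remaining time has already entered the rekey window; these are
    the sessions to watch when correlating disconnects with rekeying."""
    return [sa for sa in sas if sa.rekey_left <= rekey_window(sa.rekey_interval)[1]]


# Constructed sample in the style of "show vpn-sessiondb detail remote";
# not captured from a real device and not taken from the article.
SAMPLE_SESSIONDB = """\
Session Type: IKE Detailed

Username     : jsmith                 Index        : 12
Assigned IP  : 192.0.2.50             Public IP    : 198.51.100.23
Protocol     : IKE IPsec
IKE:
  Tunnel ID    : 12.1
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Rekey Int (T): 36000 Seconds          Rekey Left(T): 35940 Seconds
IPsec:
  Tunnel ID    : 12.2
  Encapsulation: Tunnel
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3540 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607998 K-Bytes

Username     : amartin                Index        : 14
Assigned IP  : 192.0.2.51             Public IP    : 198.51.100.40
Protocol     : IKE IPsec
IKE:
  Tunnel ID    : 14.1
  Rekey Int (T): 36000 Seconds          Rekey Left(T): 32800 Seconds
IPsec:
  Tunnel ID    : 14.2
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 420 Seconds
"""

# Assumed: lifetimes the administrator configured on the ASA (article's 36000 s).
CONFIGURED_LIFETIMES = {"IKE": 36000, "IPsec": 36000}

if __name__ == "__main__":
    parsed = parse_sessiondb(SAMPLE_SESSIONDB)
    for proto, tid, got, want in lifetime_mismatches(parsed, CONFIGURED_LIFETIMES):
        print(f"{proto} SA {tid}: negotiated {got}s, configured {want}s")
    for sa in sas_near_rekey(parsed):
        print(f"{sa.protocol} SA {sa.tunnel_id} rekeys within {sa.rekey_left}s")
```

Running the script against the sample reports both IPsec SAs as negotiated at 3600 seconds against a configured 36000, while the IKE SAs match, which is exactly the pattern in the case study: the ISAKMP lifetime took effect but the IPsec lifetime did not. Pasting real output from the firewall in place of the constructed sample lets an administrator check every active session at once and see whether a disconnect lines up with an SA entering its rekey window.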

Potential Solutions

Several factors can influence SA lifetime negotiation:

  1. Client-Side Configuration: Windows 7’s built-in VPN client might have its own SA lifetime settings that override the ASA’s configuration. Investigating the client’s VPN connection properties for any relevant settings is crucial.

  2. Conflicting ISAKMP Policies: If multiple ISAKMP policies exist, the client and server might negotiate a policy with a shorter lifetime. Ensure that the desired policy (with the 36000-second lifetime) is prioritized and matches the client’s configuration. Review all ISAKMP policies using show crypto isakmp policy.

  3. NAT-Traversal Issues: While less likely, NAT-traversal configurations can sometimes interfere with SA negotiation. Review the NAT configuration on the ASA and ensure it is properly configured for VPN traffic.

  4. Compatibility Issues: In rare cases, compatibility issues between the Windows 7 VPN client and the specific ASA version could be a factor. Checking for any known compatibility issues or upgrading the ASA firmware to the latest recommended version might resolve the problem.

Conclusion

Resolving SA timing issues requires careful analysis of both the ASA configuration and the client-side settings. By systematically investigating the potential causes outlined above, administrators can pinpoint the root of the problem and implement the necessary adjustments to ensure stable and reliable VPN connections. Remember to thoroughly test any changes before deploying them to production.
