
Quick IPSec Question 1

Status
Not open for further replies.

gregarican (IS-IT--Management), joined Jan 31, 2002, 469 posts, US
I am troubleshooting some connectivity issues we are having with remote sites accessing published Citrix apps across our site VPN. The culprit seems to be networking issues pointing to the remote site that has a Cisco ASA 5505 (version 7.2.3) installed.

Checking the IPSec LAN2LAN tunnel I see Phase I (Main Mode) and Phase II (Quick Mode) keying working fine. There aren't any instances where I see Phase I dropping the entire site VPN tunnel.

My question is would Phase II re-keying cause any active site VPN users to have their application's connection drop? Looking at the syslog file I see the TCP connections from the Cisco internal clients out to the Citrix server's port 2598 being dropped due to the tunnel being torn down (ASA-6-302014). But shortly after that I see new TCP connections from the Cisco internal clients out to the Citrix server's port 2598 being built.

Just checking, because I have Phase II re-keying set to take place every 100 KB / 3600 seconds. If remote site VPN clients can get disconnected each hour that might not be good :-/
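One way to test the suspicion in this post against the ASA syslog, written as an added example rather than anything from the thread: the script below picks out %ASA-6-302014 teardown messages whose reason is the tunnel being torn down, groups them into bursts, and checks whether the gaps between bursts line up with the configured Phase II lifetime. The log lines are constructed to mimic the 302014 format (hosts, connection ids and timestamps are made up; only port 2598 comes from the thread), and the exact layout and reason string matched are assumptions to verify against the real log before trusting the result.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of %ASA-6-302014 / 302013 (not from the
# thread). Addresses, connection ids and timestamps are made up; port 2598 is the
# Citrix CGP port the thread mentions. Three bursts of tunnel-related teardowns
# land roughly an hour apart; one unrelated teardown ends with "TCP FINs".
SAMPLE_LOG = """\
Feb 05 2008 09:00:01 asa-remote %ASA-6-302014: Teardown TCP connection 1001 for outside:10.20.0.5/2598 to inside:192.168.5.11/50122 duration 0:59:40 bytes 8812340 Tunnel has been torn down
Feb 05 2008 09:00:01 asa-remote %ASA-6-302014: Teardown TCP connection 1002 for outside:10.20.0.5/2598 to inside:192.168.5.12/50311 duration 0:48:10 bytes 112233 Tunnel has been torn down
Feb 05 2008 09:00:04 asa-remote %ASA-6-302013: Built outbound TCP connection 1003 for outside:10.20.0.5/2598 (10.20.0.5/2598) to inside:192.168.5.11/50140 (192.168.5.11/50140)
Feb 05 2008 09:31:17 asa-remote %ASA-6-302014: Teardown TCP connection 1003 for outside:10.20.0.5/2598 to inside:192.168.5.11/50140 duration 0:31:13 bytes 4421 TCP FINs
Feb 05 2008 10:00:02 asa-remote %ASA-6-302014: Teardown TCP connection 1004 for outside:10.20.0.5/2598 to inside:192.168.5.12/50377 duration 0:59:58 bytes 99812 Tunnel has been torn down
Feb 05 2008 11:00:00 asa-remote %ASA-6-302014: Teardown TCP connection 1005 for outside:10.20.0.5/2598 to inside:192.168.5.11/50198 duration 0:59:55 bytes 5523410 Tunnel has been torn down
"""

# Assumed layout of the 302014 message; verify against your own syslog.
TEARDOWN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-302014: "
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"\S+:(?P<a>[\d.]+)/(?P<a_port>\d+) to "
    r"\S+:(?P<b>[\d.]+)/(?P<b_port>\d+) "
    r"duration \S+ bytes \d+ (?P<reason>.+)$"
)

TUNNEL_REASON = "Tunnel has been torn down"  # assumed reason text


def tunnel_teardowns(log_text, port=2598, reason=TUNNEL_REASON):
    """Return (timestamp, conn_id, client_ip) for teardowns on `port` caused by
    the tunnel going away; other teardown reasons (FINs, resets) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.match(line)
        if not m or m.group("reason").strip() != reason:
            continue
        if port not in (int(m.group("a_port")), int(m.group("b_port"))):
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, int(m.group("conn")), m.group("b")))
    return events


def cluster_bursts(events, window_s=5):
    """Group teardowns that occur within `window_s` of each other: a rekey
    tears down every flow in the SA at once, so they arrive as a burst."""
    bursts = []
    for ts, _, _ in sorted(events):
        if bursts and (ts - bursts[-1][-1]).total_seconds() <= window_s:
            bursts[-1].append(ts)
        else:
            bursts.append([ts])
    return bursts


def rekey_alignment(bursts, lifetime_s, tolerance_s=60):
    """For each gap between consecutive bursts, report (gap_seconds, aligned)
    where aligned means the gap is within `tolerance_s` of the SA lifetime."""
    report = []
    for prev, cur in zip(bursts, bursts[1:]):
        gap = int((cur[0] - prev[0]).total_seconds())
        report.append((gap, abs(gap - lifetime_s) <= tolerance_s))
    return report


def summarize(log_text, lifetime_s):
    """Count teardowns, bursts, and how many inter-burst gaps match the lifetime."""
    events = tunnel_teardowns(log_text)
    bursts = cluster_bursts(events)
    report = rekey_alignment(bursts, lifetime_s)
    return {
        "teardowns": len(events),
        "bursts": len(bursts),
        "gaps_aligned_with_lifetime": sum(1 for _, aligned in report if aligned),
        "gaps_total": len(report),
    }


if __name__ == "__main__":
    # Against the 3600 s Phase II lifetime from the thread every gap lines up;
    # against 28800 s none does.
    print(summarize(SAMPLE_LOG, 3600))
    print(summarize(SAMPLE_LOG, 28800))
```

If most inter-burst gaps sit within a minute of the configured lifetime, the disconnects are almost certainly rekey-driven rather than random link trouble; if the gaps are scattered, look elsewhere (DPD, idle timeouts, the WAN link) before touching the SA lifetimes.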
 
Rekeying for any VPN has been known to drop certain high priority connections like RDP, Citrix, VOIP, etc. When the rekey occurs, those packets are held until the rekey completes. That could cause a disconnect in an active Citrix session.

IT Security news and information
In plain English
 
Interesting. Currently I have the Phase I rekeying every 8 hours. And Phase II rekeying every hour. The last detailed packet capture I had indicated that during the Phase II rekeying one of the handful of remote clients at the other end was disconnected. I guess it's a balancing act. Rekeying too infrequently could leave risk exposure, while rekeying too often can apparently cause Citrix ICA session drops? Oy vey...
 
Aggressive mode is an option, though I am not a big fan. Also taking precautions on the server, such as increasing the session timeouts, retries, etc. It all depends on how fickle the application is. That's why higher priority protocols don't work well with VPN. Imagine talking to someone on a VOIP phone during a rekey. VOIP is UDP so there is no retry. That packet would just get lost. Citrix servers can be tweaked to "play nice" with VPNs.

IT Security news and information
In plain English
 
I have a SMARTnet agreement with Cisco for this ASA box, so I opened a trouble ticket. The engineer suggested I extend the SA lifetimes. Phase I was bumped out to 86400 seconds (a full day) and Phase II was bumped out to 28800 seconds (8 hours) and 4608000 kilobytes.

Logically thinking, if some TCP connections were dropping during the rekeying process, these measures should at least make these instances more infrequent.

I should know more by tomorrow, since within any given 24 hour timeframe we'd usually see at least 4-5 Citrix ICA session disconnects from these guys. So far it's 4 hours and counting :)
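To see how the before and after settings in this post compare, here is an added example (not the thread's own configuration or anyone's posted code) that parses the lifetime settings out of ASA-style config fragments and works out which trigger, time or volume, expires the Phase II SA first at a given sustained throughput. The fragments are constructed with the values quoted in the thread; the policy number, the proposal lines and the 512 kbps throughput are assumptions.

```python
import re

# Constructed ASA-style configuration fragments (not from the thread). The
# lifetime values are the ones quoted in the thread; policy number and the
# encryption/hash/group lines are assumed for illustration.
BEFORE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 100
"""

AFTER = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
"""

IPSEC_LIFETIME_RE = re.compile(
    r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$"
)


def parse_lifetimes(config):
    """Pull the Phase I (isakmp policy) lifetime and the Phase II time and
    volume lifetimes out of an ASA-style config. Indented lines belong to the
    preceding 'crypto isakmp policy' block."""
    out = {"isakmp_seconds": None, "ipsec_seconds": None, "ipsec_kilobytes": None}
    in_policy = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and line.startswith(" "):
            m = re.match(r"\s+lifetime (\d+)$", line)
            if m:
                out["isakmp_seconds"] = int(m.group(1))
            continue
        in_policy = False
        m = IPSEC_LIFETIME_RE.match(line)
        if m:
            out["ipsec_" + m.group(1)] = int(m.group(2))
    return out


def effective_rekey_interval(lifetimes, bits_per_second):
    """Seconds until the Phase II SA expires at a sustained throughput, and
    which limit fired. The volume limit is checked because a small kilobyte
    value can force rekeys far more often than the time limit suggests."""
    time_limit = lifetimes["ipsec_seconds"]
    volume_limit = lifetimes["ipsec_kilobytes"] * 1024 * 8 / bits_per_second
    if volume_limit < time_limit:
        return volume_limit, "kilobytes"
    return float(time_limit), "seconds"


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        lt = parse_lifetimes(cfg)
        interval, trigger = effective_rekey_interval(lt, 512_000)  # 512 kbps assumed
        print(f"{label}: {lt} -> rekey every {interval:.1f} s (limit: {trigger})")
```

With the thread's original values the 100 KB volume limit would dominate at any realistic throughput, so the hourly figure understates how often Phase II actually rekeys; with the values adopted after the TAC call, the 28800 s time limit is what expires first at 512 kbps.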
 
So far so good. It's been over 24 hours now with no idle Citrix ICA disconnects. What a relief.

It's funny that the Microsoft published best practices for an ISA<-->ASA/PIX site VPN had the SA lifetimes set so short. Apparently changing these to the Cisco published recommendations was the fix I needed!
 