AWS VPC Drops Cisco ASA VPN link
Posted: September 15, 2015
We have a VPN link into AWS; we have not really used it in anger, but we are now trialling a cool bit of replication technology.
This involves replicating the full server into the cloud, see www.cloudendure.com
Well, everything works in terms of the software, but my link kept dropping. Well, this is not strictly true: the link was up, but no data would traverse the link!
After speaking to AWS support, they pointed me... well, they did not really point me in any direction :).
So to Google I went. There was nothing really about AWS and the ASA configuration or the issues you may have, only how to debug it and get it working: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_Troubleshooting.html
Nothing on why it suddenly stops. I then stumbled upon this post,
which then pointed me in the direction of the SA lifetime configuration. After then finding https://community.spiceworks.com/topic/764490-what-is-security-association-lifetime-cisco-site-to-site-vpn I concluded that there is a bug in the IOS and that, because of the amount of data traversing the link, the timeout was being reached and not renewing.
You therefore need to configure the time-based lifetime so that it expires before the data-based limit is reached.
For me this was 10 minutes, with the data limit set to 2147483647. I found that setting this to 3 minutes just interrupted the whole transfer, so I settled for 10.
So the lines in my config were:
    crypto map amzn-vpn-map 1 set security-association lifetime seconds 600
    crypto map amzn-vpn-map 1 set security-association lifetime kilobytes 2147483647
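As an added illustration (not from the original post), the following Python models which of the two IPsec SA lifetime limits an ASA hits first at a sustained throughput, and generalises to the crossover throughput above which the data limit always fires before the timer. The ASA defaults of 28800 seconds and 4608000 kilobytes come from Cisco documentation rather than the post, and a 1024-byte kilobyte is an assumption.

```python
from dataclasses import dataclass

# The ASA counts IPsec SA traffic in kilobytes; 1024 bytes per KB is an assumption.
KB_BYTES = 1024


@dataclass(frozen=True)
class SaLifetime:
    """IPsec SA lifetime: the SA is rekeyed when either limit is reached."""
    seconds: int
    kilobytes: int


# ASA defaults from Cisco documentation (not stated in the post).
ASA_DEFAULT = SaLifetime(seconds=28800, kilobytes=4608000)
# The values the post settles on for the AWS tunnel.
POST_SETTING = SaLifetime(seconds=600, kilobytes=2147483647)


def rekey_trigger(lifetime: SaLifetime, throughput_mbps: float) -> tuple:
    """Return ("time" | "data", seconds until rekey) for a sustained
    throughput in Mbit/s: whichever limit is reached first wins."""
    if throughput_mbps <= 0:
        return "time", float(lifetime.seconds)
    kb_per_second = throughput_mbps * 1_000_000 / 8 / KB_BYTES
    seconds_to_data_limit = lifetime.kilobytes / kb_per_second
    if seconds_to_data_limit < lifetime.seconds:
        return "data", seconds_to_data_limit
    return "time", float(lifetime.seconds)


def data_limit_crossover_mbps(lifetime: SaLifetime) -> float:
    """Sustained throughput above which the data limit fires before the timer."""
    return lifetime.kilobytes * KB_BYTES * 8 / lifetime.seconds / 1_000_000


def asa_config_lines(map_name: str, seq: int, lifetime: SaLifetime) -> list:
    """Render the two crypto map commands the post uses for these values."""
    prefix = f"crypto map {map_name} {seq} set security-association lifetime"
    return [f"{prefix} seconds {lifetime.seconds}",
            f"{prefix} kilobytes {lifetime.kilobytes}"]


if __name__ == "__main__":
    for name, lt in (("ASA default", ASA_DEFAULT), ("post setting", POST_SETTING)):
        trigger, secs = rekey_trigger(lt, 100.0)  # a 100 Mbit/s replication stream
        print(f"{name}: {trigger} limit after {secs:.0f}s at 100 Mbit/s; "
              f"data limit wins above {data_limit_crossover_mbps(lt):.2f} Mbit/s")
    print("\n".join(asa_config_lines("amzn-vpn-map", 1, POST_SETTING)))
```

With the defaults, any sustained rate above roughly 1.3 Mbit/s makes the rekey data-driven, which is why a bulk replication stream keeps tripping it; the post's values push that crossover to about 29 Gbit/s, so the 600 second timer always wins.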