Cisco ASA Site-to-Site IPSec VPN Drops Traffic When SA kB Lifetime Reaches Zero (Bug CSCtq57752)
A site-to-site IPSec VPN on a Cisco ASA running 8.6.1 shows the tunnel as up but stops passing traffic for an affected subnet under heavy load. The outbound Security Association's remaining key lifetime in kilobytes hits zero and fails to rekey due to Cisco bug CSCtq57752. Resolution is to upgrade to ASA 8.6.1(5) or later, or apply a workaround forcing time-based rekey before the data volume threshold is reached.
Indicators
- Site-to-site VPN tunnel shows as up but does not pass traffic for a specific protected subnet
- Traffic loss correlates with periods of heavy data transfer through the tunnel
- 'show crypto ipsec sa' shows outbound SA 'remaining key lifetime (kB/sec)' kB value at 0 (e.g., 0/14678)
- Anti-replay bitmap on the outbound SA shows minimal activity (0x00000000 0x00000001)
- Issuing 'clear ipsec sa' or 'clear crypto ipsec sa peer <peer-ip>' temporarily restores traffic flow
- SA fails to rekey automatically when the data (kB) lifetime reaches zero
Likely causes
- Cisco ASA software defect CSCtq57752 affecting ASA 8.6.1
- IPSec outbound SA kilobyte lifetime reaches zero before the seconds-based lifetime expires
- Rekey triggered by data volume (kB) rather than time, exposing the bug
- High-throughput tunnels depleting the kB counter quickly relative to the seconds counter
Diagnostic steps
- Run 'show crypto ipsec sa' on the ASA and inspect 'sa timing: remaining key lifetime (kB/sec)' for both inbound and outbound SAs on the affected peer
- Identify whether the outbound SA shows 0 kB remaining while the seconds value is still non-zero: this is the signature of the bug
- Check the ASA software version with 'show version' and compare it against the versions affected by bug CSCtq57752 (notably 8.6.1)
- Temporarily restore connectivity by issuing 'clear crypto ipsec sa peer <peer-ip>' and confirm that traffic resumes through the tunnel
- Monitor the SA over time to confirm the issue recurs as the kB lifetime depletes again, validating the rekey-failure pattern
- Review the Cisco Bug Search Tool entry for CSCtq57752 to confirm the fixed-in releases applicable to your platform
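As an added example (not from the original page and not a Cisco tool), a small Python parser that runs over a constructed excerpt of 'show crypto ipsec sa' output and flags outbound SAs that match the signature described in the steps above: 0 kB remaining while the seconds counter is still non-zero. The peer address and SPI values are made up.

```python
import re

# Constructed excerpt of 'show crypto ipsec sa' output (not a real capture):
# one inbound SA with a healthy kB lifetime and one outbound SA whose kB
# counter has reached zero while its seconds counter is still running.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.1
    inbound esp sas:
      spi: 0x8BD1E4A2 (2345690274)
         sa timing: remaining key lifetime (kB/sec): (4374000/14678)
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x1F4C6A9E (525363870)
         sa timing: remaining key lifetime (kB/sec): (0/14678)
         Anti replay bitmap:
          0x00000000 0x00000001
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")

def parse_ipsec_sas(text):
    """Return one dict per SA: peer, direction, spi, kb_left, sec_left."""
    sas, peer, direction, spi = [], None, None, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer = m.group(1)            # applies to the SAs that follow
        elif m := DIR_RE.match(line):
            direction = m.group(1)       # 'inbound' or 'outbound' section
        elif m := SPI_RE.search(line):
            spi = m.group(1)
        elif m := LIFE_RE.search(line):
            sas.append({"peer": peer, "direction": direction, "spi": spi,
                        "kb_left": int(m.group(1)), "sec_left": int(m.group(2))})
    return sas

def stuck_outbound_sas(sas):
    """Flag the CSCtq57752 pattern: outbound SA at 0 kB with seconds remaining."""
    return [sa for sa in sas if sa["direction"] == "outbound"
            and sa["kb_left"] == 0 and sa["sec_left"] > 0]

if __name__ == "__main__":
    for sa in stuck_outbound_sas(parse_ipsec_sas(SAMPLE_OUTPUT)):
        print(f"peer {sa['peer']} outbound spi {sa['spi']}: 0 kB left, "
              f"{sa['sec_left']} sec left -> clear crypto ipsec sa peer {sa['peer']}")
```

Feed it the real command output captured from the ASA instead of SAMPLE_OUTPUT to check every peer at once.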
Resolution path
- Use 'clear crypto ipsec sa peer <peer-ip>' as an immediate mitigation to restore traffic
- Schedule a maintenance window for the ASA
- Upgrade the Cisco ASA image to version 8.6.1(5), or a later release that contains the fix for CSCtq57752
- If immediate upgrade is not possible, apply the workaround so the seconds lifetime expires before the kB threshold
- Configure: 'crypto map <YOUR-CRYPTO-MAP-ID> set security-association lifetime seconds 3600'
- Configure: 'crypto map <YOUR-CRYPTO-MAP-ID> set security-association lifetime kilobytes 2147483647'
- Clear the existing SA and verify with 'show crypto ipsec sa' that the SAs now rekey based on time before kB approaches zero
- Monitor the tunnel through the next several rekey cycles to confirm stable behaviour
Prevention
- Keep ASA software current with vendor-recommended maintenance releases and avoid known-defective trains
- Tune IPSec SA lifetimes so seconds-based rekey triggers before the kilobytes-based rekey on high-throughput tunnels
- Set kilobytes lifetime to the maximum (2147483647) on tunnels affected by similar rekey bugs
- Periodically review 'show crypto ipsec sa' output to track rekey behaviour and SA freshness
- Check the Cisco Bug Search Tool for known IPSec/VPN issues before deploying or upgrading ASA software versions
- Implement monitoring/alerting on tunnel traffic counters so silent data-plane failures are detected before user impact
Tools
- Cisco ASA CLI ('show crypto ipsec sa', 'show version')
- 'clear crypto ipsec sa peer' command
- Crypto map configuration commands
- Cisco Bug Search Tool
- Maintenance window / change control process