Amazon VPN and Broken Pipe errors

I run a VPC on Amazon and have a VPN connection to my office network using a Cisco ASA firewall.  My team keeps getting their SSH connections dropped with “Write failed: Broken pipe” at quite frequent intervals.  Since this doesn’t happen when we connect directly to VPC instances, I set out to investigate.

Helpful commands (run on the ASA):

debug crypto condition peer IPADDRESS    (limits the crypto debug output to the given VPN endpoint)
debug crypto ipsec 7
debug crypto isakmp 7

I found that the Amazon Virtual Private Gateway frequently doesn’t answer the ASA’s dead peer detection (DPD) queries!  The ASA then decides the peer is gone, terminates the VPN session with “Lost Service”, and starts a new session.  If you see “Received encrypted packet with no matching SA, dropping” in your ASA logs, the same problem could be the culprit.
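To confirm this pattern from the ASA syslog rather than from a live debug session, here is an added example (not part of the original post, and not a Cisco or Amazon tool) that scans log lines for the two messages quoted above, counts “Lost Service” disconnects per peer, and flags peers whose tunnel is torn down repeatedly within a short interval. The sample log lines, timestamps, peer addresses and syslog message IDs are constructed for the example; the script keys only on the message text from the post, so it does not depend on the exact ID numbers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ASA syslog excerpt (approximate format). The Amazon VGW
# peer is 198.51.100.5; 192.0.2.77 is another site dropped for a benign reason.
SAMPLE_LOG = """\
Jun 01 2013 10:00:01 asa1 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.10 and 198.51.100.5 (user= 198.51.100.5) has been created.
Jun 01 2013 10:12:41 asa1 %ASA-4-113019: Group = 198.51.100.5, Username = 198.51.100.5, IP = 198.51.100.5, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:12m:40s, Bytes xmt: 1049, Bytes rcv: 3092, Reason: Lost Service
Jun 01 2013 10:12:42 asa1 %ASA-5-713904: IP = 198.51.100.5, Received encrypted packet with no matching SA, dropping
Jun 01 2013 10:12:43 asa1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.5/22 to inside:10.0.0.12/51022 duration 0:12:30 bytes 8812 TCP Reset-O
Jun 01 2013 10:31:05 asa1 %ASA-4-113019: Group = 198.51.100.5, Username = 198.51.100.5, IP = 198.51.100.5, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:18m:20s, Bytes xmt: 2201, Bytes rcv: 5410, Reason: Lost Service
Jun 01 2013 10:31:06 asa1 %ASA-5-713904: IP = 198.51.100.5, Received encrypted packet with no matching SA, dropping
Jun 01 2013 10:45:00 asa1 %ASA-4-113019: Group = 192.0.2.77, Username = 192.0.2.77, IP = 192.0.2.77, Session disconnected. Session Type: LAN-to-LAN, Duration: 3h:02m:11s, Bytes xmt: 90210, Bytes rcv: 77701, Reason: User Requested
Jun 01 2013 10:50:17 asa1 %ASA-4-113019: Group = 198.51.100.5, Username = 198.51.100.5, IP = 198.51.100.5, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:19m:10s, Bytes xmt: 1877, Bytes rcv: 4003, Reason: Lost Service
"""

# Leading "Mon DD YYYY HH:MM:SS" timestamp as written by the ASA logging format.
TS_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
# Session torn down because DPD got no answer ("Lost Service" in the post).
LOST_SERVICE_RE = re.compile(r"IP = (\S+?),.*Reason: Lost Service")
# Encrypted traffic arriving for an SA the ASA has already deleted.
NO_SA_RE = re.compile(
    r"(?:IP = (\S+?),\s*)?Received encrypted packet with no matching SA, dropping"
)


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if it has none."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S") if m else None


def analyze(log_text, short_gap=timedelta(minutes=30)):
    """Count, per peer, Lost Service drops, no-matching-SA drops, and how
    many drops followed the previous one within `short_gap` (a flapping tunnel)."""
    stats = defaultdict(lambda: {"lost_service": 0, "no_matching_sa": 0, "short_gaps": 0})
    last_drop = {}
    for line in log_text.splitlines():
        ts = parse_ts(line)
        m = LOST_SERVICE_RE.search(line)
        if m:
            peer = m.group(1)
            stats[peer]["lost_service"] += 1
            prev = last_drop.get(peer)
            if prev is not None and ts is not None and ts - prev < short_gap:
                stats[peer]["short_gaps"] += 1
            last_drop[peer] = ts
            continue
        m = NO_SA_RE.search(line)
        if m:
            stats[m.group(1) or "unknown"]["no_matching_sa"] += 1
    return dict(stats)


def suspect_dpd_peers(stats, min_drops=2):
    """Peers dropped for Lost Service at least `min_drops` times, with at
    least one short gap between drops: the signature described in the post."""
    return sorted(
        peer for peer, s in stats.items()
        if s["lost_service"] >= min_drops and s["short_gaps"] >= 1
    )


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for peer, s in sorted(result.items()):
        print(f"{peer}: {s}")
    print("suspect DPD peers:", suspect_dpd_peers(result))
```

Point the script at an exported ASA syslog instead of `SAMPLE_LOG` to check your own tunnel; a peer that shows up in `suspect_dpd_peers` while other site-to-site peers do not is the case where trying `isakmp keepalive disable` on that tunnel-group makes sense.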

Put “isakmp keepalive disable” in the tunnel-group config for that VPN and see if it fixes your issue.  You will have to reset the connection for the change to take effect.

NOTE: On the Cisco ASA, keepalives are enabled by default.  If you don’t have an “isakmp keepalive disable” line, the default settings are in effect, which are “threshold 10 retry 2”.
