I run a VPC on Amazon and have a VPN connection to my office network using a Cisco ASA firewall. My team keeps getting their SSH connections dropped with “Write failed: Broken pipe” at quite frequent intervals. Since this doesn’t happen when we connect directly to VPC instances, I set out to investigate.
debug crypto condition peer IPADDRESS <- limit your crypto debug output to a given vpn endpoint
debug crypto ipsec 7
debug crypto isakmp 7
I found that the Amazon Virtual Private Gateway frequently doesn’t answer the dead peer detection queries! Cisco decides to terminate the VPN session with “Lost Service”, and starts a new session. If you see “Received encrypted packet with no matching SA, dropping” in your ASA logs, this could also be the culprit.
Put “isakmp keepalive disable” in your tunnel-group config and see if it fixes your issue. You will have to reset your connection.
NOTE: On the Cisco ASA keepalives are enabled by default. If you don’t have an “isakmp keepalive disable” then the default settings will be in effect, which is threshold 10 retry 2