<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: VPN tunnel down due to no traffic in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030948#M916184</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Roni,&lt;/P&gt;&lt;P&gt;  Check the interesting traffic ACL in site A and make sure the traffic from that particular VLAN to remote site is defined.&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 23 Jul 2008 12:10:23 GMT</pubDate>
    <dc:creator>Alan Huseyin Kayahan</dc:creator>
    <dc:date>2008-07-23T12:10:23Z</dc:date>
    <item>
      <title>VPN tunnel down due to no traffic</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030947#M916181</link>
      <description>&lt;P&gt;I have a VPN tunnel (over the Internet) between two of our sites. This morning access from site A to site B was down, but only for one particular vlan. The tunnel was still up, vlans in site A were able to communicate with vlans in site B with the exception of one vlan in site B. Site A was unable to ping this vlan on site B. However, as soon as I ran an extended ping from the core switch of site B from that particular vlan, the communication for that vlan was suddenly established.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This tunnel has been up for at least 7 months now and I never had this issue.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am thinking that the tunnel will only be up if traffic is initiated from site B, is that possible?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 13:18:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030947#M916181</guid>
      <dc:creator>ronshuster</dc:creator>
      <dc:date>2019-03-11T13:18:46Z</dc:date>
    </item>
    <item>
      <title>Re: VPN tunnel down due to no traffic</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030948#M916184</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Roni,&lt;/P&gt;&lt;P&gt;  Check the interesting traffic ACL in site A and make sure the traffic from that particular VLAN to remote site is defined.&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Jul 2008 12:10:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030948#M916184</guid>
      <dc:creator>Alan Huseyin Kayahan</dc:creator>
      <dc:date>2008-07-23T12:10:23Z</dc:date>
    </item>
    <item>
      <title>Re: VPN tunnel down due to no traffic</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030949#M916187</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In fact the first thing I checked is to ensure the ACL is still there.  Nothing changed on that end, again, as soon as I initiated traffic from site B from that vlan (using an extended ping from the switch), it all came up.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am 100% certain that the config did not change as I am the only person who has access to this equipment. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Jul 2008 12:14:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030949#M916187</guid>
      <dc:creator>ronshuster</dc:creator>
      <dc:date>2008-07-23T12:14:24Z</dc:date>
    </item>
    <item>
      <title>Re: VPN tunnel down due to no traffic</title>
      <link>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030950#M916191</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; 1) It is a possibility that you may have been running with a missing interesting traffic statement for months, and the remote site or a host defined in your interesting traffic was initiating the traffic, but not that particular VLAN.&lt;/P&gt;&lt;P&gt; 2) Another possibility is, an initiation might have been started by your site first, and an SA negotiation got hung due to x factors, and now whenever your site tries an initiation, that active SA is used for rekeying. Reloading the device or clearing all active isakmp and IPSEC SAs may resolve the issue.&lt;/P&gt;&lt;P&gt; 3) The last possibility for cases in which one end can initiate but the other end can't is an isakmp or ipsec security-association lifetime mismatch. Maybe you did not change it but the remote end might have done.&lt;/P&gt;&lt;P&gt;  If you have access to ASDM running syslog, set the ASDM logging level to 5, then try initiating traffic from that VLAN. If you see a single blue line (I can't remember the phrase), that indicates case 2 above. If nothing happens, that means an interesting traffic issue.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Jul 2008 12:34:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-tunnel-down-due-to-no-traffic/m-p/1030950#M916191</guid>
      <dc:creator>Alan Huseyin Kayahan</dc:creator>
      <dc:date>2008-07-23T12:34:15Z</dc:date>
    </item>
  </channel>
</rss>

