I have a strange problem here. We have a site to site VPN from a branch office to our head office. In the branch office we use a Cisco ASA 5510 9.1(3) and in the head office we use a Cisco ASA 5516 9.6(1). We have some networks here which go through the tunnel. Three are normal networks and one is the DMZ. Since a couple of weeks we have a problem with the DMZ part of the tunnel. The branch office can't connect to DMZ servers in the head office. When I do a ping from the branch server to a DMZ server I get a request timeout. If I do a ping from a DMZ server to the branch office server the first ping has a timeout and then it goes into the tunnel and gives replies. The other networks that go through the tunnel don't have this issue. I have seen in other posts something about sysopt connection preserve-vpn-flows. Both ASA units already have this configured.
Has anyone seen this behavior before?
I have made a temporary fix for this on the DMZ server to start a ping every 10 minutes to the branch office server to keep this network part of the VPN open.
Agree that this sounds like a lifetime mismatch between the two sides.
For the lifetime settings we would need to see the crypto map configuration and the tunnel-group configuration of both sides of the VPN. It would also be good to see the output of show crypto ipsec sa peer xxx.xxx.xxx.xxx (where xxx.... is the IP address of the remote VPN peer).
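The lifetime check the reply is asking for, as an added example that is not part of the original thread: a constructed pair of ASA crypto map and tunnel-group entries for the head office and branch peers with the IPsec SA lifetimes stated explicitly and identically on both sides, followed by the show command used to confirm what was actually negotiated. Peer addresses, subnets, map and ACL names, and the pre-shared key are placeholders.

```cisco
! Head office ASA 5516 (addresses, names and ACLs are constructed placeholders)
! Both peers must carry a mirror image of the interesting-traffic ACL, DMZ subnet included.
access-list acl-vpn-branch extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list acl-vpn-branch extended permit ip 172.16.50.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address acl-vpn-branch
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
! Explicit lifetimes: keep these identical on both peers (28800 s / 4608000 kB are the ASA defaults)
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
sysopt connection preserve-vpn-flows
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

! Branch office ASA 5510: mirrored ACL, same transform set, same lifetimes
access-list acl-vpn-hq extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list acl-vpn-hq extended permit ip 10.20.0.0 255.255.0.0 172.16.50.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address acl-vpn-hq
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
sysopt connection preserve-vpn-flows
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

! Verify on each side. With IKEv1 each ACL line negotiates its own IPsec SA pair, so
! look for the entry whose local/remote ident is the DMZ subnet and compare its
! "sa timing: remaining key lifetime (kB/sec)" values between the two peers.
show crypto ipsec sa peer 198.51.100.20
```

If the DMZ entry is missing on one side or its remaining lifetime counters differ from the other subnets, that is the mismatch to reconcile; the other three networks working normally means the ACLs and transform set for those lines already agree.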