Welcome to Cisco Firewalls Community

Beginner

ASA Site to Site VPN network dropping.

Hi,

I have a strange problem here. We have a site-to-site VPN from a branch office to our head office. In the branch office we use a Cisco ASA 5510 running 9.1(3) and in the head office we use a Cisco ASA 5516 running 9.6(1). We have some networks here which go through the tunnel. Three are normal networks and one is the DMZ. For a couple of weeks we have had a problem with the DMZ part of the tunnel. The branch office can't connect to DMZ servers in the head office. When I do a ping from the branch server to a DMZ server I get a request timeout. If I do a ping from a DMZ server to the branch office server, the first ping times out and then it goes into the tunnel and gets replies. The other networks that go through the tunnel don't have this issue. I have seen in other posts something about sysopt connection preserve-vpn-flows. Both ASA units already have this configured.

Has anyone seen this behavior before?

I have made a temporary fix for this on the DMZ server: it starts a ping every 10 minutes to the branch office server to keep this network part of the VPN open.

3 REPLIES
RJI, VIP Advocate

Re: ASA Site to Site VPN network dropping.

Hi,
It sounds like the tunnel lifetime timer expires, clearing the IPsec SAs between the DMZ network and the branch's, which is normal if no traffic is sent or received. As to why the tunnel can only be brought up when traffic is initiated from the DMZ, this could be because the VPN on the branch is configured to respond/answer only rather than initiate. If you could provide the configuration of both devices we should be able to determine the cause.

HTH
Beginner

Re: ASA Site to Site VPN network dropping.

Hi,

Which section of the config do you need?

Regards.
VIP Advocate

Re: ASA Site to Site VPN network dropping.

Agree that this sounds like a lifetime mismatch between the two sides.

For the lifetime settings we would need to see the crypto map configuration and the tunnel-group configuration of both sides of the VPN. It would also be good to see the output of show crypto ipsec sa peer xxx.xxx.xxx.xxx (where xxx.... is the IP address of the remote VPN peer).

--
Please remember to rate and select a correct answer
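As an added illustration (not configuration from this thread, from the original poster, or from Cisco documentation), here is the head-office side of such a tunnel with the settings the two replies ask to check: the crypto map's SA lifetimes and connection type, and the tunnel-group's IKE attributes. Peer address, subnets, object names and lifetime values are assumptions; the branch ASA needs a mirror-image crypto ACL and identical lifetimes for the SAs to rekey cleanly in either direction.

```cisco
! Constructed example for the head-office ASA. All addresses and names
! are assumptions, not taken from the thread.
!
! --- Suspect settings (branch peer can only answer, lifetime differs) ---
! crypto map outside_map 10 set connection-type answer-only
! crypto map outside_map 10 set security-association lifetime seconds 3600
!
! --- Checked settings: either peer may initiate, lifetimes explicit ---
! Crypto ACL: the DMZ subnet (172.16.50.0/24) must be listed alongside
! the three ordinary networks, and mirrored on the branch ASA.
access-list VPN-TO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list VPN-TO-BRANCH extended permit ip 172.16.50.0 255.255.255.0 10.2.0.0 255.255.255.0
!
crypto map outside_map 10 match address VPN-TO-BRANCH
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 10 set connection-type bidirectional
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
!
! Phase 1 lifetime must also be identical on the branch ASA.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Dead-peer detection so a peer that silently dropped the SA is noticed.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 2
!
! Already present on both units according to the original post.
sysopt connection preserve-vpn-flows
```

Compare the "remaining key lifetime" lines in show crypto ipsec sa peer 203.0.113.10 on both ASAs; if one side rekeys much earlier than the other, the lifetimes above are where the mismatch lives.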