ASA 5512-x ipsec drop

mikhailov.ivan
Level 1

Hi everyone. I have a problem: 2 ASA 5512-X in failover and dual-WAN mode. The 5512 has 15 IPsec tunnels configured with ASA 5505s and 1 with a RouterBoard (MikroTik) for testing. The software version on the 5512-X is asa912-smp-k8.bin, and on the 5505 asa901-k8.bin. There is a periodic break of all connections (when working through ASDM I see a message that the connection with the firewall module was lost), and all tunnels break off and are recreated, AnyConnect too. The transport level stops before recovery (ICMP lost). Limits on time and traffic are unlimited (from the 5512). The drops begin at the start of the working day, but at night the tunnels are stable and work for around 15 hours. It happens randomly, about once an hour, sometimes every 1.5 hours, sometimes every 30 minutes. The connection to the RouterBoard breaks off as well. It was noted that the breaks coincide with surges of scanning attacks, but the counters do not reach the stated thresholds. The ASA 5512 is not highly loaded. Has anyone had similar problems? Maybe updating the software will solve the problem. Thanks

Here is part of the IPsec config from the 5512:

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
interim-accounting-update
reactivation-mode depletion deadtime 5
max-failed-attempts 1

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set sha-3des esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime kilobytes unlimited
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes unlimited
crypto map ISP1_map 1 match address ISP1_cryptomap_12
crypto map ISP1_map 1 set peer 1.1.1.1
crypto map ISP1_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ISP1_map 1 set security-association lifetime kilobytes unlimited
crypto map ISP1_map 2 match address ISP1_cryptomap_1
crypto map ISP1_map 2 set peer 2.2.2.2
crypto map ISP1_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ISP1_map 2 set security-association lifetime kilobytes unlimited
crypto map ISP1_map 3 match address ISP1_cryptomap_2
crypto map ISP1_map 3 set peer 3.3.3.3
crypto map ISP1_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ISP1_map 3 set security-association lifetime kilobytes unlimited
crypto map ISP1_map 4 match address ISP1_cryptomap_3
crypto map ISP1_map 4 set peer 185.77.242.78
crypto map ISP1_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ISP1_map 4 set security-association lifetime kilobytes unlimited

crypto map ISP1_map 14 match address ISP1_cryptomap_14
crypto map ISP1_map 14 set peer 14.14.14.14
crypto map ISP1_map 14 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ISP1_map 14 set security-association lifetime kilobytes unlimited
crypto map ISP1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ISP1_map interface ISP1
crypto map ISP1_map interface ISP2
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=R1
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca ...
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate ...

quit
crypto isakmp disconnect-notify
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable ISP1
crypto ikev2 enable ISP2
crypto ikev1 enable ISP1
crypto ikev1 enable ISP2
crypto ikev1 limit max-in-negotiation-sa 30
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 160
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
!

no threat-detection basic-threat
threat-detection statistics host
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 111
webvpn
port 443
enable ISP1
enable ISP2
dtls port 443
anyconnect-essentials
anyconnect image disk0:/
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy GroupPolicy_Remote_VPN internal
group-policy GroupPolicy_Remote_VPN attributes
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-ACL-Rvpn
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1

vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1

tunnel-group Remote_VPN type remote-access
tunnel-group Remote_VPN general-attributes
address-pool Remote_VPN
authentication-server-group Radius1 LOCAL
default-group-policy GroupPolicy_Remote_VPN
tunnel-group Remote_VPN webvpn-attributes
group-alias Remote_VPN enable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous

: end
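An added example, not from the poster or from Cisco: a small Python lint that walks an ASA config in the shape of the one quoted above (sub-commands indented by one space, as the ASA prints them) and reports the settings a defender would review first while troubleshooting: legacy transform-set and IKE policy algorithms, the unlimited volume-based SA lifetime, and basic threat detection being disabled. The embedded config excerpt is a constructed, shortened version of the post's config, and the script does not claim any of these causes the drops.

```python
# Constructed, shortened excerpt in the shape of the config quoted in the post.
# Real ASA output indents sub-commands by one space; that is what the parser keys on.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime kilobytes unlimited
crypto ikev1 policy 170
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
no threat-detection basic-threat
"""

WEAK_ENC = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}  # MODP groups below 2048 bits


def audit_asa_crypto(config):
    """Return (context, issue) pairs for legacy crypto and risky defaults."""
    findings, block = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if not raw.startswith(" "):  # top-level command: starts a new block
            block = line
            if line.startswith("crypto ipsec ikev1 transform-set"):
                for w in words[5:]:  # esp-<cipher> esp-<hmac> (or "mode transport")
                    if w in WEAK_ENC | WEAK_HASH:
                        findings.append((block, f"weak transform {w}"))
            elif line == "crypto ipsec security-association lifetime kilobytes unlimited":
                findings.append((block, "no volume-based IPsec SA rekey"))
            elif line == "no threat-detection basic-threat":
                findings.append((block, "basic threat detection disabled"))
            continue
        key, vals = words[0], words[1:]  # sub-command inside a policy/proposal block
        if key == "protocol" and len(words) > 3:  # "protocol esp encryption|integrity ..."
            key, vals = words[2], words[3:]
        if key in ("encryption", "hash", "integrity"):
            findings += [(block, f"weak {key} {v}") for v in vals if v in WEAK_ENC | WEAK_HASH]
        elif key == "group":
            findings += [(block, f"DH group {v} below 2048 bits") for v in vals if v in WEAK_DH]
    return findings


if __name__ == "__main__":
    for context, issue in audit_asa_crypto(SAMPLE_CONFIG):
        print(f"{issue:40s} <- {context}")
```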

1 Reply

Rahul Govindan
VIP Alumni

Difficult to say what would be causing this without any logs/debugs from the time of the issue. Looking at your versions, you are pretty much on the base versions for both the ASA 5512 and the 5505. You might want to upgrade in any case to avoid any bugs. Bugs usually pop up during the first major/minor releases and are fixed in the interim releases that come afterwards.
