08-09-2018 07:06 AM - edited 02-21-2020 08:05 AM
Hi everyone,
I am currently out of ideas and in a bad situation.
We have had around 10 IPsec site-to-site VPNs with our clients and our offices for a long time (months or years).
We also have some users remotely connected from their homes.
For a couple of days, every day between 10:00 and 15h00 (French time), some of them go down for a few seconds and come back up at the same time. Users and site-to-site.
Many times every day.
My ISP has rebooted the CP.
I have checked many times the differences between the tunnels which stay up and those which go down.
Nothing.
The only weird thing is that I have "NAT/PAT pool exhausted" in the logs.
If I do
show conn count
I get: 3272 in use, 65913 most used
When tunnels go down, I have this message in the logs:
deny esp reverse path check on interface outside
Any ideas?
Thanks
G.
08-09-2018 10:03 PM
If the ASA receives a packet on an interface and the ASA's routing table has that subnet/route on another interface, reverse path checking will drop it.
I suspect you have a routing issue/flapping route; check the routing table first.
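An added example, not part of the original thread or of the reply above: a minimal model of the strict reverse path check that reply describes, showing how a flapping route turns ESP packets from a VPN peer into drops on the outside interface. The addresses, route tables and function names are constructed for illustration; this is not ASA code.

```python
import ipaddress

def lookup(routes, addr):
    """Longest-prefix match: interface the table would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best_net, best_if = None, None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if  # None when no route covers addr

def rpf_permits(routes, src, ingress_if):
    """Strict reverse path check: the route back to src must point out ingress_if."""
    return lookup(routes, src) == ingress_if

def replay(timeline):
    """Apply the check to each (routes, src, ingress_if) step; return verdicts."""
    return ["permit" if rpf_permits(r, s, i) else "deny" for r, s, i in timeline]

# Constructed sample data (documentation address range, hypothetical names).
PEER = "198.51.100.10"  # remote VPN peer sending ESP
STABLE = [("0.0.0.0/0", "outside"), ("10.0.0.0/8", "inside")]
# Same table after a flap: a more specific route to the peer's subnet
# now points at a different interface.
FLAPPED = STABLE + [("198.51.100.0/24", "inside")]

if __name__ == "__main__":
    steps = [(STABLE, PEER, "outside"),
             (FLAPPED, PEER, "outside"),
             (STABLE, PEER, "outside")]
    for verdict in replay(steps):
        print(f"esp from {PEER} on outside: {verdict}")
```

The middle step is the short window in which the tunnel drops: the peer has not changed, only the interface the routing table associates with its address.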
08-10-2018 05:04 AM
After another reboot of the 2 units (active and standby) no disconnections this morning.
Keep going and cross fingers.