
IPSEC interoperability between PAN and Cisco 5510 ASA

Hi,

We have a Site A with a Palo Alto (PAN) firewall and a Site B with a Cisco ASA 5510. An IPsec tunnel is built between these 2 sites.

On certain occasions, the ISP B network is up, but the users are experiencing no internet in Site B. As it is only a single link, the only thing we did was reboot the ASA appliance, and the users were able to access the internet again.

On the PAN firewall side, there is a constant ping and monitoring (DPD) to the ASA. Applications like Outlook and AD servers are constantly exchanging/syncing AD information, etc. It looks like there is no VPN idle timeout for traffic traversing the VPN tunnel.

I am confused and curious to know what is happening during these periods of internet outage experienced by users at Site B, which has the ASA firewall as its default gateway to the internet.

Has any related case like this happened before?

Regards

Lawrence

Accepted Solutions

Hi,

Try to send information syslogs to a syslog server in addition to the recommendation from Singh. This might give an indication of what is happening.

The best you can do is to get console access over 3G/4G/xDSL internet during the outage to see what is wrong with the ASA.

2 Replies

Hi Lawrence,

Have you monitored the CPU and memory utilization of the ASA during the internet outage?

