Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2764
Views
0
Helpful
3
Replies

vpn site to site connectivity problem after it works fine

amralrazzaz
Level 5
Level 5

‎02-02-2019 04:39 PM - edited ‎02-21-2020 08:44 AM

hi all 

 

i have Cisco ASA5516-X and already configured site to site vpn ? once i deploy the connection working fine and i can reach the remote hosts but after sometimes it stop working by it self after checking same day at night ..

 

my question is do i have to check the windows firewall maybe its blocking something ?

what can cause this problem my side or the other side ?

is there is any policy that control the timing of accessing vpn connection ?

 

im the remote branch site and try to connect main head office 

 

need ideas of trouble shoot or what can cause this problem ?

 

 

amr alrazzaz
0 Helpful
3 Replies 3

Chewbakka1
Level 1
Level 1

‎02-03-2019 03:52 AM

The ipsec tunnel will be established if there is data to be sent.

Is the tunnel configured as bidirectional?

0 Helpful

Rob Ingram
VIP
VIP

‎02-03-2019 04:00 AM

The IKEv1/IKEv2 and IPSec SA's all have configured lifetime timers. You can determine these using the commands:-

 

show vpn-sessiondb detailed l2l

show crypto ipsec sa

 

These do expire if no interesting traffic has been sent over the VPN tunnel, in which case you would just need to intiate traffic for the tunnel to be re-established.

 

Dead Peer Detection (DPD) might be useful to be configured, reference here.

 

HTH

0 Helpful

Marius Gunnerud
VIP
VIP

‎02-03-2019 11:50 AM

As mentioned above, if no "interesting" traffic is sent over the VPN the tunnel will teardown.  You can increase the lifetime of ISAKMP and IPsec, and set vpn-idle-timeout none under the group policy assigned to the site to site VPN. However, if a rekey happens during a period when there is no traffic crossing the VPN, the tunnel will be still torn down.

The better option is to have your monitoring device at the HQ office send periodic ping / connectivity checks to the inside IP of the ASA.  For this to work you need to have management-access <interface name that you are pinging> configured on your ASA.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card