08-03-2009 05:17 AM - edited 03-11-2019 09:01 AM
Hello,
I have configured an L2L tunnel between two ASA5505 running version 7.2(4) and I have this strange problem:
the tunnel is up and stable and I route 4 networks over the tunnel but every 2-3 days the tunnel stops forwarding traffic on one of the four networks (never the same network) and the only way to recover is to issue a:
clear ipsec sa on one of the two ASAs.
Looking at the ipsec counters when I have the problem I see that packets are sent but they are never received on the other end....
Does anybody have a clue on what is happening?
I have installed tens of ASAs and only these two are giving me this problem.
BTW both ASA use the same Internet provider...
thanks in advance and regards
Giovanni
08-03-2009 07:07 PM
I would suggest that you set up some type of VPN-specific logging to see what's going on when the problem occurs.
The following will enable VPN logging in the firewall buffer:
logging enable
logging buffer-size 4096
logging class vpn buffered informational
The following will send VPN messages to a server behind the firewall:
logging enable
logging timestamp
logging list vpn-list level debugging class vpn
logging trap vpn-list
logging host inside x.x.x.x
08-04-2009 12:09 AM
Thanks,
I added the logging commands and I'll see what happens: basically I have this problem every 16-17 hours.
Giovanni
08-05-2009 06:18 AM
Hello,
this morning I had the same problem: the tunnel had been up for a day.
I have two ASA5505 one in the main office and one in a remote office.
Over the VPN tunnel I route two class B networks: 139.128.0.0/16 and 151.92.0.0/16.
From the attached logs I see that at 15:30 the ASA at the remote office successfully starts a new connection for 151.92.0.0/16 and nothing is done for net 139.128.0.0.
The result is that data for 151.92.0.0 is ok but no data is passing for 139.128.0.0. The ipsec SA is up but no data is received on both ends... and the only way to resume activity was to issue a "clear ipsec sa".
Any help would be highly appreciated as I'm really lost with this problem.
thanks in advance
Giovanni
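The symptom described above (packets encapsulated on one side, nothing decapsulated, for a single network pair) can be watched for by comparing two captures of `show crypto ipsec sa`. The following is an added example, not part of the original thread: the sample output is constructed in that command's layout, the local network 192.168.10.0/24 is hypothetical, and the function names `parse` and `stalled` are illustrative.

```python
import re

# Constructed sample in the layout of ASA `show crypto ipsec sa` (not from the thread's logs).
SNAP_T0 = """\
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (139.128.0.0/255.255.0.0/0/0)
      #pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000
      #pkts decaps: 4800, #pkts decrypt: 4800, #pkts verify: 4800
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (151.92.0.0/255.255.0.0/0/0)
      #pkts encaps: 900, #pkts encrypt: 900, #pkts digest: 900
      #pkts decaps: 850, #pkts decrypt: 850, #pkts verify: 850
"""
# Second constructed snapshot: only the counters the parser reads are advanced.
SNAP_T1 = (SNAP_T0.replace("encaps: 5000", "encaps: 5400")
           .replace("encaps: 900", "encaps: 1300")
           .replace("decaps: 850", "decaps: 1240"))

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse(text):
    """Return {(local, remote): {'encaps': n, 'decaps': n}} for each selector pair."""
    sas, ident, key = {}, {}, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            ident[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            if m.group(1) == "remote":
                key = (ident.get("local"), ident["remote"])
                sas[key] = {"encaps": 0, "decaps": 0}
        elif key:
            for name, value in COUNT.findall(line):
                sas[key][name] = int(value)
    return sas

def stalled(before, after, min_sent=10):
    """Selector pairs that sent at least min_sent packets between snapshots and received none."""
    flagged = []
    for key, now in after.items():
        prev = before.get(key)
        if prev is None:
            continue  # pair not present earlier, nothing to compare against
        if now["encaps"] < prev["encaps"]:
            prev = {"encaps": 0, "decaps": 0}  # counters restarted (new SA after rekey or clear)
        sent = now["encaps"] - prev["encaps"]
        received = now["decaps"] - prev["decaps"]
        if sent >= min_sent and received == 0:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    for local, remote in stalled(parse(SNAP_T0), parse(SNAP_T1)):
        print(f"one-way traffic: {local} -> {remote}")
```

Running the same comparison on both ASAs shows which direction is failing: the side whose encaps counter grows while the peer's decaps counter for the same pair stays flat is the sender of the lost packets.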
09-11-2009 04:13 AM
Hi Giovanni, I have the same problem with some clients.
The tunnel is up for some time... and sometimes the tunnel stops forwarding traffic and I need to clear ipsec and isakmp sa. The tunnel is still UP but it can't pass any traffic before I "reset" the tunnel.
Do you have any idea how to solve this problem? Seems to be a bug.
Best Regards,
Fabio