Thanks for your reply.
I checked the value of the user_data field against the SPI for working and for faulty connections. But in both cases the user_data value does not match the SPI of the connection.
The "clear crypto ipsec sa inactive" command deletes some SPIs but does not solve the problem.
At the moment the only option is to reboot the ASA, which is a very unsatisfying solution in a production environment.
But I found another workaround without rebooting the device:
1. Make some changes in the affected crypto map, e.g. add a dummy host object.
2. Apply the changes; the ASA builds a new tunnel to the same remote peer.
3. In StS Monitoring select the old tunnel (it can be identified by the uptime of the tunnel) and press the Logout button.
4. Undo the changes in the affected crypto map.
5. Apply the changes; the ASA builds a new tunnel to the remote peer again.
6. In StS Monitoring select the older tunnel again and press Logout.
7. Save the changes to memory.
Now the tunnel works correctly.
I have disconnected the fan of a 2960-S because it was a little bit too noisy (it is lying next to me on a board). Beforehand I created monitoring sensors in PRTG to check the temperature. After the weekend I noticed the temperature sensor was in warning state (I was expecting that), but curiously the fan sensor was still green. I checked the switch console and the fan sensor shows FAN is OK. So what's going on? The sensor should be faulty or not present. This means to me that the fan monitoring is not very helpful (for this type).
Has anyone seen the same issue or does anyone have any helpful information?
Hello, we have a really strange site-to-site tunnel issue on several ASAs. We are running VPN tunnels between a small site and three bigger ones. The small office has an ASA 5505, the other three have an ASA 5510. One of the tunnels has been working for months without problems. Each tunnel has several class C networks on it, e.g.

Site A:
- 192.168.50.0/24 (named A1)
- 192.168.51.0/24 (named A2)

Site B:
- 192.168.60.0/24 (named B1)
- 192.168.61.0/24 (named B2)

On the two faulty tunnels all is fine at the beginning. After a few days (1-14 days) some networks stop working. So I can ping from both networks A1 and A2 the network B1, but only from A2 the network B2. Pings from A1 to B2 time out. The ASA on site A shows tx=0 traffic for A1 <=> B2, but rx traffic counts up. On ASA B it shows rx=0 for B2 <=> A1 and tx counts up. This happens unexpectedly after different periods. Sometimes it hits the ASA on site B, where tx=0, sometimes it is the ASA on site A.

I tried to fix it with the following commands:
clear crypto isakmp sa
clear crypto ipsec sa
clear xlate
but nothing worked. The only solution at the moment is to reboot the ASA where the tx count shows 0. After a reboot all is fine for a while. On one of the affected sites we have an ASA failover configuration. A switchover of the active appliance also solves the issue. But if you switch back before rebooting the former primary, the issue returns immediately.

I think it is not a configuration issue because:
- All tunnels are configured the same way, and one of them has been running for months without any issue
- The tunnels work for all subnet combinations after a reboot
- The issue occurs after different and long time periods. So I think the period between two failures is too long to be caused by tunnel timeouts and so on.

All ASAs are running 9.1.(5).21. I upgraded the firmware to several releases in the last months, and had the same issue with every release I tested. So I hope someone else has also had this problem and found a solution.
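The symptom described in the post above (one direction of a per-subnet SA stuck at zero while the other keeps counting) is easy to miss in a long "show crypto ipsec sa" listing, and a plain ping test only catches it if you happen to test the affected subnet pair. The script below is an added example, not code from the original thread or from Cisco: it parses a captured "show crypto ipsec sa" dump, groups the counters per local/remote subnet pair and peer, and flags SAs where "#pkts encaps" is zero while "#pkts decaps" is non-zero (or the reverse). The sample output is constructed and only approximates the ASA 9.1 layout; the field names "local ident", "remote ident", "current_peer", "#pkts encaps" and "#pkts decaps" are assumed to match that release, and all counters and addresses are invented.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample that approximates "show crypto ipsec sa" on ASA 9.1.
# Subnet names follow the post: A1/A2 at site A, B1/B2 at site B.
# Counters are invented; the fourth SA reproduces the reported fault
# (tx=0 for A1 <=> B2 while rx counts up), the fifth is a fresh, idle SA.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 10422, #pkts encrypt: 10422, #pkts digest: 10422
      #pkts decaps: 9871, #pkts decrypt: 9871, #pkts verify: 9871
      #send errors: 0, #recv errors: 0

      local ident (addr/mask/prot/port): (192.168.51.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 5310, #pkts encrypt: 5310, #pkts digest: 5310
      #pkts decaps: 4998, #pkts decrypt: 4998, #pkts verify: 4998
      #send errors: 0, #recv errors: 0

      local ident (addr/mask/prot/port): (192.168.51.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.61.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 2201, #pkts encrypt: 2201, #pkts digest: 2201
      #pkts decaps: 2190, #pkts decrypt: 2190, #pkts verify: 2190
      #send errors: 0, #recv errors: 0

      local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.61.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 842, #pkts decrypt: 842, #pkts verify: 842
      #send errors: 0, #recv errors: 0

      local ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


@dataclass
class SaCounters:
    peer: str
    local: str      # local proxy identity as CIDR, e.g. 192.168.50.0/24
    remote: str     # remote proxy identity as CIDR
    encaps: int     # packets sent into the tunnel (tx)
    decaps: int     # packets received from the tunnel (rx)

    def verdict(self) -> str:
        # Both zero is normal for a freshly built or idle SA, so it is not a fault.
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.encaps == 0:
            return "tx-stalled"   # we receive but never send: the symptom in the post
        if self.decaps == 0:
            return "rx-stalled"   # the mirror image seen on the far-end ASA
        return "ok"


def to_cidr(addr: str, mask: str) -> str:
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Walk the dump line by line; each 'local ident' starts a new SA record."""
    records: List[SaCounters] = []
    cur: Dict[str, object] = {}
    for line in text.splitlines():
        if m := LOCAL_RE.search(line):
            cur = {"local": to_cidr(m.group(1), m.group(2))}
        elif m := REMOTE_RE.search(line):
            cur["remote"] = to_cidr(m.group(1), m.group(2))
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))
            if {"local", "remote", "peer", "encaps"} <= cur.keys():
                records.append(SaCounters(**cur))  # type: ignore[arg-type]
            cur = {}
    return records


def stalled(records: List[SaCounters]) -> List[SaCounters]:
    """Only one-directional SAs are reported; idle and healthy ones are not."""
    return [r for r in records if r.verdict().endswith("stalled")]


if __name__ == "__main__":
    for r in parse_ipsec_sa(SAMPLE):
        print(f"{r.peer} {r.local} <=> {r.remote}: tx={r.encaps} rx={r.decaps} [{r.verdict()}]")
```

The check works on a single snapshot because the counters are cumulative since the SA was built, which is exactly the "tx=0 but rx counts up" observation in the post; for a continuously monitored box you would rather take two snapshots a few minutes apart and apply the same rule to the deltas, since an old SA that has sent traffic in the past but stopped would otherwise look healthy. Note that "clear crypto ipsec sa" resets these counters, so run the check before, not after, any clearing attempt.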