Site to Site VPN

sgalarza · ‎06-14-2018

We currently have a client that is having issues with intermittent connectivity through one of our tunnels. We have a 2911 router going to the clients ASA 5510, I'm not sure what code they are running on their ASA. The way our setup is, we have to initiate traffic to the client to bring up the tunnel, when the client has the connectivity issue they call us and we attempt to bring up the tunnel, only after a few attempts will the tunnel come back up and pass traffic. Neither side has made any changes, nor were any changes made during the troubleshooting. Is this a keep-alive setting messing with things when re-keying happens or is it something more than than. I apologize for the lack of information on the client side. Any ideas would help.

Rob Ingram · ‎06-14-2018

Hi,
Can you provide the output from "show crypto isakmp sa detail" and the running-configuration of your router please?

sgalarza · ‎06-14-2018

I'd love to but unfortunately due to security measures I can't post any of our information online. We provide financial solutions for FI's, therefore everything is sensitive material. We have roughly 150 clients on this device, all are setup exactly the same, we send out forms so that they can match our settings and then we plug their information into a template. The issue is on the client side, unfortunately they don't have the support to find the root cause. What exactly would you be looking for in our config? I can provide the isakmp sa output minus IP's. I'm just looking for ideas or hunches as what could be the issue.

Rob Ingram · ‎06-14-2018

Perhaps the SA lifetime expires, which is causing the issues. Do you know if the ASA has keepalives (dpd) enabled?