Another L2L issue with ASA

n_parshina
Level 1
Looking through similar posts, I have not found a solution for this particular problem:

I have a remote location with an 857 (C850-ADVSECURITYK9-M, Version 12.4(6)T5) and a CO location with a 5520 (Software Version 7.1(2)), connected through the Internet by IPSec tunnels.

ACLs that define interesting traffic on both sides include 3 subnets that should be accessible behind the ASA's inside interface: 172.16.0.0/16, 192.168.105.0/24 and 192.168.3.0/24.

The configs are included in attachments. The whole thing works, the network behind the remote 857 sees the 3 subnets in CO and vice versa, until at some point the ASA decides that it does not like one of the defined subnets and starts tearing down connections between it and the remote network. For example, today it decided it no longer likes connections between the 192.168.223.0 (remote) and 192.168.105.0 (behind the inside interface) networks, while the connections to 172.16.0.0 and 192.168.3.0 keep working fine. That's after a year of normal operation.

We've had such an issue at several remote locations already, and it comes down to this: no matter what you do (kill SAs, remove and rebuild crypto maps, reload the remote end), nothing helps until you reload the ASA. You reload the ASA and, whoom! it works again. All networks defined are allowed to pass.

Since the communication is business critical, I would very much like to solve the problem without having to reload the central ASA every time it suddenly decides to stop passing traffic between one of the 3 critical subnets and a remote network.

I'd like to note that, overall, the configs work fine. At the times when the ASA starts dropping networks, no new access lists or configuration have been added to it.
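
Before reloading the ASA, the first thing to establish is which proxy-identity pair is actually broken: whether the SA for the failing pair is missing altogether, or is up but only carrying traffic one way. The following script is an added example and is not part of the original post or its attached configs. It compares the three subnet pairs the post describes against the `local ident` / `remote ident` / `#pkts encaps` / `#pkts decaps` lines of `show crypto ipsec sa` in the ASA 7.x output layout. The sample output is constructed for the example: the peer addresses and crypto map name are invented (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), and the counter values are made up so that the 192.168.105.0 pair shows the stalled one-way pattern.

```python
import ipaddress
import re

# Expected proxy identities for the tunnel, as the original post describes
# them: three CO subnets behind the ASA's inside interface, one remote subnet.
REMOTE = ipaddress.ip_network("192.168.223.0/24")
EXPECTED_PAIRS = [
    (ipaddress.ip_network("172.16.0.0/16"), REMOTE),
    (ipaddress.ip_network("192.168.105.0/24"), REMOTE),
    (ipaddress.ip_network("192.168.3.0/24"), REMOTE),
]

# Constructed sample of `show crypto ipsec sa` output in the ASA 7.x layout.
# Peer addresses, crypto map name and counters are made up for the example;
# the 192.168.105.0 pair is shown with packets leaving but none coming back.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.223.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 48211, #pkts encrypt: 48211, #pkts digest: 48211
      #pkts decaps: 47930, #pkts decrypt: 47930, #pkts verify: 47930

      local ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.223.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 812, #pkts encrypt: 812, #pkts digest: 812
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.223.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 1502, #pkts encrypt: 1502, #pkts digest: 1502
      #pkts decaps: 1477, #pkts decrypt: 1477, #pkts verify: 1477
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: local/remote networks plus encaps/decaps counts."""
    sas = []
    current = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            # The ASA prints a dotted netmask; ipaddress accepts that form.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if side == "local":
                current = {"local": net, "encaps": 0, "decaps": 0}
                sas.append(current)
            elif current is not None:
                current["remote"] = net
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return sas


def check_tunnel(expected_pairs, show_output):
    """Map each expected (local, remote) pair to 'ok', 'no-sa' or 'one-way'."""
    sas = {(sa["local"], sa.get("remote")): sa for sa in parse_ipsec_sa(show_output)}
    result = {}
    for pair in expected_pairs:
        sa = sas.get(pair)
        if sa is None:
            result[pair] = "no-sa"      # no SA negotiated for this proxy identity
        elif sa["encaps"] > 0 and sa["decaps"] == 0:
            result[pair] = "one-way"    # we encrypt and send, nothing returns
        else:
            result[pair] = "ok"
    return result


if __name__ == "__main__":
    for (local, remote), status in check_tunnel(EXPECTED_PAIRS, SAMPLE_OUTPUT).items():
        print(f"{local} <-> {remote}: {status}")
```

Run against the real command output captured on both ends, a "no-sa" result points at negotiation (the proxy identity never came up or was torn down), while "one-way" means the SA exists and the ASA is still encapsulating but the return direction is dead, which is the state worth checking on the 857 side before touching the ASA.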

2 Replies

mike_guy29
Level 1
Is the ASA device part of a failover pair?

The only reason I ask is because I had a lot of strange problems happen after my primary active ASA had failed over to the secondary standby. I didn't notice, and for a while it was the secondary one that was running as active. I had a lot of strange problems with VPNs, and once I had reverted the devices back to the correct setup they went away.

Thanks

n_parshina
Level 1

No, it is not...

Thank you for replying