cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
21636
Views
0
Helpful
3
Replies
greenberg.j
Beginner

asa# clear ipsec sa peer x.x.x.x - required after outage

We have more than one Cisco ASA 5500 series firewall appliance that exhibits this same unstable behavior.  This leads me to believe that there is a configuration problem somewhere.   After an internet outage occurs, the Cisco ASA requires certain site to site VPN tunnels to be reset , by clearing the security association.    After the following is entered, everything starts working fine again. 

asa# clear ipsec sa peer <remote peer ip>

Can anyone recommend a solution or direction?

Thanks,

Jay

3 REPLIES 3
ajay chauhan
Rising star

  securityappliance(config)# tunnel-group 10.165.205.222  ipsec-attributes

  securityappliance(config-tunnel-ipsec)#isakmp keepalive  threshold 15 retry 10

configure this way and see if makes any diffrence .

Thanks

Ajay

Before I can make a change to the production environment, i must justify the decision.   For a site-to-site VPN, can you explain to me the logic of increasing the threshold & retry ?  How should this help the SA reestablish after a failure ?

From the Cisco Documentation:

The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.

For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.

Not sure if you've already got an answer but if one of the IPSEC peers drops unexpectedly due to a crash etc., other peer must be rebooted in order to form a new SA. Unless you let the IPSEC timer expire and form a new SA eventually.

Create
Recognize Your Peers
Content for Community-Ad