asa# clear ipsec sa peer x.x.x.x - required after outage

greenberg.j
Level 1

We have more than one Cisco ASA 5500 series firewall appliance that exhibits this same unstable behavior. This leads me to believe that there is a configuration problem somewhere. After an internet outage occurs, the Cisco ASA requires certain site-to-site VPN tunnels to be reset by clearing the security association. After the following is entered, everything starts working fine again.

asa# clear ipsec sa peer <remote peer ip>

Can anyone recommend a solution or direction?

Thanks,

Jay

3 Replies

ajay chauhan
Level 7

securityappliance(config)# tunnel-group 10.165.205.222 ipsec-attributes

securityappliance(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10

Configure it this way and see if it makes any difference.

Thanks

Ajay

Before I can make a change to the production environment, I must justify the decision. For a site-to-site VPN, can you explain to me the logic of increasing the threshold & retry? How should this help the SA reestablish after a failure?

From the Cisco Documentation:

The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.

For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.

Not sure if you've already got an answer, but if one of the IPSEC peers drops unexpectedly due to a crash etc., the other peer must be rebooted in order to form a new SA, unless you let the IPSEC timer expire and form a new SA eventually.
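As an added example (not from any poster in this thread), the following Python script audits an ASA running-config for the per-peer isakmp keepalive (DPD) setting that the replies discuss, reporting whether each L2L tunnel-group has an explicit threshold/retry, is silently on the documented default of 10/2, or has keepalives disabled. The sample config below is constructed for illustration; the default values come from the Cisco documentation quoted above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Defaults as quoted from the Cisco documentation in this thread:
# LAN-to-LAN threshold 10s / retry 2s, remote access threshold 300s / retry 2s.
DEFAULT_KEEPALIVE = {"ipsec-l2l": (10, 2), "ipsec-ra": (300, 2)}

# Constructed sample running-config excerpt (not from the poster's device).
SAMPLE_CONFIG = """\
tunnel-group 10.165.205.222 type ipsec-l2l
tunnel-group 10.165.205.222 ipsec-attributes
 isakmp keepalive threshold 15 retry 10
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.9 type ipsec-l2l
tunnel-group 203.0.113.9 ipsec-attributes
 isakmp keepalive disable
"""

@dataclass
class Keepalive:
    peer: str
    source: str              # "explicit", "default" or "disabled"
    threshold: int | None    # seconds of silence before the first DPD probe
    retry: int | None        # seconds between probe retries

def audit_keepalives(config: str) -> list[Keepalive]:
    """Return the effective isakmp keepalive setting for every tunnel-group."""
    types: dict[str, str] = {}
    explicit: dict[str, tuple[int, int] | None] = {}
    current = None
    for line in config.splitlines():
        if m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            types[m.group(1)] = m.group(2)
            current = None
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            current = m.group(1)
        elif current and line.startswith(" "):
            if m := re.match(r"\s*isakmp keepalive threshold (\d+) retry (\d+)", line):
                explicit[current] = (int(m.group(1)), int(m.group(2)))
            elif re.match(r"\s*isakmp keepalive disable", line):
                explicit[current] = None   # peer death only noticed at SA expiry
    result = []
    for peer, ttype in types.items():
        if peer in explicit and explicit[peer] is None:
            result.append(Keepalive(peer, "disabled", None, None))
        elif peer in explicit:
            result.append(Keepalive(peer, "explicit", *explicit[peer]))
        else:
            result.append(Keepalive(peer, "default", *DEFAULT_KEEPALIVE.get(ttype, (None, None))))
    return result
```

Peers reported as "disabled" are the ones where a crashed remote side is only detected once the SA lifetime expires, which matches the failure mode described in the last reply.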
