12-28-2011 09:18 AM - edited 02-21-2020 05:47 PM
We have more than one Cisco ASA 5500 series firewall appliance that exhibits this same unstable behavior. This leads me to believe that there is a configuration problem somewhere. After an internet outage occurs, the Cisco ASA requires certain site-to-site VPN tunnels to be reset, by clearing the security association. After the following is entered, everything starts working fine again.
asa# clear ipsec sa peer <remote peer ip>
Can anyone recommend a solution or direction?
Thanks,
Jay
12-28-2011 09:56 AM
securityappliance(config)# tunnel-group 10.165.205.222 ipsec-attributes
securityappliance(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
Configure this way and see if it makes any difference.
Thanks
Ajay
12-28-2011 10:15 AM
Before I can make a change to the production environment, I must justify the decision. For a site-to-site VPN, can you explain to me the logic of increasing the threshold & retry? How should this help the SA reestablish after a failure?
From the Cisco Documentation:
The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.
For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.
02-05-2013 09:45 AM
Not sure if you've already got an answer, but if one of the IPSEC peers drops unexpectedly due to a crash etc., the other peer must be rebooted in order to form a new SA, unless you let the IPSEC timer expire and form a new SA eventually.
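To make the keepalive timer logic Jay asked about concrete, here is a small Python model added to this thread (not from the posts above and not Cisco code): it steps through an internet outage one second at a time and reports when this side's DPD would give up on the peer and clear the SA, which is the alternative to waiting for the IPsec lifetime to expire as the last reply describes. The function name simulate_dpd and the retry count MAX_RETRIES are my own assumptions; the ASA's real number of retries is not stated in this thread.

```python
"""Toy model of ASA IKE keepalive (DPD) timers across an internet outage.

Constructed illustration: 'threshold' is the idle time (seconds) before the
first keepalive is sent, 'retry' is the gap between unanswered keepalives.
MAX_RETRIES is an assumed value; the ASA's actual retry count is not given here.
"""

MAX_RETRIES = 3  # assumed retries after the first unanswered keepalive


def simulate_dpd(threshold, retry, outage_start, outage_end, horizon=300):
    """Return {'dead_at': second the peer is declared dead or None,
    'probes': seconds at which keepalives were sent}.

    While the peer is reachable it sends traffic every second, so the idle
    timer never reaches 'threshold' and no keepalive is needed.  During the
    outage [outage_start, outage_end) nothing arrives and no probe is answered.
    """
    last_seen = -1      # last second any traffic or keepalive reply arrived
    last_probe = None   # when the most recent keepalive was sent
    misses = 0          # unanswered keepalives so far
    probes = []
    for t in range(horizon):
        reachable = not (outage_start <= t < outage_end)
        if reachable:
            # Traffic or a reply came in: idle timer and miss counter reset.
            last_seen, last_probe, misses = t, None, 0
            continue
        if misses == 0:
            if t - last_seen >= threshold:      # idle long enough: first probe
                probes.append(t)
                last_probe, misses = t, 1
        elif t - last_probe >= retry:           # retry interval passed, no reply
            if misses > MAX_RETRIES:
                # Give up: the SA is torn down so a fresh negotiation can
                # start, instead of holding a stale SA until its lifetime ends.
                return {"dead_at": t, "probes": probes}
            probes.append(t)
            last_probe, misses = t, misses + 1
    return {"dead_at": None, "probes": probes}


if __name__ == "__main__":
    # LAN-to-LAN defaults from the Cisco doc quoted above vs. the suggested values,
    # both with an outage starting at second 10 that lasts the whole run.
    print("defaults  (10/2):", simulate_dpd(10, 2, 10, 300))
    print("suggested (15/10):", simulate_dpd(15, 10, 10, 300))
    print("short outage      :", simulate_dpd(10, 2, 10, 20))
```

A short outage that ends before the retries are exhausted leaves the SA in place; only a longer one triggers the teardown and renegotiation.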