asa# clear ipsec sa peer x.x.x.x - required after outage

greenberg.j
Level 1

We have more than one Cisco ASA 5500 series firewall appliance that exhibits this same unstable behavior. This leads me to believe that there is a configuration problem somewhere. After an internet outage occurs, the Cisco ASA requires certain site-to-site VPN tunnels to be reset by clearing the security association. After the following is entered, everything starts working fine again.

asa# clear ipsec sa peer <remote peer ip>

Can anyone recommend a solution or direction?

Thanks,

Jay

3 Replies

ajay chauhan
Level 7

securityappliance(config)# tunnel-group 10.165.205.222 ipsec-attributes

securityappliance(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10

Configure it this way and see if it makes any difference.

Thanks

Ajay

Before I can make a change to the production environment, I must justify the decision. For a site-to-site VPN, can you explain to me the logic of increasing the threshold and retry? How should this help the SA re-establish after a failure?

From the Cisco Documentation:

The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.

For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.

Not sure if you've already got an answer, but if one of the IPsec peers drops unexpectedly due to a crash etc., the other peer must be rebooted in order to form a new SA, unless you let the IPsec timer expire and eventually form a new SA.
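Added example (not from this thread or from Cisco): a small Python model of the surviving peer's dead-peer-detection timer, tying together the threshold/retry question above and the last reply's point about a crashed peer leaving a stale SA until a timer expires. It shows how the keepalive threshold and retry values, and the absence of keepalives, change how long the stale SA survives. The probe count (MAX_RETRIES), the 28800-second SA lifetime and the event timing are constructed assumptions, not ASA's actual DPD implementation.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RETRIES = 3  # assumption: a probe is resent this many times before giving up


@dataclass
class DpdResult:
    torn_down_at: Optional[float]  # seconds after SA creation; None = SA kept
    events: List[str] = field(default_factory=list)


def simulate_dpd(threshold: float, retry: float, last_rx: float,
                 sa_lifetime: float, keepalive: bool = True,
                 peer_alive: bool = False) -> DpdResult:
    """Model the surviving peer of a LAN-to-LAN tunnel. The SA is created at
    t=0 and the last packet from the remote peer is seen at `last_rx`; with
    peer_alive=False the remote side has crashed without sending a delete."""
    res = DpdResult(None)
    if not keepalive:
        # Nothing probes the peer, so the stale SA lingers until its lifetime
        # expires; this is the window in which 'clear ipsec sa peer' is needed.
        res.torn_down_at = sa_lifetime
        res.events.append(f"t={sa_lifetime}: SA lifetime expired, stale SA removed")
        return res
    t = last_rx + threshold  # peer has been idle for `threshold` seconds
    for probe in range(MAX_RETRIES + 1):
        if t >= sa_lifetime:  # lifetime expiry beats DPD to the teardown
            res.torn_down_at = sa_lifetime
            res.events.append(f"t={sa_lifetime}: SA lifetime expired before DPD finished")
            return res
        if peer_alive:
            res.events.append(f"t={t}: keepalive answered, SA kept")
            return res
        res.events.append(f"t={t}: keepalive probe {probe} sent, no reply")
        t += retry  # wait `retry` seconds for an answer, then resend
    res.torn_down_at = t
    res.events.append(f"t={t}: peer declared dead, SA torn down")
    return res


def compare(last_rx: float = 100.0, sa_lifetime: float = 28800.0) -> dict:
    """Time until the stale SA is gone, for the settings discussed above."""
    return {
        "lan-to-lan default 10/2": simulate_dpd(10, 2, last_rx, sa_lifetime).torn_down_at,
        "suggested 15/10": simulate_dpd(15, 10, last_rx, sa_lifetime).torn_down_at,
        "no keepalive": simulate_dpd(10, 2, last_rx, sa_lifetime, keepalive=False).torn_down_at,
    }
```

Under this model a larger threshold and retry make the surviving ASA slower, not faster, to notice a dead peer; what keepalives buy you is that the SA is torn down at all, instead of lingering until the lifetime timer runs out.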