Solved: Thanks for your prompt reply.

vishnureddy1979 · ‎03-03-2016

Hello,

I have site to site tunnel between 2 ASAs. One ASA is behind the university and other is at our datacenter. Unversity provides us the Internet services and they have the ASA which controls the incoming traffic. We used to have tunnel issues where the stale SAs were inactive and deleted at the datacenter due to inactivity timeout or some other reasons not known. Later found out that ASA9.1.5 behind the university had the bug for not deleting the stale entries. After downgrading the code to 8.4.6 version we are not seeing any issues. And its working as normal. Unversity guy said he added some ACLS on the outside interface to allow our Datacenter IP to pass the VPN traffic.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCup37416

My Question even before adding those acls the tunnels were working but were not deleting the stale entries. I think after upgrade it became stable. Unversity guys says after adding the ACL it may have stablized the issue.

Could anyone can highlight here what was going on?

Thanks in advance.

Aditya Ganjoo · ‎03-03-2016

Hi Vishnu,

Adding ACL's on the outside interface does not have any relation with the ASP table entries for the VPN traffic.

The ASP duplicate entries are caused for crypto ACL's and the interesting traffic.

The ASP table will show duplicate ASP entries and traffic is hitting an ASP entry
that is stale and the traffic for particular SA is blackholed which leads to disruption of VPN traffic.

It has no link with the interface ACL's.

Hope it answers your query.

Regards,

Aditya

Please rate helpful posts.

View solution in original post

Aditya Ganjoo · ‎03-03-2016