ASA VPN interruption

peterblersch
Level 1

On a site-to-site VPN we have interruptions every 1-3 hours lasting 5-10 seconds.

All applications connecting through this tunnel have to restart.

There are two Riverbeds in the VPN path,

the MTU size is 1380, and the TCP options have been set in the global policy.

How can I debug the IPsec connections to find the reason?

Greetings

Peter

2 Replies

ansalaza
Level 1

Please confirm that the interesting traffic is exactly mirrored on both endpoints!

show crypto isakmp sa

show crypto ipsec sa

debug crypto engine

debug crypto isakmp

debug crypto ipsec

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#pix_dbgs
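As an added illustration of the mirror check ansalaza asks for (this code is not from the thread or from Cisco), the script below parses the crypto ACL from each end of a LAN-to-LAN tunnel and reports entries whose (source, destination) pair has no exact (destination, source) counterpart on the other side, plus entries that are nested inside another entry on the same side, which is the other common way for proxy identities to disagree. The ACL lines are constructed sample input; the ACL name L2L-VPN and the addresses are made up. Only the plain `extended permit ip` form with host/any/subnet-mask operands is handled; object-groups are not expanded.

```python
import ipaddress

# Constructed sample: the crypto ACL as configured on each end of the L2L tunnel.
# ASA ACLs use subnet masks, not wildcard masks. The second REMOTE line is
# deliberately wider than its local counterpart so the mismatch shows up.
LOCAL_ACL = """
access-list L2L-VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L-VPN extended permit ip host 10.1.5.5 10.2.20.0 255.255.255.0
"""
REMOTE_ACL = """
access-list L2L-VPN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list L2L-VPN extended permit ip 10.2.20.0 255.255.255.0 10.1.0.0 255.255.0.0
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    if tok in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    # address followed by a subnet mask, e.g. 10.1.0.0 255.255.0.0
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(text):
    """Return the (source, destination) networks defined by 'extended permit ip' entries.
    Remarks, deny lines and other syntax are skipped; object-groups are not expanded."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
            continue
        if t[4] != "ip":
            raise ValueError(f"crypto ACL entries are expected to match 'ip', got: {line}")
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        entries.append((src, dst))
    return entries


def mirror_check(local, remote):
    """Entries on one side whose exact mirror (dst, src) is missing on the other."""
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [e for e in local if (e[1], e[0]) not in remote_set]
    extra_on_remote = [e for e in remote if (e[1], e[0]) not in local_set]
    return missing_on_remote, extra_on_remote


def overlaps(entries):
    """Index pairs (i, j) where entry i's proxies lie fully inside entry j's proxies."""
    found = []
    for i, (si, di) in enumerate(entries):
        for j, (sj, dj) in enumerate(entries):
            if i != j and si.subnet_of(sj) and di.subnet_of(dj):
                found.append((i, j))
    return found


def report(local_text, remote_text):
    """Print the discrepancies and return True only when both ACLs mirror exactly."""
    local, remote = parse_crypto_acl(local_text), parse_crypto_acl(remote_text)
    missing, extra = mirror_check(local, remote)
    for src, dst in missing:
        print(f"local {src} -> {dst} has no mirror on the remote")
    for src, dst in extra:
        print(f"remote {src} -> {dst} has no mirror locally")
    for i, j in overlaps(local):
        print(f"local entry {i} ({local[i][0]} -> {local[i][1]}) is nested inside entry {j}")
    return not missing and not extra


if __name__ == "__main__":
    print("mirrored:", report(LOCAL_ACL, REMOTE_ACL))
```

Paste the output of `show run access-list <name>` from each ASA into the two strings; when the remote end is not an ASA, translate its policy into the same address/mask form first.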

jason.espino
Level 1

Hello Peter,

The following command will allow you to view debug messages on the ASA for IPsec traffic:

debug crypto ipsec

The debug level is your choice; the higher the debug level, the more information you will see. You can also debug ISAKMP:

debug crypto isa

However, if you wish to debug this issue as it happens, you would have to wait until it occurs while you're debugging on the firewall. I don't think it would be ideal to simply wait until it occurs.

If you want, you could also enable logging to flash on the ASA for the vpn traffic which may provide some information as to why the tunnel went down.

Commands:

logging enable

logging buffer-size OPTIONAL

logging class vpn buffered informational

Has this issue appeared recently or has it been ongoing? Have you changed the time until the phase 1 and phase 2 SAs rekey? Do you know what the remote VPN rekey value is set to? The IPsec tunnel will agree upon the lowest values for renegotiation of the security associations. What is the remote device your ASA is terminating the VPN tunnel to?

Hope this info helps!
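To make use of the buffered VPN logging jason.espino suggests, here is an added example (not from the thread or from Cisco) that parses ASA syslog lines for the LAN-to-LAN SA created/deleted messages (602303/602304) and the session-disconnect message (113019) and separates a clean rekey, where the replacement SA is created before the old one is deleted, from an actual drop, a window in which no outbound SA exists at all. It also flags drops whose session duration falls within a tolerance of the IPsec SA lifetime, since drops tied to rekey show session lengths clustered around the lifetime. The log lines are constructed sample input (the message IDs are the ASA's, the host name, peers, SPIs, counters and times are made up), and the 3600 s lifetime default and 60 s tolerance are assumptions to adjust to your configuration.

```python
import re
from datetime import datetime

# Constructed sample of what 'logging class vpn buffered informational' captures.
# IDs 602303/602304 (L2L SA created/deleted) and 113019 (session disconnected)
# are ASA message IDs; everything else in these lines is made up for the example.
SAMPLE_LOG = """\
Mar 10 2014 10:02:11 fw1 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Mar 10 2014 11:01:58 fw1 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Mar 10 2014 11:01:58 fw1 %ASA-4-113019: Group = 198.51.100.1, Username = 198.51.100.1, IP = 198.51.100.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:59m:47s, Bytes xmt: 18322901, Bytes rcv: 4419321, Reason: Lost Service
Mar 10 2014 11:02:06 fw1 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 203.0.113.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Mar 10 2014 12:40:10 fw1 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 203.0.113.1 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Mar 10 2014 12:40:10 fw1 %ASA-4-113019: Group = 198.51.100.1, Username = 198.51.100.1, IP = 198.51.100.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:38m:04s, Bytes xmt: 29100, Bytes rcv: 8810, Reason: User Requested
Mar 10 2014 12:40:16 fw1 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9C0D1E2F) between 203.0.113.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<id>\d+): (?P<msg>.*)$"
)
SA_RE = re.compile(r"An (?P<dir>inbound|outbound) LAN-to-LAN SA \(SPI= (?P<spi>0x[0-9A-Fa-f]+)\)")
DISC_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s.*Reason: (?P<reason>.+)$")


def parse_events(log_text):
    """Return time-ordered (timestamp, kind, spi, detail) tuples for SA and disconnect messages."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        msg_id, msg = m["id"], m["msg"]
        if msg_id in ("602303", "602304"):
            sa = SA_RE.search(msg)
            if sa and sa["dir"] == "outbound":  # tracking one direction is enough for the tunnel state
                events.append((ts, "created" if msg_id == "602303" else "deleted", sa["spi"], None))
        elif msg_id == "113019":
            d = DISC_RE.search(msg)
            if d:
                secs = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
                events.append((ts, "disconnect", None, (secs, d["reason"].strip())))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second log order
    return events


def find_outages(events, sa_lifetime=3600, tolerance=60):
    """Windows with no live outbound SA. A clean rekey creates the new SA before the old
    one is deleted, so 'live' never empties; a drop is delete -> (disconnect) -> create."""
    outages, live, down_since, last_disc = [], set(), None, None
    for ts, kind, spi, detail in events:
        if kind == "created":
            live.add(spi)
            if down_since is not None:
                secs, reason = last_disc if last_disc else (None, None)
                outages.append({
                    "down_at": down_since, "up_at": ts,
                    "gap_s": (ts - down_since).total_seconds(),
                    "session_s": secs, "reason": reason,
                    # session length close to the SA lifetime points at rekey as the trigger
                    "near_sa_lifetime": secs is not None and abs(secs - sa_lifetime) <= tolerance,
                })
                down_since, last_disc = None, None
        elif kind == "deleted":
            live.discard(spi)
            if not live and down_since is None:
                down_since = ts
        else:
            last_disc = detail
    return outages


def analyze(log_text, sa_lifetime=3600, tolerance=60):
    """Parse a buffered-log dump and return the list of real outages found in it."""
    return find_outages(parse_events(log_text), sa_lifetime, tolerance)


if __name__ == "__main__":
    for o in analyze(SAMPLE_LOG):
        flag = " (session length ~ SA lifetime: check rekey)" if o["near_sa_lifetime"] else ""
        print(f"{o['down_at']:%H:%M:%S} down {o['gap_s']:.0f}s after a {o['session_s']}s session, "
              f"reason: {o['reason']}{flag}")
```

Feed it the output of `show logging` (or the file written to flash) and pass the `crypto ipsec security-association lifetime seconds` value you actually have configured as `sa_lifetime`; if every outage is flagged, compare that lifetime with the remote peer's before looking elsewhere.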