02-19-2009 06:51 AM
On a site to site vpn we have interruptions every 1-3 hour lasting for 5-10 seconds.
All applications connecting through this tunnel have to restart.
There are two Riverbeds in the VPN path,
the MTU size is 1380, and the TCP options have been set in the global policy.
How can I debug the IPsec connections to find the reason?
Greetings
Peter
02-19-2009 06:56 AM
Please confirm that the Interesting traffic is exactly mirrored on both End Points!
show crypto isakmp sa
show crypto ipsec sa
debug crypto engine
debug crypto isakmp
debug crypto ipsec
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#pix_dbgs
02-19-2009 11:19 AM
Hello Peter,
The following command will allow you to view debug messages on the ASA for IPsec traffic:
debug crypto ipsec
The debug level would be of your choosing. The higher the debug level, the more information you will see. You can also debug ISAKMP as well.
debug crypto isa
However, if you wish to debug this issue as it happens, you would have to wait until it occurs while you are debugging on the firewall. I don't think this would be ideal, to simply wait until it occurs.
If you want, you could also enable logging to flash on the ASA for the vpn traffic which may provide some information as to why the tunnel went down.
Commands:
logging enable
logging buffer-size
logging class vpn buffered informational
Has this issue recently appeared, or has it been ongoing? Have you changed the time until the phase 1 and phase 2 SAs rekey? Do you know what the remote VPN rekey value is set to? The IPsec tunnel will agree upon the lowest values for re-negotiation on the security associations. What is the remote device your ASA is terminating the VPN tunnel to?
Hope this info helps!
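Both replies above point at the same diagnostic approach: capture the ASA's VPN log messages (the `logging class vpn buffered informational` suggestion) and check whether the drops line up with the SA rekey interval, which is negotiated down to the lower of the two peers' lifetimes. The script below is an added example, not code from the original thread or from Cisco: it parses a constructed sample of ASA syslog lines, pairs each "SA deleted" with the next "SA created" for the same peer to measure how long the tunnel was down, and checks whether the spacing between drops matches the effective lifetime. The message IDs 602303/602304 and the exact line layout are assumptions drawn from ASA documentation; adjust the regex to whatever your buffered log actually contains.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of ASA syslog output (not real captured data).
# Assumed message IDs: 602303 = IPsec SA created, 602304 = IPsec SA deleted.
SAMPLE_LOG = """\
Feb 19 2009 06:00:02: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Feb 19 2009 07:00:01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Feb 19 2009 07:00:08: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Feb 19 2009 08:00:03: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Feb 19 2009 08:00:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9C0D1E2F) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
"""

# Regex for the assumed line layout: timestamp, message ID, SPI, peers, event.
SA_EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): "
    r".*SPI= (?P<spi>0x[0-9A-Fa-f]+)\) between (?P<local>\S+) and (?P<peer>\S+) "
    r".*has been (?P<event>created|deleted)\.$"
)


def parse_sa_events(log_text: str) -> List[Dict]:
    """Extract IPsec SA create/delete events from ASA syslog text."""
    events = []
    for line in log_text.splitlines():
        m = SA_EVENT_RE.match(line.strip())
        if not m:
            continue  # not an SA lifecycle message; ignore
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "event": m.group("event"),
            "peer": m.group("peer"),
            "spi": m.group("spi"),
        })
    return events


def outage_windows(events: List[Dict]) -> List[Tuple[datetime, datetime, float]]:
    """Pair each SA deletion with the next SA creation for the same peer.

    Returns (deleted_at, recreated_at, seconds_down) tuples; the gap is the
    window in which traffic through the tunnel had nowhere to go.
    """
    windows = []
    pending: Dict[str, datetime] = {}  # peer -> time its SA was deleted
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "deleted":
            pending[ev["peer"]] = ev["ts"]
        elif ev["peer"] in pending:
            down_at = pending.pop(ev["peer"])
            windows.append((down_at, ev["ts"], (ev["ts"] - down_at).total_seconds()))
    return windows


def effective_lifetime(local_seconds: int, remote_seconds: int) -> int:
    """Peers rekey at the lower of the two configured SA lifetimes."""
    return min(local_seconds, remote_seconds)


def analyze(log_text: str, local_lifetime: int, remote_lifetime: int,
            tolerance: int = 60) -> Dict:
    """Measure outages and test whether drops recur at the rekey interval."""
    events = parse_sa_events(log_text)
    windows = outage_windows(events)
    deletions = [e["ts"] for e in events if e["event"] == "deleted"]
    intervals = [(b - a).total_seconds() for a, b in zip(deletions, deletions[1:])]
    lifetime = effective_lifetime(local_lifetime, remote_lifetime)
    aligned = bool(intervals) and all(abs(i - lifetime) <= tolerance for i in intervals)
    return {
        "outage_seconds": [w[2] for w in windows],
        "drop_intervals": intervals,
        "effective_lifetime": lifetime,
        "rekey_aligned": aligned,
    }


if __name__ == "__main__":
    # Local lifetime 28800 s, remote 3600 s: the tunnel will rekey hourly.
    print(analyze(SAMPLE_LOG, local_lifetime=28800, remote_lifetime=3600))
```

Drops that recur at the effective lifetime with a short gap each time point at the rekey itself (a mismatch in proxy identities or lifetimes between the two ends); drops at irregular intervals point elsewhere, for example at the MTU or at the Riverbed devices in the path.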