ASA5510/SSG520 VPN Phase1 renegotiation problem

martinmadsen
Level 1

Hey,

I have a problem with multiple VPN tunnels that I cannot figure out.

I have an IPSEC site-to-site VPN between a Cisco ASA5510 and a Juniper SSG520.

The VPN is up and running as expected except when Phase 1 needs to be renegotiated.

When that happens (every 24 hours) the Citrix clients lose connection to the Citrix server and the Outlook clients report "Offline".

I have set up some ping jobs that show that only 1 packet is lost during the Phase 1 renegotiation.

The users can connect to the servers afterwards without any problems, but they are annoyed by this.

I have updated both firewalls to the newest firmware release without any luck.

Does anyone have a clue as to how to get this fixed?

Before we changed to the ASA5510 we were using a Watchguard X700 firewall, and that didn't have this problem.

Hope someone can shed some light on this.

Best Regards

Martin

2 Replies

rizwanr74
Level 7

Hey

By default, phase one is valid for 24 hrs.

Check, when the tunnel comes up, which particular phase-one parameters are exchanged and create a duplicate of that particular policy with a lifetime value of zero; the same policy must exist on the other side of the tunnel.

Try if that helps.

Thanks

Thanks for your answer. I believe it isn't possible to create a Phase 1 that is unlimited in time and amount of data. At least ASDM tells me this isn't possible, I guess this is a safety precaution.

Anyway if I need to do some debugging on the ASA, what elements should I enable debugging on?

Thanks