657 Views, 0 Helpful, 2 Replies

ASA5510/SSG520 VPN Phase1 renegotiation problem

martinmadsen
Level 1

Hey,

I have a problem with multiple VPN tunnels that I cannot figure out.

I have a IPSEC site-to-site vpn between a Cisco ASA5510 and a Juniper SSG520.

The VPN is up and running as expected except when Phase 1 needs to be renegotiated.

When that happens (every 24 hours) the Citrix clients lose connection to the Citrix server and the Outlook clients report "Offline".

I have setup some ping jobs that shows that only 1 packet is lost during the Phase 1 renegotiation.

The users can connect to the servers afterwards without any problems, but they are annoyed by this.

I have updated both firewalls to the newest firmware release without any luck.

Anyone have a clue as to how to get this fixed?

Before we changed to the ASA5510 we were using a Watchguard X700 firewall, and that didn't have this problem.

Hope someone can shed some light on this.

Best Regards

Martin

2 Replies

rizwanr74
Level 7

Hey,

By default phase one is valid for 24 hrs.

Check which particular phase-one parameters are exchanged when the tunnel comes up, and create a duplicate of that particular policy with a lifetime value of zero; the same policy must exist on the other side of the tunnel.

Try if that helps.

Thanks

Thanks for your answer. I believe it isn't possible to create a Phase 1 that is unlimited in time and amount of data. At least ASDM tells me this isn't possible, I guess this is a safety precaution.

Anyway if I need to do some debugging on the ASA, what elements should I enable debugging on?

Thanks
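Before changing policy lifetimes, it is worth confirming from the logs that the one lost ping really lines up with the Phase 1 rekey rather than something else. The script below is an added example, not code from this thread or from Cisco: it parses constructed ASA syslog lines and a constructed ping log, extracts the Phase 1 completion times, computes the interval between rekeys (to check it matches the 24 h lifetime) and flags which ping losses fall within a few seconds of a rekey. The syslog layout and the use of message ID 713119 for "PHASE 1 COMPLETED" are assumptions modelled on ASA IKEv1 logging; the ping log format is simply what a cron ping job might write.

```python
"""Correlate IKE Phase 1 rekeys with ping loss from ASA syslog and a ping log.

Added example: all log lines below are constructed, not captured from a real
device. Message ID 713119 ("PHASE 1 COMPLETED") is assumed to mark a rekey.
"""
import re
from datetime import datetime, timedelta

# Constructed ASA syslog excerpt (peer address from the documentation range).
ASA_LOG = """\
Mar 01 2011 08:00:03 asa5510 %ASA-5-713119: Group = 203.0.113.2, IP = 203.0.113.2, PHASE 1 COMPLETED
Mar 01 2011 08:00:04 asa5510 %ASA-5-713120: Group = 203.0.113.2, IP = 203.0.113.2, PHASE 2 COMPLETED (msgid=1a2b3c4d)
Mar 01 2011 16:00:05 asa5510 %ASA-5-713120: Group = 203.0.113.2, IP = 203.0.113.2, PHASE 2 COMPLETED (msgid=2b3c4d5e)
Mar 02 2011 07:59:58 asa5510 %ASA-5-713119: Group = 203.0.113.2, IP = 203.0.113.2, PHASE 1 COMPLETED
Mar 02 2011 07:59:59 asa5510 %ASA-5-713120: Group = 203.0.113.2, IP = 203.0.113.2, PHASE 2 COMPLETED (msgid=3c4d5e6f)
Mar 03 2011 07:59:52 asa5510 %ASA-5-713119: Group = 203.0.113.2, IP = 203.0.113.2, PHASE 1 COMPLETED
"""

# Constructed ping-job output: one line per probe, "timestamp reply|timeout".
PING_LOG = """\
2011-03-01 12:00:00 reply
2011-03-02 07:59:57 timeout
2011-03-02 07:59:58 reply
2011-03-02 20:15:30 timeout
2011-03-03 07:59:52 timeout
2011-03-03 07:59:53 reply
"""

ASA_TS = "%b %d %Y %H:%M:%S"
PING_TS = "%Y-%m-%d %H:%M:%S"
# Match the timestamp of lines carrying the assumed Phase 1 completion message.
PHASE1_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-713119: .*PHASE 1 COMPLETED"
)


def phase1_completions(log):
    """Return the datetimes at which Phase 1 completed, in log order."""
    times = []
    for line in log.splitlines():
        m = PHASE1_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group("ts"), ASA_TS))
    return times


def rekey_intervals(times):
    """Gaps between consecutive Phase 1 completions (expect ~lifetime)."""
    return [later - earlier for earlier, later in zip(times, times[1:])]


def ping_losses(log):
    """Datetimes of every probe that timed out."""
    losses = []
    for line in log.splitlines():
        ts, result = line.rsplit(" ", 1)
        if result == "timeout":
            losses.append(datetime.strptime(ts, PING_TS))
    return losses


def correlate(losses, rekeys, window=timedelta(seconds=5)):
    """Split losses into those within `window` of a rekey and the rest."""
    matched, unexplained = [], []
    for loss in losses:
        near = [r for r in rekeys if abs(r - loss) <= window]
        (matched if near else unexplained).append(loss)
    return matched, unexplained


def analyse(asa_log=ASA_LOG, ping_log=PING_LOG):
    """Summarise rekey cadence and how many losses coincide with a rekey."""
    rekeys = phase1_completions(asa_log)
    matched, unexplained = correlate(ping_losses(ping_log), rekeys)
    return {
        "rekeys": len(rekeys),
        "intervals_hours": [round(i.total_seconds() / 3600, 2) for i in rekey_intervals(rekeys)],
        "losses_at_rekey": len(matched),
        "other_losses": len(unexplained),
    }


if __name__ == "__main__":
    print(analyse())
```

On the constructed data the two rekeys are 24 h apart and two of the three timeouts fall within a second of a Phase 1 completion, while the 20:15 timeout does not; that is the kind of split that tells you whether a lifetime change can be expected to help at all. With real data, feed the script the syslog export for the tunnel and the ping job's output instead of the embedded strings.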
