Cisco ASA5585x

swhitworth
Level 1

We have a 3rd party remotely monitoring our Netscalers via their management interface on IP addresses 172.30.0.51 and 172.30.0.52. This monitoring is completed via a site-to-site VPN between our ASA 5585s and their peer device.

Approximately once a week (various days, times) the 3rd party will report that our Netscalers are down because they have not received a ping reply for at least 5 mins. However, the devices are not down and any internal pings to the devices appear ok. A diagram is attached.

Is it possible that our ASAs are causing a delay in the echo reply? Is there any monitoring we can perform on the VPN to check the traffic?

Mohammad Alhyari
Cisco Employee

You can enable the following on the ASA to see if the tunnel was down at the time of the issue:
1- Get the debugs at the time of the issue:

debug cry isa 128 
debug cry ipsec 128

Use a syslog server if possible.

2- Run an IP SLA from the inside of your network to the remote end to ensure that the tunnel is not going down at the time of the issue.

3- The most important thing is to check the logs for the timestamp of the last incident and see what happened there. So the question is: are you using a syslog server?

Moh,
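As an added example (not from the post, and not Cisco's own tooling), here is a small Python script for step 3 above: it correlates the outage window the monitoring party reports with the ASA's syslog and lists any IPsec SA teardown/rebuild events near that window. It assumes syslog lines in the ASA's own timestamped format and that message IDs 602303/602304 are the "IPsec SA created/deleted" events; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ASA syslog output with "logging timestamp" enabled
# (not from the original post). 602303/602304 are taken to be the ASA's
# "IPsec SA created/deleted" messages; the message text is approximated.
SAMPLE_SYSLOG = """\
Mar 03 2020 02:10:05: %ASA-5-111008: User 'admin' executed the 'show crypto ipsec sa' command.
Mar 03 2020 02:14:31: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 198.51.100.2 and 203.0.113.2 (user= 203.0.113.2) has been deleted.
Mar 03 2020 02:18:47: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 198.51.100.2 and 203.0.113.2 (user= 203.0.113.2) has been created.
Mar 03 2020 09:00:00: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x11112222) between 198.51.100.2 and 203.0.113.2 (user= 203.0.113.2) has been deleted.
"""

# Message IDs treated as "tunnel SA state changed" (assumption, see above).
TUNNEL_IDS = {"602303", "602304"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)


def parse_asa_syslog(text):
    """Return (timestamp, severity, message id, text) for each ASA-formatted line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the ASA format
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, int(m["sev"]), m["id"], m["msg"]))
    return events


def tunnel_events_near(events, start, end, slack_minutes=10):
    """Tunnel SA events within slack_minutes of the [start, end] outage window.

    start/end are ISO 8601 strings for when the monitor saw no echo replies;
    the slack absorbs clock skew between the monitoring host and the ASA.
    """
    slack = timedelta(minutes=slack_minutes)
    lo = datetime.fromisoformat(start) - slack
    hi = datetime.fromisoformat(end) + slack
    return [e for e in events if e[2] in TUNNEL_IDS and lo <= e[0] <= hi]


if __name__ == "__main__":
    evs = parse_asa_syslog(SAMPLE_SYSLOG)
    # Outage window reported by the monitoring party (constructed).
    for ts, _, mid, msg in tunnel_events_near(evs, "2020-03-03T02:12", "2020-03-03T02:17"):
        print(ts, mid, msg[:70])
```

An empty result for a reported window means the SAs stayed up, which points the investigation at the IP SLA results from step 2 rather than at the tunnel itself.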
