cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1835
Views
0
Helpful
3
Replies

How to determine cause of ipsec tunnel dropping on ASA 5510

jessica jestol
Level 1
Level 1

Is there any easy way to determine the cause of an ipsec l2l VPN tunnel dropping on an asa 5510? I have logging enabled but, the buffer gets filled up so fast, I can't find anything when it's 24 hours later. I'm working on getting a syslog server/aggregator setup but... until it's complete I need a temporary measure. Suggestions?

1 Accepted Solution

Accepted Solutions

Mohammad Alhyari
Cisco Employee
Cisco Employee

Hi Jessica.

 

For the buffered limit you can try :

Increase the buffer size to the max.

limit the logs to the vpn class:

Logging class vpn buffered debugging. 

 

On the other hand you can try the debugs :

Debug crypto condition peer peer_address

debug cry isa 128

debug cry ipsec 128

If you lose the ssh session the debugs will be disabled.  Finally for the vpn tunnels usually it goes down due to :

Idle timeout

dead peer detection 

delete from other end.

 

HTH.

View solution in original post

3 Replies 3

Mohammad Alhyari
Cisco Employee
Cisco Employee

Hi Jessica.

 

For the buffered limit you can try :

Increase the buffer size to the max.

limit the logs to the vpn class:

Logging class vpn buffered debugging. 

 

On the other hand you can try the debugs :

Debug crypto condition peer peer_address

debug cry isa 128

debug cry ipsec 128

If you lose the ssh session the debugs will be disabled.  Finally for the vpn tunnels usually it goes down due to :

Idle timeout

dead peer detection 

delete from other end.

 

HTH.

I can't use the debugs because the drop is intermittently occurring anywhere from 1-5 days apart...

@Mohammad Alhyari  - Do you have any response to this ticket reply?