03-07-2022 11:52 AM - edited 04-06-2022 08:17 AM
IPsec VPN, when it drops, doesn't recover automatically on ASA5508
03-07-2022 11:58 AM
@mze do you have dead peer detection (dpd) keepalives configured on both ends? This will clear the stale IPSec SAs.
Are you using IKEv1 and are the lifetimes identical?
03-07-2022 12:12 PM - edited 04-06-2022 08:17 AM
Thank you for the quick response. I see the IPsec configuration below; I don't see any DPD configuration. Is there a command for this?
03-07-2022 12:15 PM
@mze refer to this link for the command.
https://community.cisco.com/t5/security-documents/dead-peer-detection/ta-p/3111324
You need to ensure DPD is configured on both devices.
03-08-2022 08:00 AM
DPD is configured, but the tunnel doesn't come up until I clear it.
03-07-2022 01:19 PM
What is the other peer FW? Is it an ASA also?
03-08-2022 01:19 AM
Yes, both are ASA5508.
03-08-2022 09:21 AM
Does one of the peers use the default group-policy?
Configure idle-timeout/session-timeout to none for the group-policy on both.
Try this way.
03-09-2022 09:13 AM - edited 05-02-2022 03:33 AM
thanks
03-09-2022 10:08 AM - edited 03-09-2022 10:17 AM
Can you share the config for both peers?
You don't mention in your post that you use IKEv2, anyway:
crypto map outside_map 1 set pfs group5 <- check that this command is entered on both peers.
Try it and monitor the tunnel status.
03-09-2022 02:33 PM - edited 05-02-2022 03:34 AM
thanks
03-09-2022 03:21 PM
ASA UK
crypto ipsec profile ...
 set ikev2 ipsec-proposal ....
 set pfs group24
 responder-only <- this is needed
ASA AU
crypto ipsec profile ...
 set ikev2 ipsec-proposal ....
 set pfs group24
Try the above config; the other config is OK.
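The points raised across this thread (DPD on both peers, idle/session timeouts set to none in the group-policy, identical PFS group on both ends, and responder-only on exactly one side so the two ASAs do not race each other on rekey) fit together in one VTI-based site-to-site configuration. The fragment below is an added example, not config posted by anyone in this thread; the peer addresses (203.0.113.x), tunnel-interface addressing, proposal and profile names, and the placeholder pre-shared key are all assumed values, and the mirror-image config on the other ASA omits only the responder-only line.

```cisco
! Added example for the "UK" ASA (initiator/responder side that holds the
! responder-only flag). Addresses, names and key are placeholders.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 24
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! ESP proposal referenced by the ipsec profile
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Profile: PFS group must be identical on both peers.
! responder-only goes on ONE side only; the other ASA keeps the same
! profile without this line so it is always the one that re-initiates.
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group24
 set security-association lifetime seconds 3600
 responder-only

! Route-based tunnel bound to the profile
interface Tunnel1
 nameif VTI-AU
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Peer definition with DPD (isakmp keepalive applies to IKEv2 on ASA).
! Threshold 10 s idle before a probe, retry every 2 s; configure the same
! on the other ASA so a dead peer is detected from either side.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-PSK>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-PSK>
 isakmp keepalive threshold 10 retry 2

! L2L tunnels fall back to the default group-policy unless one is
! assigned; make sure neither timer can tear the SA down silently.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-session-timeout none
```

On the "AU" ASA the same blocks are configured with 203.0.113.1 as the tunnel destination/peer, 10.255.0.2 on Tunnel1, and the profile without responder-only. After applying it, watch `show crypto ikev2 sa` and `show crypto ipsec sa` across a rekey interval: a healthy setup shows the child SA renegotiated in place rather than aging out and staying down until cleared manually.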