Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1295
Views
0
Helpful
1
Replies

IPSec VPN tunnel does not tear down both ends

bgl-group
Level 1
Level 1

‎09-21-2011 08:13 AM - edited ‎02-21-2020 05:36 PM

Hi,

I have an IPSec VPN between two internet facing firewalls. This is used for Netscaler status messages only. Every now and then the VPN terminates for no apparent reason on one side but remains active on the other. When I logout the active one, the VPN establishes as normal.

I thought once one end of an IPSec VPN termintated the other end would terminate too. Has anyone had a similar experience and if so how do i fix it.

I'm using ASA5520 with ASA Version 8.3(2) at both ends.

Thanks

Stewart

Labels:
0 Helpful
1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

‎09-29-2011 01:38 AM

Strange, even if the tunnel goes down, isakmp keepalives should kick in and tear it down on the other end (and cause it to be re-established).

I suggest getting

debug crypto isakmp 10

debug crypto ipsec 10

on both sides, and starting it *before* the tunnel goes down, then check the part that corresponds to the time the tunnel fails. Hopefully that will tell you (or us) more about the reason of the failure, and why it is not coming up again.

hth

Herbert

0 Helpful
Customers Also Viewed These Support Documents