07-15-2011 02:26 PM
Hi,
Our client is running an L2L VPN between two sites and it works fine, but after every 2 to 3 days users are not able to access remote networks, so the administrator has to manually reset the tunnel on the Juniper side.
Any idea? Something wrong with the SA lifetimes?
ASA P1 lifetime is 86400, Phase 2 is 28800, and the same on the Juniper side as well.
Should I configure a lower lifetime, or is there a fragmentation issue?
ASA software is
asa805-k8.bin
Thanks..
07-15-2011 09:51 PM
Hi,
Well, you need to find out if the tunnel does indeed go down or if it just stops passing traffic.
When the issue arises, get these outputs:
"sh cry isa sa"
Clear the IPsec SA counters:
"clear crypto ipsec sa counters"
and get the following output:
"sh cry ipsec sa peer X.X.X.X"
Issue the above command a couple of times to see how the counters are incrementing.
If just the encaps increment and the decaps stay at 0 for that particular SA, then the issue is at the remote end; on the other hand, if it is the opposite, then the issue is on the ASA and we might be duplicating ASP entries.
Captures would be helpful too, so we can see what is going on with this traffic.
Regards,
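The counter comparison described in the reply above, as an added example that is not part of the thread: it parses two snapshots shaped like the `sh cry ipsec sa peer X.X.X.X` output and classifies each SA by which counters moved. The sample output, subnets and function names are constructed for illustration.

```python
import re

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)\)")
PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Constructed sample output (made-up subnets), trimmed to the lines parsed here.
SA_LINES = """\
      local ident (addr/mask/prot/port): ({l}/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): ({r}/255.255.255.0/0/0)
      #pkts encaps: {e}, #pkts encrypt: {e}, #pkts digest: {e}
      #pkts decaps: {d}, #pkts decrypt: {d}, #pkts verify: {d}
"""

def sample(rows):
    return "".join(SA_LINES.format(l=l, r=r, e=e, d=d) for l, r, e, d in rows)

FIRST = sample([("10.1.1.0", "10.2.2.0", 12, 0), ("10.1.1.0", "10.3.3.0", 5, 7)])
SECOND = sample([("10.1.1.0", "10.2.2.0", 40, 0), ("10.1.1.0", "10.3.3.0", 9, 15)])

def parse_sas(output):
    """Return {(local ident, remote ident): {'encaps': n, 'decaps': n}}."""
    sas, ident = {}, {}
    for line in output.splitlines():
        m = IDENT.search(line)
        if m:
            ident[m.group(1)] = m.group(2)
            continue
        m = PKTS.search(line)
        if m and len(ident) == 2:
            sas.setdefault((ident["local"], ident["remote"]), {})[m.group(1)] = int(m.group(2))
    return sas

def delta(old, new):
    # A lower value means the counters were cleared or the SA rekeyed in between.
    return new - old if new >= old else new

def diagnose(before, after):
    """Classify each SA from two snapshots taken a little apart."""
    verdicts = {}
    for key, now in after.items():
        old = before.get(key, {})
        enc = delta(old.get("encaps", 0), now.get("encaps", 0))
        dec = delta(old.get("decaps", 0), now.get("decaps", 0))
        if enc and not dec:
            verdicts[key] = "encaps only: check the remote end"
        elif dec and not enc:
            verdicts[key] = "decaps only: check the ASA"
        else:
            verdicts[key] = "passing both ways" if enc else "no traffic in the interval"
    return verdicts

if __name__ == "__main__":
    for sa, verdict in diagnose(parse_sas(FIRST), parse_sas(SECOND)).items():
        print(sa, "->", verdict)
```
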
07-15-2011 11:57 PM
Hi Medina,
As per the client, the tunnel stays up but communication between the two subnets drops, so he has to disconnect and reconnect the tunnel on the Juniper side.
I will try to get these outputs.
R/g