
L2L VPN issue between ASA and Juniper

nomair_83
Level 3

Hi,

Our client is running an L2L VPN between two sites and it works fine, but after every 2 to 3 days users are not able to access remote networks, so the administrator has to manually reset the tunnel on the Juniper side.

Any idea... something wrong with SA lifetimes?

ASA P1 lifetime is 86400, Phase 2 is 28800, and the same on the Juniper side as well.

Should I configure a lesser lifetime, or is there a fragmentation issue?

ASA software is

asa805-k8.bin

Thanks..

2 Replies

Gustavo Medina
Cisco Employee

Hi,

Well, you need to find out if the tunnel indeed goes down or if it just stops passing traffic.

When the issue arises, get these outputs:

"sh cry isa sa"

Clear the IPsec SA counters:

"clear crypto ipsec sa counters"

and get the following output:

"sh cry ipsec sa peer X.X.X.X"

Issue the above command a couple of times to see how the counters are incrementing.

If just the encaps increment and the decaps stay at 0 for that particular SA, then the issue is at the remote end; on the other hand, if it is the opposite, then the issue is on the ASA and we might be duplicating ASP entries.

Captures would be helpful too so we can see what is going on with this traffic.

Regards,
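
The counter comparison described in the reply above, as an added Python example that is not part of the original thread: it parses two captures of the `sh cry ipsec sa peer X.X.X.X` output and applies the encaps/decaps rule to each SA, also flagging counters that went backwards between captures. The sample output, addresses and function names are constructed for illustration.

```python
import re

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Constructed sample of the relevant lines; addresses are documentation ranges.
SNAPSHOT = """\
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
"""

def parse_sa_counters(text):
    """Return {(local_ident, remote_ident): {"encaps": n, "decaps": n}}."""
    sas, local, key = {}, None, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":
            local = m.group(2)
        elif m:  # the remote ident line completes the SA key
            key = (local, m.group(2))
            sas[key] = {"encaps": 0, "decaps": 0}
        else:
            c = COUNT.search(line)
            if c and key is not None:
                sas[key][c.group(1)] = int(c.group(2))
    return sas

def classify(before, after):
    """Apply the rule from the reply to two snapshots of one SA."""
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    if d_enc < 0 or d_dec < 0:
        return "counters reset between captures: take a new pair"
    if d_enc > 0 and d_dec == 0:
        return "encaps only: check the remote end"
    if d_dec > 0 and d_enc == 0:
        return "decaps only: check the ASA"
    return "traffic both ways" if d_enc and d_dec else "no traffic seen"

def compare(first, second):
    """Classify every SA that appears in both captures."""
    a, b = parse_sa_counters(first), parse_sa_counters(second)
    return {k: classify(a[k], b[k]) for k in a if k in b}

if __name__ == "__main__":
    pair = SNAPSHOT.format(enc=12, dec=0), SNAPSHOT.format(enc=40, dec=0)
    for sa, verdict in compare(*pair).items():
        print(sa, "->", verdict)
```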

Hi Medina,

As per the client, the tunnel stays up but communication between the two subnets drops, so he has to disconnect and reconnect the tunnel on the Juniper side.

I will try to get these outputs.

R/g