Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
804
Views
0
Helpful
5
Replies

Phase-2 Disconnecting

Go to solution
Imran Ahmad
Level 2
Level 2

‎09-15-2015 11:32 PM

Hello,

I have established VPN site-site between 2 ASAs Branch-to-HQ.  the issue is every morning time while both sites Turn-On their ASA devices, the Tunnel does not come up unless I run the following commands on HQ-ASA.

 

 

no crypto map tobranch interface outside

crypto map tobranch interface outside

 

Please instruct what is the issue ?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pjain2
Cisco Employee
Cisco Employee
In response to Imran Ahmad

‎10-07-2015 11:10 PM

the DPD's are getting lost on some device in the middle and that is what you need to check for

View solution in original post

0 Helpful
5 Replies 5

Go to solution
pjain2
Cisco Employee
Cisco Employee

‎09-21-2015 08:24 PM

does any of the sides try and initiate traffic to the remote end?

when the issue occurs next, initiate traffic from behind one ASA and collect the below outputs from both the ends simultaneously:

debug crypto condition peer <peer ip>

debug crypto isakmp 127

debug crypto ipsec 127

 

0 Helpful

Go to solution
Imran Ahmad
Level 2
Level 2
In response to pjain2

‎10-07-2015 03:25 AM

Hello pjain,

Please find attached the debugging output

Preview file
39 KB
0 Helpful

Go to solution
pjain2
Cisco Employee
Cisco Employee
In response to Imran Ahmad

‎10-07-2015 05:23 PM

in the debugs, i see phase 1 getting completed but then getting deleted with the reason:

IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

it means that the ASA did not receive DPD packets back from the remote peer.

can you check if your internet connection is stable while the ASA's try to bring up the tunnel by doing the ping between public ip's of both the ASA's during the time of the issue

0 Helpful

Go to solution
Imran Ahmad
Level 2
Level 2
In response to pjain2

‎10-07-2015 10:39 PM

there is no issue with internet connectivity, I can see 99.5% uptime.   there is onething else I want to mention.  my central office ASA has a private IP-Address (for its outside-interface),  so the ip (180.94.83.10) is the nated public ip-address of my Router connecting to internet. I have statically nated that ip (180.94.83.10) to my ASA Outside ip.     That is no causing the issue,, but I just wanted to let you know that I have this type of configuration.

 

Where the problem is, I am also stuck on it.     I contacted the ISP regarding the issue, they say there is no issue at our end.   but wat I m thinking is that the ISP at the remote sites are doing LINK-LOAD BALANCING , which I think that causes this vpn tunnel to get lost.   still not sure

 

 

 

0 Helpful

Go to solution
pjain2
Cisco Employee
Cisco Employee
In response to Imran Ahmad

‎10-07-2015 11:10 PM

the DPD's are getting lost on some device in the middle and that is what you need to check for

0 Helpful
Customers Also Viewed These Support Documents