I have got an IPsec VPN set up between two PIX 501s. The PIXs have reciprocal interesting-traffic ACLs. Site A protects 3 subnets and Site B protects 1. All the tunnels come up OK and data passing is fine. However, there is one strange problem. Every morning, after an evening of less activity:

- Site B devices would fail to see (e.g. ping) devices at Site A, with a few exceptions. For example, one device at Site A is always pingable irrespective of the ping status of the others. This device may be an MS domain controller which performs AD replication overnight.
- What's even stranger is that if I were to initiate a ping from an unpingable device at Site A to a device at Site B, all connectivity is restored over a few seconds to a minute.
- During this time, there are no new ISAKMP or IPsec SAs negotiated. Therefore this is probably not due to timeout values. I've got the ISAKMP timeout set at 86400 sec and IPsec set at 10000kB/86400sec.
- Sometimes, I observe 2 outbound and 2 inbound ESP SAs for the same IP flow (subnet to subnet), with both having ample time and kB left. Is this normal?
Both PIXs have really simple configurations.

Note also that the Site B PIX has another VPN tunnel to somewhere else, and it is NOT experiencing any problems. Both PIXs are running 6.3(4) and have been rebooted.
Thanks in advance for any help.
Lei