02-07-2013 02:23 AM
Hi Team,
In our organization we are facing a peculiar issue. We have nearly 20 S2S VPN tunnels on our ASA 5520 box. Many times users are complaining that they are unable to reach the destination. After toggling the particular tunnel (Clear Cry ipsec sa peer x.x.x.x or Clear cry isa sa peer x.x.x.x) it starts to work. This is causing production loss and costing the resources valuable time.
Is there any way we can avoid this, or is any extra config required to avoid this?
Please extend your help to fix this issue permanently.
Thanks & Regards
R.MADHANKUMAR
02-07-2013 04:33 AM
Make sure both phase I and phase II match exactly on each side. That's a start.
02-07-2013 10:26 PM
Hi,
On both sides the configuration is the same and there is no deviation. But this problem is still happening continuously. This issue is happening on some other tunnels also.
Expecting a solution for this.
02-07-2013 10:50 PM
Is isakmp keepalive enabled on the peers and the 5520? Usually this kind of thing may happen when one site thinks that the tunnel is up, while the other thinks it's down (due to a temporary connection problem or something). Then the site that lost the connection starts it again, and the other, which thinks that the connection is OK and didn't delete the SA (the 5520 in your case), drops it because it already has an SA with that peer.
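An added example, not part of any post in this thread: a Python audit over a saved tunnel-group section of an ASA running configuration that lists the site-to-site peers where ISAKMP keepalives are explicitly disabled, which is the condition the reply above asks about. The sample configuration and peer addresses are constructed, and the script assumes that a tunnel-group with no `isakmp keepalive` line is using the platform default.

```python
import re

# Constructed sample in the style of "show running-config tunnel-group" output.
# Peer addresses are documentation-range placeholders, not values from the thread.
SAMPLE_CONFIG = """\
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 30 retry 5
tunnel-group 203.0.113.30 type ipsec-l2l
tunnel-group 203.0.113.30 ipsec-attributes
 pre-shared-key *****
"""

def audit_keepalives(config):
    """Return {peer: keepalive setting} for every ipsec-l2l tunnel-group."""
    state = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) type ipsec-l2l\s*$", line)
        if m:
            # Assumption: no explicit keepalive line means the default applies.
            state[m.group(1)] = "default"
            current = None
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes\s*$", line)
        if m:
            # Only track attribute blocks that belong to a known L2L peer.
            current = m.group(1) if m.group(1) in state else None
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the block
            continue
        m = re.match(r"\s+isakmp keepalive (.+?)\s*$", line)
        if m and current:
            state[current] = m.group(1)
    return state

def peers_without_keepalive(config):
    """Peers whose tunnel-group explicitly disables ISAKMP keepalives."""
    found = audit_keepalives(config)
    return sorted(p for p, s in found.items() if s.startswith("disable"))

if __name__ == "__main__":
    for peer, setting in audit_keepalives(SAMPLE_CONFIG).items():
        print(f"{peer}: isakmp keepalive {setting}")
    print("review:", peers_without_keepalive(SAMPLE_CONFIG))
```

The same check has to be made on the remote peers' devices, since the stale-SA condition described in the reply arises when only one side notices the tunnel has gone down.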
02-13-2013 02:22 AM
Hi,
We have verified the config on both sides. The configs are identical. The issue happens once in a month or two, and at that time toggling is required. We are looking for a solution to avoid this permanently, as it suddenly affects production and all users using the S2S VPN are unable to access the destination.
Please help.
Madhankumar