Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
662
Views
0
Helpful
4
Replies

S2S VPN ISSUE

Madhan Kumar
Level 1
Level 1

‎02-07-2013 02:23 AM

Hi Team,

In our organization we are facing a peculiar issue. We have nearly 20 S2S vpn tunnels in our ASA 5520 box. Many times users are compalining that they are unable to reach the destination. Post toggling the particular tunnel ( Clear Cry ipsec sa peer x.x.x.x or Clear cry isa sa peer x.x.x.x) it is starting to work. This is causing production loss and valuable time for the resources.

Is there anyway where we can avoid this or is there any extra config is required to avaod this.            

Please extend your help to fix this issue permanantly.

Thanks & Regards

R.MADHANKUMAR

Labels:
0 Helpful
4 Replies 4

david.tran
Level 4
Level 4

‎02-07-2013 04:33 AM

Make sure both phase I and phase II match exactly on each side.  that's a start.

0 Helpful

Madhan Kumar
Level 1
Level 1
In response to david.tran

‎02-07-2013 10:26 PM

Hi,

Both side the configuration are same and there is a no deviation. But still this probelm happeneing continously. This issue is happening some other tunnels also.

Expecting a solution for this.

0 Helpful

Andrew Phirsov
Level 7
Level 7
In response to Madhan Kumar

‎02-07-2013 10:50 PM

Is isakmp keepalive enabled on peers and 5520? Usually this kind of thing may happen when one site thinks that tunnel is up, while ohter thingks it's down (due to temporary connection problem or smth). Then site that lost connection starts it again, and another, wich thinks that connection is ok and didn't delete SA (5520 in your case) drops it cause it already has SA with that peer.

0 Helpful

Madhan Kumar
Level 1
Level 1
In response to Andrew Phirsov

‎02-13-2013 02:22 AM

Hi,

We have verified the config on both sides. The config are identitical. The issue happening once in a month or two, at that time toggling is required. Looking for a solution to avoid this permamantly as it is suddenly affecting the production and all users using the S2S vpn unable to access the destination.

Please help.

Madhankumar

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents