In our organization we are facing a peculiar issue. We have nearly 20 S2S VPN tunnels on our ASA 5520 box. Many times users are complaining that they are unable to reach the destination. After toggling the particular tunnel (Clear Cry ipsec sa peer x.x.x.x or Clear cry isa sa peer x.x.x.x) it starts to work. This is causing production loss and costing valuable time for the resources.
Is there any way we can avoid this, or is any extra config required to avoid this?
Please extend your help to fix this issue permanently.
Is isakmp keepalive enabled on the peers and the 5520? Usually this kind of thing may happen when one site thinks that the tunnel is up, while the other thinks it's down (due to a temporary connection problem or something). Then the site that lost the connection starts it again, and the other, which thinks that the connection is OK and didn't delete the SA (the 5520 in your case), drops it because it already has an SA with that peer.
We have verified the config on both sides. The configs are identical. The issue happens once in a month or two, and at that time toggling is required. Looking for a solution to avoid this permanently, as it suddenly affects production and all users using the S2S VPN are unable to access the destination.
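The ISAKMP keepalive (dead peer detection) setting asked about in the reply above, shown as an added example that is not part of the original thread. The peer address 203.0.113.10 is a constructed placeholder, and the threshold and retry values are assumptions (the ASA defaults for site-to-site tunnel groups).

```text
! Constructed example: 203.0.113.10 stands in for the remote peer address.
!
! Setting to look for: keepalives turned off for the peer, so a dead peer
! is not detected and its SAs stay in place until lifetime expiry or a manual clear.
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive disable
!
! Corrected: keepalives on. threshold = idle seconds before probing starts,
! retry = seconds between probes that go unanswered.
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! Check the effective value, defaults included:
! show running-config all tunnel-group
```

The same check applies on the remote peer, since the reply asks about both ends of the tunnel.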