In our organization we are facing a peculiar issue. We have nearly 20 S2S VPN tunnels on our ASA 5520 box. Many times users are complaining that they are unable to reach the destination. After toggling the particular tunnel (Clear Cry ipsec sa peer x.x.x.x or Clear cry isa sa peer x.x.x.x) it starts to work. This is causing production loss and valuable time for the resources.
Is there any way we can avoid this, or is there any extra config required to avoid this?
Please extend your help to fix this issue permanently.
Is isakmp keepalive enabled on the peers and the 5520? Usually this kind of thing may happen when one site thinks that the tunnel is up, while the other thinks it's down (due to a temporary connection problem or something). Then the site that lost the connection starts it again, and the other one, which thinks that the connection is OK and didn't delete the SA (the 5520 in your case), drops it because it already has an SA with that peer.
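The asymmetric state the reply describes (the hub still holds an active IKE SA for a peer that has already dropped its side) can be spotted before users complain by comparing `show crypto isakmp sa` output from both ends. The following is an added example, not code from the thread; the command output is constructed in the ASA IKEv1 format and the hub/branch addresses (203.0.113.1, 198.51.100.20, 198.51.100.30) are made-up sample values.

```python
import re

# Constructed sample of "show crypto isakmp sa" on the hub ASA (203.0.113.1).
# Both branch peers appear as active SAs from the hub's point of view.
HUB_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.30
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed output from branch 198.51.100.20 (healthy: it still has an SA to the hub).
OK_BRANCH = """\
1   IKE Peer: 203.0.113.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed output from branch 198.51.100.30 (stale case: its side dropped the tunnel).
STALE_BRANCH = """\
IKEv1 SAs:

   Active SA: 0
Total IKE SA: 0

There are no IKEv1 SAs
"""

# One IKE SA entry: the peer address, then (further down in the same entry) its state.
PEER_RE = re.compile(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", re.S)


def parse_ike_sas(output):
    """Return {peer_ip: ike_state} for every SA entry in the command output."""
    return dict(PEER_RE.findall(output))


def stale_peers(hub_output, hub_ip, branch_outputs):
    """Peers the hub lists as MM_ACTIVE whose own output shows no SA back to the hub."""
    hub = parse_ike_sas(hub_output)
    return sorted(peer for peer, state in hub.items()
                  if state == "MM_ACTIVE" and peer in branch_outputs
                  and hub_ip not in parse_ike_sas(branch_outputs[peer]))
```

Running `stale_peers(HUB_OUTPUT, "203.0.113.1", {"198.51.100.20": OK_BRANCH, "198.51.100.30": STALE_BRANCH})` flags only 198.51.100.30, the tunnel that would need the clear on the hub; enabling isakmp keepalive (DPD) on both ends is what lets the hub notice this on its own.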
We have verified the config on both sides. The configs are identical. The issue is happening once in a month or two, and at that time toggling is required. Looking for a solution to avoid this permanently, as it is suddenly affecting production and all users using the S2S VPN are unable to access the destination.