Site-to-site VPN intermittent disconnects

Albert Succar
Level 1

We are having connection issues between two sites. Each site houses an ASA5510 and is connected via a site-to-site tunnel. The tunnel seems to drop randomly throughout the day. Sometimes it takes only 3 hours, other times it takes several days. This issue interferes with our backup jobs since they tend to fail when the tunnel is dropped. On one of the ends, we noticed the following logs (there were a lot more but I felt these were most important):

 

2014-09-11 02:46:32 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

2014-09-11 02:46:32 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP =1.1.1.1, Session is being torn down. Reason: Lost Service

 

Any ideas/suggestions? If additional information is needed about our environment, please let me know.

7 Replies

Walter Astori
Level 1

Did you set the lifetime option in the crypto map instruction?

Yes, it has an SA lifetime of 3600 seconds on both ends.

Can you execute the show vpn-sessiondb detail l2l command on the ASA and verify the Idle Time Out, Rekey Int (T), Rekey Int (D) parameters?

On both ASAs:

Rekey Int (T): 3600 seconds

Rekey Int (D): 102400000 K-Bytes

Can you insert the following instruction:

tunnel-group <name> ipsec-attributes
 isakmp keepalive disable
 

I was thinking of enabling this on the tunnel; however, we have a primary and backup interface being monitored via SLA. If I was to disable the keepalive on the primary tunnel, would that fail to establish a new tunnel on the backup interface if the primary goes down?

Which ASA would I need to apply this on?  
