09-16-2014 05:34 AM
We are having connection issues between two sites. Each site houses an ASA5510 and is connected via a site-to-site tunnel. The tunnel seems to drop randomly throughout the day. Sometimes it takes only 3 hours, other times it takes several days. This issue interferes with our backup jobs since they tend to fail when the tunnel is dropped. On one of the ends, we noticed the following logs (there were a lot more but I felt these were most important):
2014-09-11 02:46:32 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
2014-09-11 02:46:32 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP =1.1.1.1, Session is being torn down. Reason: Lost Service
Any ideas/suggestions? If additional information is needed about our environment, please let me know.
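Logs of the kind pasted above can be triaged mechanically. The following Python is an added example, not code from the original thread or from Cisco: it parses syslog-collector lines in the format shown, collects the %ASA-3-713123 (IKE lost contact, DPD) events per peer, and checks whether the gaps between successive drops fall on a whole number of SA lifetimes (3600 seconds here, the value the poster later reports). Drops that always land on a lifetime boundary point at rekeying; irregular gaps are more consistent with DPD declaring the peer dead after genuine packet loss. The sample log is constructed for the example (the two lines from the post plus a few extra lines in the same format, including a 713049 negotiation-complete message as noise).

```python
"""Triage ASA IKE tunnel drops from syslog and compare drop spacing with the SA lifetime.

Added example; not from the original thread. Assumes the collector format seen in the post:
"<YYYY-MM-DD HH:MM:SS> <facility.severity> <host> %ASA-<sev>-<id>: Group = <g>, IP = <ip>, <text>".
"""
import re
from datetime import datetime

# Message IDs referenced in the thread.
DPD_LOST_CONTACT = "713123"   # IKE lost contact with remote peer (keepalive type: DPD)
SESSION_TORN_DOWN = "713259"  # Session is being torn down

# Constructed sample: the two lines from the post plus extra lines in the same format.
SAMPLE_LOG = """\
2014-09-11 02:46:32 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
2014-09-11 02:46:32 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP =1.1.1.1, Session is being torn down. Reason: Lost Service
2014-09-11 02:46:40 Local4.Notice 192.168.2.2 %ASA-5-713049: Group = 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group (1.1.1.1)  Initiator, Inbound SPI = 0x1a2b3c4d, Outbound SPI = 0x5e6f7a8b
2014-09-11 05:46:31 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
2014-09-11 05:46:31 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
2014-09-12 14:10:03 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): Group = (?P<group>[^,]+), "
    r"IP =\s*(?P<peer>[^,]+), (?P<text>.*)$"   # \s* tolerates the "IP =1.1.1.1" spacing in the post
)


def parse_line(line):
    """Return a dict for an ASA VPN message (ts, host, sev, msgid, group, peer, text), else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def tunnel_drops(log_text, msgid=DPD_LOST_CONTACT):
    """Drop timestamps keyed by peer IP, taken from messages with the given ID."""
    drops = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["msgid"] == msgid:
            drops.setdefault(ev["peer"], []).append(ev["ts"])
    return drops


def drop_intervals(timestamps):
    """Whole seconds between consecutive drops, oldest first."""
    ts = sorted(timestamps)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


def aligned_with_lifetime(interval, lifetime=3600, tolerance=60):
    """True if the gap is within `tolerance` seconds of a whole number of SA lifetimes."""
    r = interval % lifetime
    return min(r, lifetime - r) <= tolerance


def summarize(log_text, lifetime=3600):
    """Per peer: drop count, the intervals between drops, and how many sit on a lifetime boundary."""
    out = {}
    for peer, stamps in tunnel_drops(log_text).items():
        gaps = drop_intervals(stamps)
        out[peer] = {
            "drops": len(stamps),
            "intervals": gaps,
            "on_lifetime_boundary": sum(aligned_with_lifetime(g, lifetime) for g in gaps),
        }
    return out


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        print(peer, info)
```

Feed it the full syslog export rather than the excerpt: with only two drops the boundary check says nothing, but over a week of drops a count of boundary hits close to the total drop count is a strong hint to look at the rekey rather than at DPD.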
09-16-2014 06:00 AM
Did you set the lifetime option in the crypto map instruction?
09-16-2014 06:02 AM
Yes, it has a SA lifetime of 3600 seconds on both ends
09-16-2014 06:40 AM
Can you execute the show vpn-sessiondb detail l2l command on the ASA and verify the Idle Time Out, Rekey Int (T), Rekey Int (D) parameters?
09-16-2014 06:43 AM
On both ASAs:
Rekey Int (T): 3600 seconds
Rekey Int (D): 102400000 K-Bytes
09-16-2014 06:56 AM
Can you insert the following instructions:
tunnel-group <name> ipsec-attributes
isakmp keepalive disable
09-16-2014 07:22 AM
I was thinking of enabling this on the tunnel; however, we have a primary and backup interface being monitored via SLA. If I were to disable the keepalive on the primary tunnel, would that fail to establish a new tunnel on the backup interface if the primary goes down?
09-19-2014 06:02 AM
Which ASA would I need to apply this on?