Showing results for 
Search instead for 
Did you mean: 

Site to Site VPN keeps dropping

I have a site to site VPN. Every few days my site stops transmitting data to the remote site but I do receive data from the remote site. Only way to fix it is to rebuild the tunnel. I dont have any idle time set for the vpn. so not sure why the tunnel keeps going down. Please help.

        I have  a ASA 5505 running 7.2 (3) IOS.


Hi Pratik,

To find out the issue we should:

1- Check the SA output during the failure.

2- Run a packet-tracer and compare the outbound SPI.

3- Verify if there is any overlap issue.

4- Do you clear the tunnel with the "clear crypto ipsec sa peer xxxx.xxxx.xxxx.xxxx command?

5- Captures on the inside.

For this kind of issues, I usually suggest opening a TAC case during the failure.



Please rate any posts that you consider helpful.

Message was edited by: Javier Portuguez


Unfortunately i dont have support on this device. Its a very random issue. Sometimes i dont see the tunnel transmitting and sometimes i dont see the tunnel receiving traffice. Its very weird. To fix it i just have to go ahead and rebuild the tunnel. I will try and do the packet tracing.


Hello Pratik,

Based on the explanation of the issue, it looks like the tunnel is not going down, but it just stops passing traffic.

Have you tried to clear the tunnel with the aforementioned "clear crypto" command by Javier?

Also, when the issue happens, please collect the following information before rebuilding the tunnel:

show asp table classify crypto | be out id

show asp table vpn-context detail

Please share the results with us.

Depending on how many tunnels you have in your ASA, the output of these commands can be a little extensive, so please increase the lines of scroll back of your terminal session in case you are using an application that limits that.

Daniel Moreno

Please rate any posts you find useful


Please see the attached files for the

show asp table classify crypto | be out id

show asp table vpn-context detail

Also, I checked the remote site and they also have the idle timeout disable. So not sure whats happening.



Also, Below is my license info for the firewall

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs                       : 20, DMZ Unrestricted

Inside Hosts                : Unlimited

Failover                    : Active/Standby

VPN-DES                     : Enabled

VPN-3DES-AES                : Enabled

VPN Peers                   : 25

WebVPN Peers                : 2

Dual ISPs                   : Enabled

VLAN Trunk Ports            : 8

I run Cisco SSL VPN on this firewall. And 1 site to site VPN which I am having problems with. So does license has to do anything in my case?

Content for Community-Ad