09-21-2012 06:10 AM
I have a site to site VPN. Every few days my site stops transmitting data to the remote site but I do receive data from the remote site. Only way to fix it is to rebuild the tunnel. I dont have any idle time set for the vpn. so not sure why the tunnel keeps going down. Please help.
I have a ASA 5505 running 7.2 (3) IOS.
09-21-2012 06:47 AM
Hi Pratik,
To find out the issue we should:
1- Check the SA output during the failure.
2- Run a packet-tracer and compare the outbound SPI.
3- Verify if there is any overlap issue.
4- Do you clear the tunnel with the "clear crypto ipsec sa peer xxxx.xxxx.xxxx.xxxx command?
5- Captures on the inside.
For this kind of issues, I usually suggest opening a TAC case during the failure.
Thanks.
Portu.
Please rate any posts that you consider helpful.
Message was edited by: Javier Portuguez
09-21-2012 12:57 PM
Unfortunately i dont have support on this device. Its a very random issue. Sometimes i dont see the tunnel transmitting and sometimes i dont see the tunnel receiving traffice. Its very weird. To fix it i just have to go ahead and rebuild the tunnel. I will try and do the packet tracing.
09-21-2012 01:08 PM
Hello Pratik,
Based on the explanation of the issue, it looks like the tunnel is not going down, but it just stops passing traffic.
Have you tried to clear the tunnel with the aforementioned "clear crypto" command by Javier?
Also, when the issue happens, please collect the following information before rebuilding the tunnel:
show asp table classify crypto | be out id
show asp table vpn-context detail
Please share the results with us.
Depending on how many tunnels you have in your ASA, the output of these commands can be a little extensive, so please increase the lines of scroll back of your terminal session in case you are using an application that limits that.
Daniel Moreno
Please rate any posts you find useful
10-02-2012 05:49 AM
10-02-2012 05:58 AM
Also, Below is my license info for the firewall
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
I run Cisco SSL VPN on this firewall. And 1 site to site VPN which I am having problems with. So does license has to do anything in my case?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide