Site to Site VPN keeps dropping

I have a site to site VPN. Every few days my site stops transmitting data to the remote site, but I do receive data from the remote site. The only way to fix it is to rebuild the tunnel. I don't have any idle time set for the VPN, so not sure why the tunnel keeps going down. Please help.

I have an ASA 5505 running 7.2(3) IOS.

5 Replies

Hi Pratik,

To find out the issue we should:

1- Check the SA output during the failure.

2- Run a packet-tracer and compare the outbound SPI.

3- Verify if there is any overlap issue.

4- Do you clear the tunnel with the "clear crypto ipsec sa peer xxxx.xxxx.xxxx.xxxx" command?

5- Captures on the inside.

For this kind of issue, I usually suggest opening a TAC case during the failure.

Thanks.

Portu.

Please rate any posts that you consider helpful.

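As an added example (not code from anyone in this thread), the comparison Javier suggests in steps 1 and 2 can be scripted: take two captures of the tunnel's "show crypto ipsec sa" section a minute apart, check that the SPIs are unchanged, and compare the #pkts encaps/decaps counters to tell a one-way stall (the symptom described, receiving but not transmitting) from a rekey or a genuinely idle tunnel. The sample output is constructed and assumes the ASA field layout shown; the peer and SPI values are made up.

```python
import re

# Constructed sample (not from the thread): one tunnel's section of
# "show crypto ipsec sa" in ASA format, captured at two moments.
SNAPSHOT_T0 = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.2
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.9
      #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest: 4120
      #pkts decaps: 8811, #pkts decrypt: 8811, #pkts verify: 8811
    inbound esp sas:
      spi: 0x7A1B2C3D
    outbound esp sas:
      spi: 0x0E5F6A7B
"""
# A minute later: decaps kept rising, encaps did not, same SPIs.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("#pkts decaps: 8811", "#pkts decaps: 9206")

def parse_sa(text):
    """Extract the fields worth comparing between two captures."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {
        "peer": grab(r"current_peer:\s*(\S+)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
        "in_spi": grab(r"inbound esp sas:\s+spi:\s*(0x[0-9A-Fa-f]+)"),
        "out_spi": grab(r"outbound esp sas:\s+spi:\s*(0x[0-9A-Fa-f]+)"),
    }

def diagnose(before, after):
    """Classify what changed between two parsed snapshots of the same SA."""
    if (before["in_spi"], before["out_spi"]) != (after["in_spi"], after["out_spi"]):
        # New SPIs mean a rekey or rebuild; counters restarted, so compare later.
        return "rekeyed"
    tx = after["encaps"] - before["encaps"]
    rx = after["decaps"] - before["decaps"]
    if tx == 0 and rx > 0:
        return "one-way: decaps rising, encaps stalled"
    if rx == 0 and tx > 0:
        return "one-way: encaps rising, decaps stalled"
    if tx == 0 and rx == 0:
        return "idle"
    return "healthy"

if __name__ == "__main__":
    print(diagnose(parse_sa(SNAPSHOT_T0), parse_sa(SNAPSHOT_T1)))
```

A "one-way" result with unchanged SPIs points at the encrypting side's crypto map or ASP classification rather than at the IKE negotiation, which is where Daniel's asp table commands come in.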

Unfortunately I don't have support on this device. It's a very random issue. Sometimes I don't see the tunnel transmitting and sometimes I don't see the tunnel receiving traffic. It's very weird. To fix it I just have to go ahead and rebuild the tunnel. I will try and do the packet tracing.

Hello Pratik,

Based on the explanation of the issue, it looks like the tunnel is not going down, but it just stops passing traffic.

Have you tried to clear the tunnel with the aforementioned "clear crypto" command by Javier?

Also, when the issue happens, please collect the following information before rebuilding the tunnel:

show asp table classify crypto | be out id

show asp table vpn-context detail

Please share the results with us.

Depending on how many tunnels you have in your ASA, the output of these commands can be a little extensive, so please increase the lines of scroll back of your terminal session in case you are using an application that limits that.

Daniel Moreno

Please rate any posts you find useful

Please see the attached files for the

show asp table classify crypto | be out id

show asp table vpn-context detail

Also, I checked the remote site and they also have the idle timeout disabled. So not sure what's happening.

Thanks.

Also, below is my license info for the firewall:

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs                       : 20, DMZ Unrestricted

Inside Hosts                : Unlimited

Failover                    : Active/Standby

VPN-DES                     : Enabled

VPN-3DES-AES                : Enabled

VPN Peers                   : 25

WebVPN Peers                : 2

Dual ISPs                   : Enabled

VLAN Trunk Ports            : 8

I run Cisco SSL VPN on this firewall, and one site to site VPN, which I am having problems with. So does the license have anything to do with my case?
