Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
572
Views
5
Helpful
3
Replies

site to site vpn

bluesea2010
Level 5
Level 5

‎11-08-2021 08:23 AM

Hi,

I am running  site ti site ipsec vpn  (asa 5580) , the  first  one or two packet always fail when I ping 

 

What could be the reason 

 

Thanks 

Labels:
0 Helpful
3 Replies 3

Mohammed al Baqari
Level 11
Level 11

‎11-08-2021 08:34 AM

Hi,

This is because the VPN is down. You need 1 or 2 packets to trigger IPSEC
negotiations and establish IPSEC SA. While the negotiation is taking place,
the packets intended to pass through the tunnel will be dropped.

**** please remember to rate useful posts
0 Helpful

bluesea2010
Level 5
Level 5
In response to Mohammed al Baqari

‎11-09-2021 02:00 AM

Hi,

How to solve this issue 

 

Thanks

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to bluesea2010

‎11-09-2021 02:15 AM

Hi,

Run a continuous traffic between nodes such as IP SLA every 5 mins. This
will keep the tunnel IP as the traffic will always be present. Otherwise,
disable SA idle timeout to make it continuous which is not recommended.

IP SLA examples
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html

**** please remember to rate useful posts
Customers Also Viewed These Support Documents