cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1503
Views
0
Helpful
1
Replies

Tunnel staying up but not passing traffic

bhartsfield
Level 1
Level 1

I have a VPN tunnel from an ASA 5500 running 8.0.4 to a Nortel Contivity device.  Periodically the tunnel will just stop passing traffic (do not see encap or decap numbers increasing) but the tunnel will still be up.  After a clear crypto ipsec on the peer the tunnel will reestablish and everything will be fine again.  Actually it is only 2 SAs within the tunnel that stop passing traffic.  One thing I do see different on them is that the SA that keeps working the whole time has lifetime listed as just sec but the SAs that stop passing traffic have lifetime listed as KB/Sec.  Not sure why different SAs to the same peer (and in the same crypto map) are negotiating differently.  The crypto map statement has both kb and sec lifetimes specified.  We have several other tunnels on this ASA and only have this issue on this one - however I think this may be the only Nortel Contivity we have a tunnel to.

Onbiously we would prefer not to have to reset the tunnel periodically so any suggestions on what might be causing some SAs in the tunnel to "freeze" would be appreciated.

1 Reply 1

ankaushi
Cisco Employee
Cisco Employee

Can you please share the config - Phase 1 and Phase 2 parameters of both the devices?

Have you checked the Lifetime on both devices? The default lifetime value on ASA for Phase 1 is 86400 sec which is 24 hours and for Phase 2 is 28800 sec which is 8 hours. Make sure you have the same configured on the Nortel device also.

Thanks & Regards,

Anshul