First of all, I'd like to say that I've searched and read all the posts that are available related to this topic.
However, I've been unable to solve our issue.
We have a Site2Site VPN with one of our remote offices. This Site2Site is built using a dynamic IP address on the remote site and through an operator's router. The Site2Site is correctly established between both ASAs.
The weird thing that happens to us is that every time I reload the remote site's ASA, SNMP begins to work and we receive responses from there. However, after 5 to 10 minutes, it stops responding. I don't even see any traffic from our NMS.
Another weird thing is that when it works after a reload, if I make a Packet Tracer test, it works. And when SNMP stops responding, it just fails. It fails at the VPN phase (the last one), giving no error for the failure. The only weird thing is that it takes the source or destination address as 0.0.0.0 instead of the one stated in the command.
Does anybody know how I could get deeper into this? Any ideas I can test?
Thanks a lot in advance.
If it works briefly and then stops after 5 to 10 minutes it suggests that perhaps there is some table entry that times out. Perhaps something like an ARP entry?
Do other things continue to work OK 5 to 10 minutes after reload? Is the problem just about SNMP, or are other types of traffic also impacted?
Perhaps you could share a sanitized copy of the ASA configuration?
First of all, thanks for your answer.
I don't think there's an ARP table timeout or anything. I don't know why, but every time we reload the remote ASA it begins to work. The Site2Site tunnel is established and everything is fine; however, after 5 or 10 minutes, it stops responding.
Actually, SNMP is not the only traffic that is not working. We'd like to manage that ASA via SSH and HTTPS, but that doesn't work either, nor do ICMP packets from our administration computers.
The only thing we allow into the VPN is the traffic from our administration IP addresses and from the ASAs' LAN subnets. That way we'd like to monitor and manage the remote ASA, but it's not working. We always try to ping or connect to the inside IP address.
I attach a sanitized configuration of our ASA.
Also, I tried to reload the VPN connections, but it still does not work. It drives me crazy that after reloading it works for a little bit and then stops working.
Thanks for all the help.
I have looked at the config and do not find any obvious issues. I wonder if it could be something like a translation table entry that times out? When it happens, are there any messages in the ASA log that might relate to what is going on?
If I go to Logging in ASDM and open the new window at Debugging level, I do not see anything related to traffic coming from our NMS.
How can I check if there's any log or indicator of what could be going on?
When you go to ASDM and open a new window for logging, it will show current activity. But the issue may be something that has happened already, so a different approach may be needed than ASDM logging. Is logging to the buffer enabled at debug level? If you do show log from the command line, how far back do the messages in the logging buffer go? If the logging buffer can show you at least 30 minutes of activity, and if the problem will happen within 10 minutes of reload, then you may be able to find the issue by doing, from the command line, show log | include
If the logging buffer is not large enough to display at least 30 minutes of activity, then a different approach may be needed. Perhaps you could make sure that logging monitor is enabled at debug level. Then, after reload, quickly establish command line access from some PC. Use the terminal monitor command to display the log messages on the PC. When the problem has happened, use terminal no monitor to stop the display of new messages and look through the display for any messages that mention the address of the NMS. This assumes that your terminal emulation program has a sufficiently large buffer to hold log messages over a period of at least 20 to 30 minutes.
When the problem has happened, is the ASA able to ping the address of the NMS? If the ASA does ping the address of the NMS, does that enable the NMS to access the ASA?
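As an added example (not part of the thread above, and not anything the posters ran), here is a small Python script that does offline what the "show log | include" step and the "how far back does the buffer go" question ask for by hand: paste the output of show logging (or the text captured with terminal monitor) into a file, and it reports how many seconds the buffer covers, every entry that mentions the NMS address as a whole address, and how long after the oldest entry (or after a reload time you supply) each of those events occurred. It assumes logging timestamp is enabled so each entry starts with a date; the sample buffer, its addresses (10.1.1.5 standing in for the NMS, 10.1.1.20 for an admin PC, 192.168.10.1 for the remote ASA's inside interface) and the events themselves are constructed for the example and say nothing about what the asker's log actually contains.

```python
"""Offline filter for an ASA logging buffer captured with 'show logging'.

Added example, not from the original thread. Assumes 'logging timestamp' is
enabled so every entry looks like 'Jan 05 2014 10:00:01: %ASA-6-302013: ...'.
The sample buffer below is constructed; addresses and events are invented.
"""
import re
from datetime import datetime

# Constructed sample buffer (assumption: this is what a timestamped buffer looks like).
# 10.1.1.5 stands in for the NMS, 10.1.1.20 for an admin PC,
# 192.168.10.1 for the remote ASA's inside interface.
SAMPLE_BUFFER = """\
Syslog logging: enabled
    Facility: 20
Jan 05 2014 10:00:01: %ASA-6-605005: Login permitted from 10.1.1.20/51234 to inside:192.168.10.1/ssh for user "admin"
Jan 05 2014 10:02:10: %ASA-6-302020: Built inbound ICMP connection for faddr 10.1.1.5/0 gaddr 192.168.10.1/0 laddr 192.168.10.1/0
Jan 05 2014 10:02:12: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.5/0 gaddr 192.168.10.1/0 laddr 192.168.10.1/0
Jan 05 2014 10:04:33: %ASA-6-302013: Built inbound TCP connection 12 for outside:10.1.1.5/54321 (10.1.1.5/54321) to inside:192.168.10.1/22 (192.168.10.1/22)
Jan 05 2014 10:13:40: %ASA-4-106023: Deny udp src outside:10.1.1.5/1234 dst inside:192.168.10.1/161 by access-group "outside_access_in" [0x0, 0x0]
Jan 05 2014 10:15:02: %ASA-6-302013: Built outbound TCP connection 13 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:192.168.10.20/50001 (192.168.10.20/50001)
"""

# One buffer entry: timestamp, severity, six-digit message id, free text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"


def parse_buffer(text):
    """Return [(timestamp, severity, message id, message text)] in buffer order.
    Header lines and anything without a timestamp are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        entries.append((ts, int(m.group("sev")), m.group("msgid"), m.group("text")))
    return entries


def buffer_span_seconds(entries):
    """Seconds between the oldest and newest entry: how far back the buffer reaches."""
    if len(entries) < 2:
        return 0
    times = [e[0] for e in entries]
    return int((max(times) - min(times)).total_seconds())


def mentions_address(entries, addr):
    """Entries whose text contains addr as a whole address, so 10.1.1.5 does
    not match inside 10.1.1.50 or 110.1.1.5. The offline form of
    'show log | include addr'."""
    pat = re.compile(r"(?<![\d.])" + re.escape(addr) + r"(?![\d.])")
    return [e for e in entries if pat.search(e[3])]


def seconds_since(entries, addr, baseline=None):
    """For each entry mentioning addr, (seconds since baseline, message id).
    baseline defaults to the oldest entry; pass the reload time if you know it
    to see where each event falls in the minutes after the reload."""
    if baseline is None:
        baseline = min(e[0] for e in entries)
    return [(int((e[0] - baseline).total_seconds()), e[2])
            for e in mentions_address(entries, addr)]


def report(text, addr):
    """Print the span covered by the buffer and every line mentioning addr."""
    entries = parse_buffer(text)
    span = buffer_span_seconds(entries)
    print("buffer covers %d s (%.1f min), %d entries" % (span, span / 60, len(entries)))
    for (offset, _), e in zip(seconds_since(entries, addr), mentions_address(entries, addr)):
        print("+%4ds  sev%d  %s  %s" % (offset, e[1], e[2], e[3]))
    return entries


if __name__ == "__main__":
    report(SAMPLE_BUFFER, "10.1.1.5")
```

Run it against a real capture with report(open("showlog.txt").read(), "<NMS address>"); if the span printed on the first line is well under 30 minutes, the buffer is too small for the approach above and the terminal monitor method is the fallback. The whole-address match matters because a bare substring search for 10.1.1.5 would also pull in 10.1.1.50.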