
VPN tunnel down

AndreyPokorskiy
Level 1

Hello!
Our company has a VPN L2L connection to company XY.
Company XY changed the peer IP address and encryption algorithm.
We got a request to change the peer IP and encryption algorithm.
It was done.
But the VPN tunnel is down now.
I found that the "security-association lifetime" was not set on our firewall.
Could a "security-association lifetime" settings mismatch prevent the VPN tunnel between the two companies from being established?

All IPs are up; the phase 1 and phase 2 setup is identical.
Routing and ACLs have been set up and worked before.

Thank you!


JP Miranda Z
Cisco Employee

Hi AndreyPokorskiy,

-Normally a security-association lifetime mismatch is not going to prevent the tunnel from coming up.

-If you have a sanitized config I can take a look and see if something is not configured correctly.

-You can also run some debugs and see why the tunnel is not coming up:

debug cry condition peer <peerip>

debug cry isa 180

Hope this info helps!!

Rate if helps you!! 

-JP-

Thank you JP!
Sorry I missed your comment.
We found the issue.

To allow the traffic, the IP protocol should be allowed in the ACL on the Cisco ASA.

For some reason, it was working with only TCP ports allowed in the ACL before the firmware was updated on the other side of the VPN tunnel (Sophos FW).

Thank you!

Best regards,

Andrey P.
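An added example, not from the thread, of the ASA-side configuration the resolution points at: a crypto ACL that permits only TCP ports beside the corrected one that permits the IP protocol between the two networks, plus the peer, lifetime and verification commands discussed above. All names, addresses and the transform set are assumed values chosen for illustration.

```cisco
! Assumed values (not from the thread): local 10.1.0.0/16,
! remote 192.168.50.0/24, peer 203.0.113.10, crypto map OUTSIDE_MAP.

! Before: crypto ACL limited to TCP ports. The ASA then offers
! protocol/port-specific proxy IDs in IKE phase 2; a peer that is
! configured with plain subnet-to-subnet selectors (as after the
! Sophos update) rejects them, so phase 2 never completes even
! though every phase 1 parameter matches.
access-list VPN_TO_XY_OLD extended permit tcp 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0 eq 443
access-list VPN_TO_XY_OLD extended permit tcp 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0 eq 22

! After: the crypto ACL permits the IP protocol between the two
! networks, which matches the peer's subnet-based selectors.
access-list VPN_TO_XY extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0

! Port restrictions belong in a vpn-filter on the group policy,
! not in the crypto ACL. vpn-filter ACLs are written with the
! remote network as the source.
access-list VPN_XY_FILTER extended permit tcp 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0 eq 443
access-list VPN_XY_FILTER extended permit tcp 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0 eq 22
group-policy XY_L2L_GP internal
group-policy XY_L2L_GP attributes
 vpn-filter value VPN_XY_FILTER

! Crypto map entry: new peer address and the agreed transform set.
! The SA lifetime only has to be acceptable to both sides; a
! mismatch makes the shorter value win, it does not block the tunnel.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_XY
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy XY_L2L_GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key-placeholder>

! Verification: phase 1 state, then the phase 2 SAs for this peer.
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
```

If phase 1 shows MM_ACTIVE but no IPsec SA appears for the peer, compare the local and remote selectors printed by the second command (and by the peer's logs) before touching any lifetime value.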