ASA 5520 and 871 vpn tunnel drops

Unanswered Question
Jun 18th, 2007

I have an ASA 5520 that has several PIX 501s and Cisco 871s which connect to it using an EZVPN connection. For some strange reason only 2 or 3 of the connections will drop on the ASA 5520. The 871 on the other end still shows a VPN tunnel as being up even though the ASA shows it as not connected. Traffic will not cross when it is in this state. It is always the same 871s with the issue. The tunnel will recreate on its own from time to time but at no set time. It may be in 15 minutes or 5-6 hours.

If the 871 is power cycled they will come right back up and work for 30 minutes up to 16-18 hours before it happens again.

I have monitoring software behind the ASA 5520 that connects to the 871's inside interface once per minute to verify that it is up. Therefore, there is traffic crossing that link at least once every 60 seconds. The packets are small but there is always data traveling.

I have swapped out 871s at these remote locations, but the issue still appears. Also, the internet providers are different at each of these locations. All providers that I talked to state that they see no issues with our connection to the internet.

Any help would be great.

shomar Tue, 06/19/2007 - 00:03

Hi,

Try enabling ISAKMP keepalives through the tunnels from those sites. Also double check and hard code the lifetimes for ISAKMP and IPsec to be identical on both sides (both time and KB limits).

Hope that this helps.

Kindest regards,

Shadi

Robert Phillips Tue, 06/19/2007 - 13:37

I believe I already have keepalives enabled. The ASA has ISAKMP Monitor Keepalives turned on with the confidence interval set to 10 seconds and retries set at 3 seconds.

I am not sure how I can enable that on the 871 since it has an EZVPN configuration where I can only add a small set of commands.

stephenshaw Thu, 06/21/2007 - 10:07

Hi,

You may want to investigate if the 5520 is experiencing one of two bugs:

CSCsd79775 or CSCsd48512

On the 5520 do a 'show ipsec stat' command and see if the "missing SA failures" count increments or not. Also try a 'show asp drop' and check whether the "Tunnel being brought up or torn down" counter is incrementing. If the counts are incrementing, you have one of the bugs. A workaround is to hard power down the firewall and power it back up.

HTH,

Steve
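The check Steve describes is a before/after comparison of two ASA counters. The script below is an added example, not part of this thread or of any Cisco tool: it takes two snapshots of the concatenated `show ipsec stats` and `show asp drop` output, pulls out the "missing SA failures" and "Tunnel being brought up or torn down" values, and reports which counters grew between snapshots (a counter that went down is flagged as a reset, which is what you would see after the power-cycle workaround). The sample snapshots are constructed and only approximate the real output layout; the assumption is that each counter appears on a line containing that label followed by a number, which is all the regexes rely on.

```python
import re

# Counter labels quoted in the thread; the regex only needs the label and
# the next run of digits, so surrounding formatting does not matter.
COUNTERS = {
    "missing_sa_failures": re.compile(r"missing SA failures\D*(\d+)", re.I),
    "tunnel_pending_drops": re.compile(
        r"tunnel being brought up or torn down\D*(\d+)", re.I),
}

# Constructed sample snapshots (not real ASA output): the output of
# "show ipsec stats" and "show asp drop" pasted together, taken ~1 hour apart.
SNAPSHOT_T0 = """\
IPsec Global Statistics
Active tunnels: 12
Failures
    Missing SA failures: 4
Frame drop:
    Tunnel being brought up or torn down (tunnel-pending)   210
"""

SNAPSHOT_T1 = """\
IPsec Global Statistics
Active tunnels: 10
Failures
    Missing SA failures: 9
Frame drop:
    Tunnel being brought up or torn down (tunnel-pending)   235
"""


def parse_counters(text):
    """Return {counter_name: value} for every known counter found in text."""
    found = {}
    for name, rx in COUNTERS.items():
        m = rx.search(text)
        if m:
            found[name] = int(m.group(1))
    return found


def compare_snapshots(before_text, after_text):
    """Classify each counter as 'incremented', 'stable', 'reset' or 'missing'.

    Returns a dict with per-counter deltas and an overall 'suspect' flag that
    is True when any counter grew, i.e. the symptom Steve says points at the bug.
    """
    before = parse_counters(before_text)
    after = parse_counters(after_text)
    result = {"deltas": {}, "status": {}, "suspect": False}
    for name in COUNTERS:
        if name not in before or name not in after:
            result["status"][name] = "missing"   # label not present in one snapshot
            continue
        delta = after[name] - before[name]
        result["deltas"][name] = delta
        if delta > 0:
            result["status"][name] = "incremented"
            result["suspect"] = True
        elif delta < 0:
            result["status"][name] = "reset"     # box reloaded between snapshots
        else:
            result["status"][name] = "stable"
    return result


if __name__ == "__main__":
    verdict = compare_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    for name, status in verdict["status"].items():
        print(f"{name}: {status} (delta {verdict['deltas'].get(name)})")
    print("suspect:", verdict["suspect"])
```

Take the two snapshots while the affected 871s are in the "up on the router, down on the ASA" state; if both counters are stable across that window, the drops are more likely a keepalive or lifetime mismatch than the ASA bug.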
