ASA 5520 and 871 vpn tunnel drops

Unanswered Question
Jun 18th, 2007

I have an ASA 5520 that has several PIX 501s and Cisco 871s which connect to it using an EZVPN connection. For some strange reason only 2 or 3 of the connections will drop on the ASA 5520. The 871 on the other end still shows a VPN tunnel as being up even though the ASA shows it as not connected. Traffic will not cross when it is in this state. It is always the same 871s with the issue. The tunnel will recreate on its own from time to time but at no set time. It may be in 15 minutes or 5-6 hours.


If the 871 is power cycled, it will come right back up and work for 30 minutes up to 16-18 hours before it happens again.


I have monitoring software behind the ASA 5520 that connects to the 871's inside interface once per minute to verify that it is up. Therefore, there is traffic crossing that link at least once every 60 seconds. The packets are small but there is always data traveling.


I have swapped out 871's at these remote locations, but the issue still appears. Also the internet providers are different at each of these locations. All providers that I talked to state that they see no issues with our connection to the internet.


Any help would be great.

shomar Tue, 06/19/2007 - 00:03

Hi,


Try enabling ISAKMP keepalives through the tunnels from those sites. Also double-check and hard-code the lifetimes for ISAKMP and IPsec to be identical on both sides (both time and KB limits).


Hope that this helps.


Kindest regards,

Shadi

Robert Phillips Tue, 06/19/2007 - 13:37

I believe I already have keepalives enabled. The ASA has ISAKMP Monitor Keepalives turned on with the confidence interval set to 10 seconds and retries set at 3 seconds.


I am not sure how I can enable that on the 871 since it has an EZVPN configuration where I can only add a small set of commands.

stephenshaw Thu, 06/21/2007 - 10:07

Hi,


You may want to investigate if the 5520 is experiencing one of two bugs:


CSCsd79775 or CSCsd48512


On the 5520 do a 'show ipsec stat' command and see if the "Missing SA failures" count increments or not. Also try 'show asp drop' and see if the "Tunnel being brought up or torn down" counter is incrementing. If the counts are incrementing, you have one of the bugs. A workaround is to hard power down the firewall and power it back up.


HTH,


Steve
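
A small script for the two counter checks Steve describes, added here as an example and not from the thread or from Cisco. The captures are constructed, abbreviated approximations of the two commands' output, and the short reason name on the tunnel line is a placeholder.

```python
import re

# Constructed samples approximating the layout of 'show ipsec stats' and
# 'show asp drop' on an ASA. Two captures of each, taken some minutes apart.
IPSEC_T0 = """\
IPsec Global Statistics
-----------------------
Active tunnels: 14
Previous tunnels: 212
Protocol failures: 0
Missing SA failures: 37
System capacity failures: 0
"""
IPSEC_T1 = IPSEC_T0.replace("Missing SA failures: 37", "Missing SA failures: 52")

# '(reason-name)' is a placeholder; the thread gives only the description text.
ASP_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)              1203
  Tunnel being brought up or torn down (reason-name)         418
  First TCP packet not SYN (tcp-not-syn)                      77
"""
ASP_T1 = ASP_T0.replace("418", "431")


def read_counter(capture, label):
    """Return the integer following LABEL in a capture, or None if absent.
    Accepts 'Label: N' and 'Label (short-name)   N' line layouts."""
    pat = re.compile(r"^\s*" + re.escape(label)
                     + r"(?:\s*\([^)]*\))?\s*:?\s+(\d+)\s*$", re.MULTILINE)
    m = pat.search(capture)
    return int(m.group(1)) if m else None


def incrementing(before, after, label):
    """True if LABEL grew between two captures, False if not, None if missing."""
    b, a = read_counter(before, label), read_counter(after, label)
    if b is None or a is None:
        return None
    return a > b


def check_bug_symptoms(ipsec_before, ipsec_after, asp_before, asp_after):
    """Apply both checks from the thread; a True value is a symptom."""
    return {
        "Missing SA failures": incrementing(ipsec_before, ipsec_after, "Missing SA failures"),
        "Tunnel being brought up or torn down": incrementing(
            asp_before, asp_after, "Tunnel being brought up or torn down"),
    }


if __name__ == "__main__":
    for label, grew in check_bug_symptoms(IPSEC_T0, IPSEC_T1, ASP_T0, ASP_T1).items():
        state = {True: "incrementing", False: "stable", None: "not found"}[grew]
        print(f"{label}: {state}")
```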

Robert Phillips Thu, 06/21/2007 - 19:43

Thanks Steve, I will look into that. At this point I am open to anything.

