I have a L2L VPN setup between a PIX 515E and a 3020 concentrator. On the PIX side, I have a single subnet; behind the 3020 I have 4 subnets.
The tunnel will work initially but will then drop one of the IPSEC SAs for one of the subnets, at least according to a sh crypto ipsec sa on the PIX, at random durations. The only way to get it working again is to re-establish the tunnel.
I did a debug on the PIX side and looked at the logs on the 3020 and I do see QM FSM errors, but I double-checked the crypto map and network lists on both sides and they match up in order.
I also tried playing with IKE keepalives per an older thread, with no luck either. Any idea what else I should be checking? There's also occasionally a phase 2 authentication duplicate error that I'm looking into now as well.
It's weird because it does work, and sometimes for days on end, but recently it's been dropping subnets more frequently.
One other item: 1 of the 4 subnets behind the 3020 is actually hairpinning since it is a remote access VPN network. Not sure if it makes a difference.
Any suggestions? Thanks in advance.