I have a weird problem that just started happening on a L2L tunnel to one of our remote employees:
I have a Cisco 1841 router here which serves as our local VPN endpoint, and the remote employees have PIX 501s at their homes. We set up L2L IPSEC tunnels between the devices.
Recently, one of the tunnels has started "flapping" the SAs. For example, here is a simple representation of the crypto map:
(Remote LAN) (Local LAN)
172.17.0.0/29 <--> 10.100.10.0/24
172.17.0.0/29 <--> 10.100.20.0/24
172.17.0.0/29 <--> 10.100.201.0/24
172.17.0.0/29 <--> 10.100.209.0/24
172.17.0.0/29 <--> 10.254.1.0/30
When a device behind the PIX 501 (the 172. net) connects to a device in 10.100.209.0, the SA comes up and the connection is established. Then, another device behind the PIX 501 connects to 10.100.201.0 and the SA comes up and the connection is established. But then, say a device behind the PIX 501 tries to connect to another subnet like 10.254.1.0 and that SA comes up, but another goes down, killing his Citrix MetaFrame session, for example. Then, he redials his Citrix session and his IP phone goes unregistered because the SA for the connection between his phone and the CallManager goes down.
I will admit that I have very limited experience configuring L2L IPSEC tunnels on Cisco devices, and I am in dire need of some learning on the subject.
For now though, are there any debugging commands I can use that might be able to tell me why the SAs are going up and down and what I can do to correct it?
I have console access to the 1841, I do not have access to the PIX.
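For reference, here is an added example (not the poster's actual configuration) of how the five crypto-map entries listed above correspond to a single IOS crypto ACL on the 1841 side, followed by the read-only show commands and the debug commands used to watch SA state from the router console. The ACL name, crypto map name, transform-set name and peer address are placeholders.

```cisco
! Hypothetical 1841-side crypto ACL mirroring the five entries in the post.
! IOS negotiates one IPsec SA pair per ACL line (per proxy identity), so each
! line below shows up as its own "local ident / remote ident" pair in show output.
ip access-list extended VPN-REMOTE-EMPLOYEE
 permit ip 10.100.10.0 0.0.0.255 172.17.0.0 0.0.0.7
 permit ip 10.100.20.0 0.0.0.255 172.17.0.0 0.0.0.7
 permit ip 10.100.201.0 0.0.0.255 172.17.0.0 0.0.0.7
 permit ip 10.100.209.0 0.0.0.255 172.17.0.0 0.0.0.7
 permit ip 10.254.1.0 0.0.0.3 172.17.0.0 0.0.0.7
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 203.0.113.10          ! placeholder: the PIX 501's public address
 set transform-set TS-AES-SHA   ! placeholder transform-set name
 match address VPN-REMOTE-EMPLOYEE
!
! Step 1: read-only view of current SA state, no impact on traffic.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
! In the second command, the "#pkts encaps/decaps" counters and the
! "sa timing: remaining key lifetime" lines tell you which of the per-ACL-line
! SAs are alive and whether they are being torn down before lifetime expiry.
!
! Step 2: negotiation detail for Phase 1 (ISAKMP) and Phase 2 (IPsec),
! echoed to the console session.
terminal monitor
debug crypto isakmp
debug crypto ipsec
! ... reproduce the connection sequence from the remote site, then stop:
undebug all
```

The useful comparison in the debug output is the proxy identities (local/remote ident) each side proposes for every Phase 2 negotiation, against the ACL lines above: since the PIX's crypto ACL must be the exact mirror image of the router's, the debug trace shows directly whether an SA is being replaced by a renegotiation for a different or overlapping proxy pair, or whether it is simply expiring on its lifetime.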