I have the following setup:
PIX 515E with 7.2(3) HQ Site
ASA 5505 with 7.2(2) Remote Site
I am experiencing that when 1 of my site-2-site tunnels goes down (I have 8 tunnels at HQ) and comes up again, no data is flowing.
I narrowed it down to no data getting encapsulated or encrypted at HQ when this problem occurs:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5103, #pkts decrypt: 5103, #pkts verify: 5103
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: *
remote crypto endpt.: *
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DC43FC01
While I'm having trouble with this 1 tunnel, all my other tunnels are working fine.
I tried the following with no luck to solve the problem:
Reloaded the remote ASA 5505
Reapplied the crypto map (HQ):
crypto map outside_map interface outside
Cleared the SAs (HQ):
clear crypto isakmp sa
clear crypto ipsec sa
Removed the pre-shared key at HQ and re-applied it.
The only way I was able to resolve the issue was to reload the PIX (HQ).
After I reloaded the PIX (HQ) I noticed that the PIX was now "initiator", whereas when the tunnel did not work the PIX was "responder", in the output of:
show crypto isakmp sa
I have checked that the "interesting traffic" at both ends is the same.
I have experienced this problem 2 times now with 6 months in between.
Any kind of help would be appreciated, since it's not a good solution to reload the PIX (HQ) when this problem occurs - hence all my other tunnels go down.
Let me know if configs are needed.
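
Added example, not part of the original post: a Python check for the symptom shown in the counters above, where an SA keeps decapsulating inbound packets while its encaps counter stays at 0. The sample text is constructed in the layout of the quoted output, with documentation-range peer addresses as placeholders; the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the counters quoted in the post;
# peer addresses are documentation-range placeholders, not real endpoints.
SAMPLE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5103, #pkts decrypt: 5103, #pkts verify: 5103
local crypto endpt.: 192.0.2.1
remote crypto endpt.: 198.51.100.2
current outbound spi: DC43FC01
#pkts encaps: 8841, #pkts encrypt: 8841, #pkts digest: 8841
#pkts decaps: 9120, #pkts decrypt: 9120, #pkts verify: 9120
local crypto endpt.: 192.0.2.1
remote crypto endpt.: 203.0.113.7
current outbound spi: 0A1B2C3D
"""

COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER = re.compile(r"remote crypto endpt\.: (\S+)")


def parse_sas(text):
    """Split the output into one dict per SA: peer, encaps, decaps."""
    sas, cur = [], {}
    for line in text.splitlines():
        for name, value in COUNTER.findall(line):
            # A second "encaps" line means the next SA block has started.
            if name == "encaps" and "encaps" in cur:
                sas.append(cur)
                cur = {}
            cur[name] = int(value)
        m = PEER.search(line)
        if m:
            cur["peer"] = m.group(1).rstrip(",")
    if cur:
        sas.append(cur)
    return sas


def one_way_tunnels(text, min_decaps=1):
    """Return peers whose SA receives traffic but never encrypts any."""
    return [sa.get("peer", "unknown") for sa in parse_sas(text)
            if sa.get("encaps", 0) == 0 and sa.get("decaps", 0) >= min_decaps]


if __name__ == "__main__":
    for peer in one_way_tunnels(SAMPLE):
        print(f"one-way SA: peer {peer} decrypts inbound but sends nothing")
```

Run against periodically collected output, this flags the affected peer without waiting for users at the remote site to report the outage.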