VPN Connections requiring sa peer resets often?

Unanswered Question
Jul 8th, 2008

I have multiple (let's say about 50) remote sites which have an ASA 5505 at them connecting via an IPsec VPN connection back to our main office. Most of the time, these connections work great, but it seems like within the span of about 1 week, at least 4 or 5 require either a reboot or the command "ipsec reset sa peer x.x.x.x" to be run to re-establish the VPN tunnel. Now, this is more of a nuisance than a real problem because they always come back up, but my employer would like to know if there is a way to minimize these issues. Here are some details and my thoughts:

Remote sites each have a 5505, running various OS versions, but none too terribly old. They connect back to HQ using either a DSL or cable modem connection.

HQ ASA is a 5520 in a failover pair. It is running ASA version 8.0(3) and ASDM version 6.0(3) and has a good 'net connection.

All have static IPs and in every case, there is no known issue with the network connections, just a loss of the VPN tunnel.

My gut instinct is to upgrade the remote ASAs to the same ASA firmware version as the HQ ASA. I expect that we will still encounter some times when we will need to reset the VPN tunnel, but I would expect that they would be fewer if the OS versions matched than now. I think the likely culprit is the instability of cable modem and DSL connections.

Any ideas?

hadbou Mon, 07/14/2008 - 08:31

Check if the "reset upon timeout" action is enabled on the ASA, which may cause the connection to time out and re-establish the connection. If it is configured, increase the time configured.
