VPN tunnel down due to no traffic

ronshuster
Level 1

I have a VPN tunnel (over the Internet) between two of our sites. This morning access from site A to site B was down, but only for one particular VLAN. The tunnel was still up, and VLANs in site A were able to communicate with VLANs in site B, with the exception of one VLAN in site B. Site A was unable to ping this VLAN on site B. However, as soon as I ran an extended ping from the core switch of site B, sourced from that particular VLAN, communication for that VLAN was suddenly established.

This tunnel has been up for at least 7 months now and I have never had this issue.

I am thinking that the tunnel will only be up if traffic is initiated from site B, is that possible?


3 Replies

husycisco
Level 7

Hello Roni,

Check the interesting traffic ACL in site A and make sure the traffic from that particular VLAN to remote site is defined.

Regards

ronshuster

In fact, the first thing I checked was to ensure the ACL is still there. Nothing changed on that end; again, as soon as I initiated traffic from site B from that VLAN (using an extended ping from the switch), it all came up.

I am 100% certain that the config did not change, as I am the only person who has access to this equipment.

husycisco

1) It is a possibility that you have been running with a missing interesting-traffic statement for months, and the remote site or a host defined in your interesting traffic was initiating the traffic, but not that particular VLAN.

2) Another possibility is that an initiation might have been started by your site first, and an SA negotiation got hung due to x factors, and now whenever your site tries an initiation, that active SA is used for rekeying. Reloading the device or clearing all active ISAKMP and IPsec SAs may resolve the issue.

3) The last possibility, for cases in which one end can initiate but the other end can't, is an ISAKMP or IPsec security-association lifetime mismatch. Maybe you did not change it, but the remote end might have.

If you have access to ASDM running syslog, set the ASDM logging level to 5, then try initiating traffic from that VLAN. If you see a single blue line (I can't remember the phrase), that indicates case 2 above. If nothing happens, that means an interesting-traffic issue.
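The first and third possibilities in the reply above (a crypto ACL entry present on one side but not mirrored on the other, and an SA lifetime mismatch between the peers) can both be checked offline from the two peers' running configs. The script below is an added example and is not from the thread or from Cisco; it assumes ASA-style `access-list ... extended permit ip <net> <mask> <net> <mask>` crypto ACL syntax, `crypto ipsec security-association lifetime seconds`, and a `lifetime` line inside a `crypto isakmp policy` block. The two config fragments, the subnets, the ACL name and the host addresses are constructed for illustration and are not the poster's real configuration.

```python
"""Audit two IPsec peers' configs for non-mirrored crypto ACLs and lifetime mismatches.

Added example (not from the thread). Parses ASA-style config fragments; IOS
wildcard-mask ACLs are not handled. All sample data below is constructed.
"""
import ipaddress
import re

# Constructed config fragments for a hypothetical site A and site B.
# Site B has an interesting-traffic entry for VLAN 10.2.30.0/24 that site A
# lacks, and the two sides disagree on the IPsec SA lifetime.
SITE_A = """
access-list outside_cryptomap extended permit ip 10.1.10.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.20.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.10.0 255.255.255.0 10.2.20.0 255.255.255.0
crypto ipsec security-association lifetime seconds 28800
crypto isakmp policy 10
 lifetime 86400
"""

SITE_B = """
access-list outside_cryptomap extended permit ip 10.2.10.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.2.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.2.20.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.2.30.0 255.255.255.0 10.1.10.0 255.255.255.0
crypto ipsec security-association lifetime seconds 3600
crypto isakmp policy 10
 lifetime 86400
"""

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)
IPSEC_LIFE_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)")
ISAKMP_LIFE_RE = re.compile(r"^\s+lifetime (\d+)")  # indented line inside a policy block


def parse_crypto_acl(config):
    """Return the set of (src_net, dst_net) pairs from 'permit ip' ACL lines."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            pairs.add((src, dst))
    return pairs


def parse_lifetimes(config):
    """Return {'ipsec': seconds, 'isakmp': seconds}; None if a value is absent."""
    ipsec = isakmp = None
    in_policy = False
    for line in config.splitlines():
        if not line.strip():
            continue
        m = IPSEC_LIFE_RE.match(line)
        if m:
            ipsec = int(m.group(1))
            continue
        if line.startswith("crypto isakmp policy") or line.startswith("crypto ikev1 policy"):
            in_policy = True
            continue
        if in_policy and line.startswith(" "):
            m = ISAKMP_LIFE_RE.match(line)
            if m:
                isakmp = int(m.group(1))
            continue
        in_policy = False  # any unindented line ends the policy block
    return {"ipsec": ipsec, "isakmp": isakmp}


def covers(pairs, src_ip, dst_ip):
    """True if some ACL entry marks src_ip -> dst_ip as interesting traffic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in pairs)


def mirror_gaps(pairs_a, pairs_b):
    """Entries that are not mirrored on the other peer, both in A's (A-net, B-net) orientation."""
    mirrored_b = {(d, s) for s, d in pairs_b}
    return pairs_a - mirrored_b, mirrored_b - pairs_a


def audit(config_a, config_b, src_ip_a, dst_ip_b):
    """Run the checks for one A-side host talking to one B-side host."""
    pa, pb = parse_crypto_acl(config_a), parse_crypto_acl(config_b)
    only_a, only_b = mirror_gaps(pa, pb)
    la, lb = parse_lifetimes(config_a), parse_lifetimes(config_b)
    return {
        "a_can_initiate": covers(pa, src_ip_a, dst_ip_b),
        "b_can_initiate": covers(pb, dst_ip_b, src_ip_a),
        "only_on_a": sorted(f"{s} -> {d}" for s, d in only_a),
        "only_on_b": sorted(f"{s} -> {d}" for s, d in only_b),
        "lifetime_mismatch": {k: (la[k], lb[k]) for k in la if la[k] != lb[k]},
    }


if __name__ == "__main__":
    for key, value in audit(SITE_A, SITE_B, "10.1.10.5", "10.2.30.5").items():
        print(f"{key}: {value}")
```

For the constructed data this reports that only site B can initiate for the 10.2.30.0/24 VLAN, lists the one-sided entry, and flags the IPsec lifetime difference (28800 vs 3600 seconds). For the second possibility in the reply (a hung SA reused on rekey), there is nothing to parse; on an ASA the SAs are cleared with `clear crypto isakmp sa` and `clear crypto ipsec sa`, after which the next interesting packet forces a fresh negotiation.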
