ASA5510 7.2(4) / IOS 12.4(18)
Due to unknown reasons the VPN gets stuck once in a while; no regular interval can be noticed. Sometimes it works for weeks, sometimes it breaks multiple times a day. In the easier cases a clear of the crypto sessions on the IOS side is sufficient. In the worse cases a reload of the ASA is necessary.
The ASA maintains other L2L VPNs to other ASAs that do not have any problems at the same time the ASA-to-IOS VPN breaks.
We were thinking about timer issues so we played around a little with these, but the error did not disappear (initially: ISAKMP 3600 / IPsec 3600; then ISAKMP 43200 / IPsec 3600; now ISAKMP ASA 43200 / ISAKMP IOS 3600 / IPsec 3600).
When the bad stuck situation occurs on the ASA, no ISAKMP or IPsec SA to the IOS peer is visible on the ASA, but new SAs cannot be established.
Does anybody have an idea why such stuck situations can occur? Does anybody have an explanation why an ASA would need a reload to be able to reestablish the SAs?
I searched the BugDB but did not find anything in the bugs that I am allowed to see. Any hint is appreciated.