Another L2L issue with ASA

Unanswered Question
Oct 8th, 2008

Looking through similar posts, I have not found a solution for this particular problem:

I have a remote location with 857 and (C850-ADVSECURITYK9-M), Version 12.4(6)T5 and a CO location with 5520 and Software Version 7.1(2) connected through the Internet by IPSec tunnels.

ACLs that define interesting traffic on both sides include 3 subnets that should be accessible behind ASA's inside interface: and

The configs are included in attachments. The whole thing works, network behind the remote 857 sees the 3 subnets in CO and vice versa, until at some point ASA decides that it does not like one of the defined subnets and starts tearing down connections between it and the remote network. For example, today it decided it no longer likes connections between (remote) and (behind inside interface) networks, while the connections to and keep working fine. That's after a year of normal operation.

We've had such an issue at several remote locations already and it comes down to no matter what you do - kill SAs, remove and rebuild crypto maps, reload the remote end.. nothing helps until you reload the ASA. You reload the ASA and whoom! it works again. All networks defined are allowed to pass.

Since the communication is business critical, I would very much like to solve the problem without having to reload the central ASA every time it suddenly decides to stop passing traffic between one of the 3 critical subnets and a remote network.

I'd like to note that, overall, the configs work fine. At times when the ASA starts dropping networks, no new access-lists or configurations are added to it.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mike_guy29 Wed, 10/08/2008 - 06:48

Is the ASA device part of a failover pair?

The only reason I ask is because I had a lot of strange problems happen after my primary active ASA had failed over to the secondary standby. I didn't notice and for a while it was the secondary one that was running as active. I had a lot of strange problems with VPNs and once I had reverted the devices back to the correct setup they went away.



This Discussion