ASA L2L vpn ipsec sa timeout issue

Unanswered Question
Nov 3rd, 2008

We have an L2L VPN tunnel set up between two 5510s that are both running 7.2.4 code. Each side has two subnets (one for data and the other for voice). The tunnel is set up to allow all subnets to talk to each other. Periodically (every 45 min to 1 hour) two of the IPsec SAs drop out from the ASA at site A but do not drop out of the ASA at site B.

For example:

Data subnet at site A is /24 and voice subnet at site A is /24.

Data subnet at site B is /24 and voice subnet at site B is /24.

When the IPsec SAs drop out, the can still send traffic to and vice versa. can still send traffic to and vice versa.

However, traffic ceases between and traffic also ceases between and

This wouldn't be an issue except that the Unity server sits on the data subnet at site A, and whenever this occurs phones at site B cannot reach voicemail. No matter how many times the phones at site B call voicemail, the IPsec SA doesn't re-form to allow the traffic. However, if we issue a ping from a device on the site A data network to the voice network at site B, the IPsec SA re-forms on the site A ASA and then the phones at site B can call voicemail.

Currently we have a continuous ping set up from a PC on the data VLAN at site A to the voice gateway on the voice subnet at site B. This appears to keep the tunnel up between the two subnets permanently, as there is always interesting traffic.

Does anyone have an idea why this occurs or, if not, what we can do to keep the IPsec SAs from dropping out without a continuous ping running?
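As an added example (not from this thread), a small Python check that parses ASA-style `show crypto ipsec sa` excerpts taken from both ends of a tunnel and lists the selectors present on one ASA but missing on the other, which is the asymmetric state described above. The excerpts are constructed, not captured from a device, and only the `local ident`, `remote ident` and `sa timing` lines are read.

```python
import re

IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+/[\d.]+)/")
TIMING = re.compile(r"remaining key lifetime \(kB/sec\): \(\d+/(\d+)\)")

# Constructed ASA-style "show crypto ipsec sa" excerpts (RFC 1918 sample networks, not real captures).
# Site A has lost the two data<->voice SAs; site B still lists all four selectors.
SITE_A = """\
  local ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.2.10.0/255.255.255.0/0/0)
      sa timing: remaining key lifetime (kB/sec): (4374000/2710)
  local ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.2.20.0/255.255.255.0/0/0)
      sa timing: remaining key lifetime (kB/sec): (4374000/1440)
"""
SITE_B = """\
  local ident (addr/mask/prot/port): (10.2.10.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
      sa timing: remaining key lifetime (kB/sec): (4374000/2710)
  local ident (addr/mask/prot/port): (10.2.10.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)
      sa timing: remaining key lifetime (kB/sec): (4374000/3100)
  local ident (addr/mask/prot/port): (10.2.20.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
      sa timing: remaining key lifetime (kB/sec): (4374000/900)
  local ident (addr/mask/prot/port): (10.2.20.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)
      sa timing: remaining key lifetime (kB/sec): (4374000/1440)
"""

def parse_ipsec_sas(text):
    """Return {selector: remaining_seconds}. The selector is the sorted pair of networks,
    so the same SA seen from either peer (local/remote swapped) compares equal."""
    sas, nets = {}, {}
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":   # a new local ident starts a new selector
                nets = {}
            nets[m.group(1)] = m.group(2)
            continue
        m = TIMING.search(line)
        if m and len(nets) == 2:        # inbound and outbound SAs share the selector; keep the minimum
            key, secs = tuple(sorted(nets.values())), int(m.group(1))
            sas[key] = min(sas.get(key, secs), secs)
    return sas

def compare_sides(a, b):
    """Selectors present on one ASA but absent on the other (the mismatch described in the post)."""
    return {"missing_on_a": sorted(set(b) - set(a)), "missing_on_b": sorted(set(a) - set(b))}
```

Running `compare_sides(parse_ipsec_sas(SITE_A), parse_ipsec_sas(SITE_B))` on the constructed excerpts reports the two data/voice cross selectors as missing on site A and nothing missing on site B.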


singhsaju Mon, 11/03/2008 - 10:36


What are the SA lifetimes set for Phase 1 and Phase 2? By default the Phase 1 SA lifetime is 86400 seconds and the Phase 2 SA lifetime is 3600 seconds.

Phase 2 SAs are built inside the Phase 1 SA, so the Phase 1 SA lifetime should be greater than the Phase 2 SA lifetime.

Is the Phase 2 SA lifetime < the Phase 1 SA lifetime?

budmiller Mon, 11/03/2008 - 10:47

The lifetimes for both Phase 1 and Phase 2 are the defaults on both ASAs, so the Phase 1 lifetime is 86400 and Phase 2 is 3600.
