ASA L2L vpn ipsec sa timeout issue

budmiller
Level 1

We have an L2L VPN tunnel set up between two 5510s that are both running 7.2.4 code. Each side has two subnets (one for data and the other for voice). The tunnel is set up to allow all subnets to talk to each other. Periodically (every 45 min to 1 hour) two of the IPsec SAs drop out from the ASA at site A but do not drop out of the ASA at site B.

For example:

Data subnet at site A is 192.168.1.0 /24 and voice subnet at site A is 10.0.1.0 /24.

Data subnet at site B is 192.168.2.0 /24 and voice subnet at site B is 10.0.2.0 /24

When the IPsec SAs drop out, 192.168.1.0 can still send traffic to 192.168.2.0 and vice versa.

10.0.1.0 can still send traffic to 10.0.2.0 and vice versa.

However, traffic ceases between 192.168.1.0 and 10.0.2.0. Traffic also ceases between 10.0.1.0 and 192.168.2.0.

This wouldn't be an issue except the Unity server sits on the data subnet at site A, and whenever this occurs phones at site B cannot reach voicemail. No matter how many times the phones at site B call voicemail, the IPsec SA doesn't reform to allow the traffic. However, if we issue a ping from a device on the site A data network to the voice network at site B, the IPsec SA reforms on the site A ASA and then the phones at site B can call voicemail.

Currently we have a continuous ping set up from a PC on the data VLAN at site A to the voice gateway on the voice subnet at site B. This appears to keep the tunnel up between the two subnets permanently, as there is always interesting traffic.

Does anyone have an idea why this occurs or, if not, what we can do to keep the IPsec SAs from dropping out without a continuous ping running?

Thanks.
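A quick way to confirm which subnet pairs have lost their Phase 2 SA, as an added example that is not part of the thread: it parses the `local ident` / `remote ident` lines of ASA `show crypto ipsec sa` output and compares them with every local x remote combination the crypto ACL permits. The show output below is constructed to match the symptom in the post, not captured from the poster's ASAs; the subnets are the ones given above.

```python
import re
from itertools import product

# Subnets from the post: data and voice at each site.
SITE_A = ["192.168.1.0/255.255.255.0", "10.0.1.0/255.255.255.0"]
SITE_B = ["192.168.2.0/255.255.255.0", "10.0.2.0/255.255.255.0"]

# Constructed excerpt of "show crypto ipsec sa" (not from the poster's devices):
# only the data<->data and voice<->voice SAs are present, as the post describes.
SAMPLE_SHOW_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
"""

IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/\d+/\d+\)",
    re.M,
)


def parse_active_pairs(show_output):
    """Return the set of (local, remote) subnet pairs that currently have an SA."""
    pairs = set()
    local = None
    for side, addr, mask in IDENT_RE.findall(show_output):
        if side == "local":
            local = f"{addr}/{mask}"
        elif local is not None:
            pairs.add((local, f"{addr}/{mask}"))
            local = None
    return pairs


def missing_pairs(show_output, local_subnets=SITE_A, remote_subnets=SITE_B):
    """Every local x remote combination the crypto ACL allows should have its own
    Phase 2 SA; report the combinations with no SA so the broken traffic class
    (here data<->voice in both directions) is visible at a glance."""
    expected = set(product(local_subnets, remote_subnets))
    return sorted(expected - parse_active_pairs(show_output))


if __name__ == "__main__":
    for local, remote in missing_pairs(SAMPLE_SHOW_OUTPUT):
        print(f"no SA for {local} -> {remote}")
```

Run it against a pasted `show crypto ipsec sa` from each ASA when the symptom appears; if site B still lists all four pairs while site A lists two, the two sides disagree about SA state, which is the behaviour the post reports.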

2 Replies

singhsaju
Level 4

Hi,

What are the SA lifetimes set for Phase 1 and Phase 2? By default the Phase 1 SA is 86400 seconds and the Phase 2 SA is 3600 seconds.

Phase 2 SAs are built inside the Phase 1 SA, so the Phase 1 SA lifetime should be greater than the Phase 1 SA lifetime.

Is the Phase 2 SA lifetime < the Phase 1 SA lifetime?

The lifetimes for both phase 1 and phase 2 are the defaults on both ASAs, so phase 1 lifetime is 86400 and phase 2 is 3600.
