Site to site vpn after upgrading to 8.0(4)

Unanswered Question
Nov 23rd, 2008

Hi All,

We have a site-to-site VPN between the US (Cisco ASA 5510) and India (NetScreen).

Recently we have changed the ISP.

Therefore, we changed the peer-end IP; after that we upgraded the US-end ASA from 7.2(3) to 8.0(4).

After this upgrade, every 4-plus hours the tunnel goes down and we have to refresh the tunnel, after which it comes up. We did not face this issue when we had image 7.2(3).

We checked by changing the lifetime on both sides, but no luck.

On the Cisco ASA we have terminated 6 tunnels, but for the other tunnels we are not having any problem.

Could somebody suggest?

Regards,

Navin

JORGE RODRIGUEZ Sun, 11/23/2008 - 06:59

Have you tried different threshold parameters in the dead peer detection (DPD) statements, if any, at both ends of the tunnel? See if that helps. Configure it under the tunnel-group attributes; just a suggestion.

hostname(config)# tunnel-group <tunnel-group-name> ipsec-attributes

hostname(config-tunnel-ipsec)# isakmp keepalive threshold 20 retry 2

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1732140

Rgds

Jorge

navin_rk3 Sun, 11/23/2008 - 07:26

Thanks for the reply.

I had already enabled ISAKMP keepalives on both sides.

I checked the entire NetPro forum, and some engineers suggested:

1. Disable IP compression under the tunnel group.

2. I searched for bugs using the Bug Toolkit (it closely matches CSCsv63354 Bug Details).

3. Changed ISAKMP & IPsec timings.

I had already tried the 3rd step; regarding the 1st and 2nd steps, some senior forum members must suggest whether to try them.

Any other suggestions, please.

Regards,

Navin

ajagadee Sun, 11/23/2008 - 08:15

Navin,

You have done some good timing calculation that is going to help you resolve the issue, I think.

Even though your main issue is the tunnel going down, you bring up a good observation, that is, the tunnel going down every 4 hours. One thing that comes to my mind is the ARP default timer, which is 4 hours. So your issue may not be related to the IPsec tunnel but to ARP and asymmetrical routing. Check your L2 and L3 connectivity to see if there is a chance that the ARP entry times out after 4 hours and you do something that forces the L3 device to relearn the ARP entry and forward traffic.

Regards,

Arul

*Pls rate if it helps*
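To test the 4-hour hypothesis from the reply above without guessing, it helps to pull the session durations and drop intervals out of the ASA syslog and see whether they cluster around the ARP default timeout. The script below is an added example, not code from this thread or from Cisco. It assumes the log lines follow the ASA %ASA-4-113019 "Session disconnected" format (which carries a Duration and a Reason field); the sample lines, peer addresses and timestamps are constructed for illustration.

```python
"""Correlate ASA-style tunnel-disconnect log lines with a suspected timer period.

Added example, not from the thread. Assumptions:
  - lines follow the %ASA-4-113019 "Session disconnected" message format
  - SAMPLE_LOGS below is constructed sample data, not a real capture
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real logs from the thread).
SAMPLE_LOGS = """\
Nov 22 2008 02:01:10 asa %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 4h:00m:08s, Bytes xmt: 10550, Bytes rcv: 9920, Reason: Lost Service
Nov 22 2008 06:02:03 asa %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 4h:00m:41s, Bytes xmt: 8800, Bytes rcv: 7300, Reason: Lost Service
Nov 22 2008 10:03:55 asa %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 4h:01m:02s, Bytes xmt: 9100, Bytes rcv: 8000, Reason: Lost Service
Nov 22 2008 11:15:00 asa %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Nov 22 2008 11:16:00 asa %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.5/50000 (10.1.1.5/50000)
"""

# Fields we care about in a 113019 line: timestamp, peer (the Group value),
# the h:m:s session duration, and the free-text reason at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113019: "
    r"Group = (?P<peer>[^,]+), .*?Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r".*?Reason: (?P<reason>.+)$"
)

# The reply above points at the ASA default ARP timeout of 4 hours.
ARP_DEFAULT_TIMEOUT_S = 4 * 3600


def parse_disconnects(log_text):
    """Return one dict per 113019 line; unrelated syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "peer": m["peer"],
            "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "reason": m["reason"].strip(),
        })
    return events


def find_periodic_drops(events, period_s=ARP_DEFAULT_TIMEOUT_S,
                        tolerance_s=300, min_events=2):
    """Flag peers whose sessions repeatedly live for about `period_s` seconds.

    For each flagged peer, report how many drops matched, their durations,
    the wall-clock gaps between consecutive matching drops, and the reasons
    the ASA logged, so the pattern can be compared against SA lifetimes,
    DPD settings or the ARP timer.
    """
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["peer"]].append(e)

    suspects = {}
    for peer, evs in by_peer.items():
        evs.sort(key=lambda e: e["time"])
        near = [e for e in evs if abs(e["duration_s"] - period_s) <= tolerance_s]
        if len(near) < min_events:
            continue
        gaps = [int((b["time"] - a["time"]).total_seconds())
                for a, b in zip(near, near[1:])]
        suspects[peer] = {
            "count": len(near),
            "durations_s": [e["duration_s"] for e in near],
            "gaps_s": gaps,
            "reasons": sorted({e["reason"] for e in near}),
        }
    return suspects


if __name__ == "__main__":
    for peer, info in find_periodic_drops(parse_disconnects(SAMPLE_LOGS)).items():
        print(f"{peer}: {info['count']} drops near 4h, gaps {info['gaps_s']}, "
              f"reasons {info['reasons']}")
```

Feed it the output of `show logging` (or the syslog server's file) instead of SAMPLE_LOGS. If one peer's durations all sit within a few minutes of 4 hours while the gaps between drops are also about 4 hours, that supports a timer-driven cause; a cluster at exactly the configured SA lifetime instead points back at rekeying, and scattered durations suggest a path problem rather than a timer.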

navin_rk3 Sun, 11/23/2008 - 08:35

Arul,

Good point.

I am going to look into L2 and L3 connectivity and also asymmetrical routing.

I am unable to understand it, because we are facing this issue after upgrading to 8.0(4), but when we had 7.2(3) there was no issue.

Regards,

Navin
