I have a VPN site2site that is working, but not always :)
1) After some minutes, hours (different periods) it is not working anymore. I test the tunnel with SDM and it is up and running. I do sh crypto isakmp sa / detailed and I have QM_IDLE and status ACTIVE; I do sh crypto ipsec sa and it is there. I have to reload the router to make it work again. Where should I look for some info about the problem?
2) I noticed that the lifetime parameter was not the same. I changed it, so now it is the same on both peers. Could this be a problem? It did not solve my problem.
3) Can I force a rebuild of the tunnel without reloading the router with clear crypto isakmp conn_ID or clear crypto sa [peer/map] spi ?
4) The ACL that defines interesting traffic is like: permit ip local_LAN remote_LAN . ICMP is not interesting traffic; if I ping the remote_LAN, why does it count in ipsec sa? If I do a sh crypto ipsec sa , I see those icmp packets counted here:
local ident (addr/mask/prot/port): (172.31.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer 89.x.x.x port 500
#pkts encaps: 1371, #pkts encrypt: 1371, #pkts digest: 1371
#pkts decaps: 2412, #pkts decrypt: 2412, #pkts verify: 2412
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
and excuse my english
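The symptom in point 1 (ISAKMP shows QM_IDLE / ACTIVE, the IPsec SA exists, but traffic stops) is usually narrowed down by watching the per-SA counters over time rather than by a single snapshot: if "#pkts encaps" keeps growing while "#pkts decaps" stays flat, packets leave this router but nothing comes back, which points at the remote side or the path rather than at this router's SA. The following is an added example, not part of the original post or the router's own tooling: a small Python parser for the counter lines in the format quoted above, with two constructed snapshots (the numbers are made up for the example) and a classification of what the difference between them means.

```python
import re

# Two "show crypto ipsec sa" fragments in the format quoted in the post.
# Both snapshots are CONSTRUCTED for this example; the numbers are not the poster's.
SNAPSHOT_T0 = """\
local ident (addr/mask/prot/port): (172.31.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer 89.x.x.x port 500
#pkts encaps: 1371, #pkts encrypt: 1371, #pkts digest: 1371
#pkts decaps: 2412, #pkts decrypt: 2412, #pkts verify: 2412
#send errors 1, #recv errors 0
"""

# Same SA a minute later while pinging the remote LAN: encaps grew, decaps did not.
SNAPSHOT_T1 = """\
local ident (addr/mask/prot/port): (172.31.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer 89.x.x.x port 500
#pkts encaps: 1450, #pkts encrypt: 1450, #pkts digest: 1450
#pkts decaps: 2412, #pkts decrypt: 2412, #pkts verify: 2412
#send errors 1, #recv errors 0
"""

# "#pkts encaps: 1371" has a colon, "#send errors 1" does not; accept both.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s+(\d+)")
WANTED = {"encaps", "decaps", "send_errors", "recv_errors"}


def parse_counters(text):
    """Return {'encaps': n, 'decaps': n, 'send_errors': n, 'recv_errors': n}."""
    found = {}
    for name, value in COUNTER_RE.findall(text):
        key = name.replace("pkts ", "").replace(" ", "_")
        found[key] = int(value)
    missing = WANTED - found.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return found


def diagnose(before, after):
    """Classify the SA from the change in counters between two snapshots."""
    delta = {k: after[k] - before[k] for k in WANTED}
    if delta["encaps"] == 0 and delta["decaps"] == 0:
        return "idle: no traffic matched the crypto ACL in this interval"
    if delta["encaps"] > 0 and delta["decaps"] == 0:
        return ("one-way: packets are encrypted and sent but none are received; "
                "check the remote peer's SA and crypto ACL, and the path between peers")
    if delta["decaps"] > 0 and delta["encaps"] == 0:
        return ("one-way: packets are received but none are sent; "
                "check routing and the crypto ACL on this router")
    if delta["send_errors"] > 0 or delta["recv_errors"] > 0:
        return "errors: both directions carry traffic but error counters are increasing"
    return "healthy: traffic flows in both directions"


if __name__ == "__main__":
    t0 = parse_counters(SNAPSHOT_T0)
    t1 = parse_counters(SNAPSHOT_T1)
    print(diagnose(t0, t1))
```

Take the two snapshots a short interval apart while generating traffic across the tunnel (for example a sustained ping from a LAN host); the function only needs the counter lines, so the rest of the command output can be pasted in unchanged.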
1,2 - Yes, this might have fixed it already by matching the lifetime on both router/FW.
4. Other than defining the access-list for interesting traffic, did you also configure another access-list for this tunnel? If not, then all IP traffic is allowed, including ICMP. You may not receive an ICMP reply because the other firewall is blocking it.
please rate if it helps
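The point in the answer above is that a crypto ACL entry whose protocol is "ip" matches every IP protocol, so an ICMP echo between the two LANs is interesting traffic and is counted on the SA; only an entry naming a specific protocol (tcp, udp, icmp, ...) would leave ICMP unmatched. As an added example, not the poster's configuration or any Cisco code, the following Python matcher evaluates IOS-style extended ACL entries (first match wins, implicit deny at the end, wildcard masks as in IOS) against a flow, using the two subnets from the post; the ACL lines themselves are constructed for the example and port qualifiers are not handled.

```python
import ipaddress

# IP protocol numbers for the keywords this small parser understands;
# "ip" is handled specially and matches every protocol.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks (0 bits must match). Convert to a network.

    A non-contiguous wildcard raises, because it cannot be expressed as a prefix.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wild) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <wild> <dst> <wild>' with 'any' and 'host'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    if proto != "ip" and proto not in PROTO:
        raise ValueError(f"unsupported protocol keyword: {proto}")

    def take():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ipaddress.IPv4Network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.IPv4Network(rest[1] + "/32")
            rest = rest[2:]
            return net
        net = wildcard_to_network(rest[0], rest[1])
        rest = rest[2:]
        return net

    src = take()
    dst = take()
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def is_interesting(acl, src_ip, dst_ip, proto_num):
    """True if the flow would be encrypted: first matching entry is a permit."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        proto_ok = ace["proto"] == "ip" or PROTO[ace["proto"]] == proto_num
        if proto_ok and src in ace["src"] and dst in ace["dst"]:
            return ace["action"] == "permit"
    return False  # implicit deny: not interesting, sent in the clear (or dropped)


if __name__ == "__main__":
    # Constructed crypto ACL using the subnets quoted in the post.
    acl = [parse_ace("permit ip 172.31.0.0 0.0.0.255 192.168.30.0 0.0.0.255")]
    print("ICMP LAN-to-LAN interesting:", is_interesting(acl, "172.31.0.10", "192.168.30.5", 1))
    tcp_only = [parse_ace("permit tcp 172.31.0.0 0.0.0.255 192.168.30.0 0.0.0.255")]
    print("ICMP with tcp-only ACL:", is_interesting(tcp_only, "172.31.0.10", "192.168.30.5", 1))
```

Running it shows the ICMP echo matched by the "permit ip" entry and not matched by a "permit tcp" entry, which is exactly why the pings appear in the encaps counter of the SA in the post. If the echo replies are missing, the counter check (encaps growing, decaps flat) combined with this result points at the far end rather than at the local crypto ACL.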