VPN stops sending data even though tunnel remains up

Dec 17th, 2008

We have an ASA 5510 talking to a client's Nortel device. We are sending data over a VPN connection between the two devices 24/7. Twice a day the tunnel stops sending data, and you can no longer ping over the tunnel. The tunnel is still up during this time, and my syslog shows no timeouts in ISAKMP or IPSec during this time. I issue the clear crypto ips sa peer command and the tunnel drops and re-establishes. After doing this, pings are immediately successful. Both the client tech and I have reconfigured everything on both sides, making sure that we are matching exactly. We are also both using the host address, not network on one side and host on the other (which I know can cause issues). Has anyone run across this? Any ideas on what to do to fix it?

didyap Sun, 12/28/2008 - 17:36

If the IPsec VPN tunnel has failed within the IKE negotiation, the failure can be due to either the PIX or the inability of its peer to recognize the identity of its peer. When two peers use IKE to establish IPsec security associations, each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or host name, dependent upon how each has its ISAKMP identity set. By default, the ISAKMP identity of the PIX Firewall unit is set to the IP address. As a general rule, set the security appliance and the identities of its peers in the same way to avoid an IKE negotiation failure.

For further assistance, the following URL may help you in troubleshooting:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#idenity
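As an added illustration (not part of the original answer), here is what the identity setting discussed above looks like on the ASA side of a site-to-site tunnel, with the mismatching form shown beside the consistent one. The peer address 203.0.113.20 and the map and ACL names are constructed placeholders; the Nortel side is assumed to be set to send its IP address as well.

```cisco
! --- Mismatching form: the ASA announces its hostname as its ISAKMP
! --- identity, while the peer is defined and expected by IP address.
! --- The remote side then cannot match the identity it receives to the
! --- peer it has configured, and IKE negotiation can fail.
crypto isakmp identity hostname

! --- Consistent form: both peers send and expect IP-address identities,
! --- which is also the ASA default and matches how the tunnel-group
! --- and crypto map peer below are keyed (placeholder IP 203.0.113.20).
crypto isakmp identity address
crypto isakmp enable outside

tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <placeholder-shared-secret>

crypto map outside_map 10 match address VPN_TRAFFIC_ACL
crypto map outside_map 10 set peer 203.0.113.20
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! --- Checks to run while the symptom (tunnel up, no traffic) is present,
! --- before clearing the SA, so the state is recorded for correlation:
! show crypto isakmp sa
! show crypto ipsec sa peer 203.0.113.20
```

Compare the encrypt/decrypt packet counters from the second show command on both sides while the tunnel is stalled; a counter that increments on one side but not the other narrows the problem to one direction before the SA is cleared.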
