Site-to-Site tunnel keeps going down


I was wondering if anybody had any thoughts on this issue. I have an ASA 5510 with a static public IP that is our main firewall. We have a remote site with an ASA 5505. The 5505 is connected to the world by a DSL modem. Now the DSL has the public static IP and then gives anything connected to it a private IP. The interface on the 5505 is connected to the modem and uses DHCP and gets a private IP. We set the config to have a site-to-site tunnel between the two firewalls. It would work for a while and then all of a sudden drop the tunnel connection for different periods of time. I called Cisco about this and the guy I worked with said since the 5505 is behind a firewall and is getting a DHCP address that I need to create a Dynamic LAN to Static LAN tunnel instead and make the 5505 the initiator of the tunnel since the 5510 won't know who to talk to. So he removed my tunnel and created a DefaultL2L tunnel group. All of a sudden the downed VPN site came up. But after I got off the phone the tunnel went down again. So I am lost as to what could be going wrong. Is it possible, since the DSL modem is doing some kind of NAT and giving a private IP to the firewall, that it could be blocking some traffic that is needed to pass? The connection will come up by itself. When I called the engineer back up he said that it could be that some traffic needs to be passed from the 5505 side since that is the connection making the tunnel.
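As an added example (not from the original post, nor from Cisco), here is a minimal ASA 8.x configuration sketch of the dynamic-to-static arrangement the poster describes: the 5510 with the static public address has no peer address to match, so it accepts the unknown peer through a dynamic crypto map and the DefaultL2LGroup tunnel group, while the 5505 behind the DSL modem's NAT always initiates with a static crypto map pointing at the hub. Interface names, subnets, the hub address and secret placeholders, and the NAT-traversal and keepalive settings are assumptions.

```text
! ---- Hub: ASA 5510 with static public IP (added example, not the poster's config) ----
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT traversal so ESP is carried inside UDP/4500 through the DSL modem's NAT (assumed setting)
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Dynamic crypto map: no fixed peer address, so the hub accepts whichever peer
! proposes matching traffic and authenticates it against DefaultL2LGroup
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <SHARED-SECRET-PLACEHOLDER>
 ! Dead-peer detection so a stale SA is torn down and the spoke rebuilds it (assumed setting)
 isakmp keepalive threshold 10 retry 2

! ---- Spoke: ASA 5505, DHCP private address behind the DSL modem; always the initiator ----
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Assumed subnets: 192.168.2.0/24 at the remote site, 192.168.1.0/24 at the main site
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer <HUB-PUBLIC-IP-PLACEHOLDER>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group <HUB-PUBLIC-IP-PLACEHOLDER> type ipsec-l2l
tunnel-group <HUB-PUBLIC-IP-PLACEHOLDER> ipsec-attributes
 pre-shared-key <SHARED-SECRET-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

Because the hub cannot initiate, recovery after a drop depends entirely on the 5505 re-proposing the tunnel; `show crypto isakmp sa` on the spoke shows whether it is doing so, and the NAT-exemption rules for the VPN subnets are left out of the sketch.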

chris.grammer Thu, 01/08/2009 - 09:42

I have a very large VPN network via the internet with several of these types of DSL modem setups. I have had similar issues with tunnels dropping. Generally for me, I have the remote site power the DSL modem on and off and it resolves the issue for a few days or weeks. The most sure way I have resolved this problem is to use a public IP on the remote firewall instead of the private one given by the service provider's DSL modem. Most service providers charge a few more dollars per month for the public IP, but it has significantly decreased tunnel problems. Even with a public IP, in my experience, the DSL modems will have to be rebooted periodically no matter what the configuration. I think the problem ultimately is that Internet service providers give DSL customers the "Wood plan" and will, without notice, make changes, module reloads, and reboots of aggregate DSLAMs and routers, which causes problems with the DSL modems.
