ASA VPN interruption

Unanswered Question
Feb 19th, 2009

On a site-to-site VPN we have interruptions every 1-3 hours, each lasting 5-10 seconds.

All applications connecting through this tunnel have to restart.

There are two Riverbeds in the VPN path, the MTU size is 1380, and the TCP options have been set in the global policy.

How can I debug the IPsec connections to find the reason?



jason.espino Thu, 02/19/2009 - 11:19

Hello Peter,

The following command will allow you to view debug messages on the ASA for IPsec traffic:

debug crypto ipsec

The debug level would be of your choosing. The higher the debug level, the more information you will see. You can also debug ISAKMP as well.

debug crypto isa

However, if you wish to debug this issue as it happens, you would have to wait until it occurs while you're debugging on the firewall. I don't think it would be ideal to simply wait until it occurs.

If you want, you could also enable logging to flash on the ASA for the VPN traffic, which may provide some information as to why the tunnel went down.


logging enable

logging buffer-size OPTIONAL

logging class vpn buffered informational

Has this issue recently appeared or has it been ongoing? Have you changed the time until the phase 1 and phase 2 SAs rekey? Do you know what the remote VPN rekey value is set to? The IPsec tunnel will agree upon the lowest values for re-negotiation of the security associations. What is the remote device your ASA is terminating the VPN tunnel to?

Hope this info helps!
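
Added example, not part of the original replies: once the buffered VPN logging above has captured a few interruptions, a short script can check whether each outage coincides with an IPsec SA being deleted before its replacement exists. It assumes "logging timestamp" is enabled and keys on syslog IDs 602303/602304 (IPsec SA created/deleted); the log lines and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed "show logging" sample (not from the thread). Assumes
# "logging timestamp" is on; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 19 2009 09:00:02: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Feb 19 2009 10:00:02: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
Feb 19 2009 10:00:09: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x2B3C4D5E) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Feb 19 2009 11:00:05: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3C4D5E6F) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been created.
Feb 19 2009 11:00:06: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x2B3C4D5E) between 192.0.2.1 and 198.51.100.1 (user= 198.51.100.1) has been deleted.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-(?P<id>60230[34]): "
    r"IPSEC: An outbound \S+ SA \(SPI= ?(?P<spi>0x[0-9A-Fa-f]+)\) "
    r"between \S+ and (?P<peer>\S+) "
)

def sa_gaps(log_text):
    """Return (peer, gap_seconds, old_sa_lifetime_seconds) for every
    interval in which a peer had no outbound IPsec SA at all."""
    active = {}   # peer -> {spi: created_at}
    down = {}     # peer -> (time last SA was deleted, that SA's lifetime)
    gaps = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        peer, spi = m["peer"], m["spi"]
        sas = active.setdefault(peer, {})
        if m["id"] == "602303":               # SA created
            if peer in down:                  # traffic had nowhere to go until now
                deleted_at, lifetime = down.pop(peer)
                gaps.append((peer, (ts - deleted_at).total_seconds(), lifetime))
            sas[spi] = ts
        else:                                 # 602304: SA deleted
            created = sas.pop(spi, None)
            if not sas:                       # no replacement SA was in place
                lifetime = (ts - created).total_seconds() if created else None
                down[peer] = (ts, lifetime)
    return gaps

if __name__ == "__main__":
    for peer, gap, lifetime in sa_gaps(SAMPLE_LOG):
        print(f"{peer}: no outbound SA for {gap:.0f}s (previous SA lived {lifetime}s)")
```

A gap that recurs at a constant SA lifetime indicates the interruption coincides with rekeying, which is what the questions above about the phase 1 and phase 2 lifetimes are probing. The 11:00 rekey in the sample produces no gap because the new SA was created before the old one was deleted.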

