I've got the following scenario:
[(DynIP)ADSL_Router with NAT]
All the configuration was done via ASDM. The branch ASA is configured as an EasyVPN hardware client. The VPN connection can
be established without a problem.
The problem occurs when the ADSL line at the branch site disconnects once every 24 hours and gets a new public IP. Note: the
branch ASA is behind an ADSL Router (which is not under our control). After the disconnect the VPN tunnel does not seem to pass traffic. According to both ASAs the
tunnel is up, and does not get torn down by the ADSL disconnect.
As a workaround I have set the SA lifetime value from the default 8 hours to 10 minutes. After the ADSL line disconnects and the lifetime expires, the key is recalculated and the tunnel passes traffic again, meaning that the disconnect will last 10 min in the worst case.
We will have 10 more branch offices soon. Will this short SA lifetime have a negative effect on the HQ_ASA5510? We have 3 branch offices running with an SA lifetime of 10 min, but the CPU load on the HQ_ASA is hardly noticeable at the moment.
I would like to find a more elegant solution, since a 10min disconnect is still unacceptable (Client working on Terminal
Server in HQ). An expert told me that this issue was resolved in ASA 8.0(4), but I had the same problem running the same
setup in a test lab on ASA 8.0(4). Also I've had some problems with the 8.0(4) version and QoS, so I want to avoid upgrading. Maybe I am missing something?
Any advice would be appreciated!
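The two quantities the question turns on are the outage window (how long traffic is blackholed after the branch's public IP changes, when only the SA lifetime can recover the tunnel) and the rekey load a short lifetime puts on the hub. The toy model below is an added illustration and not code from the post or from Cisco; all addresses, times and the `outage_with_liveness` function (a generic peer-liveness check, assumed here, not something the post describes) are constructed for the example.

```python
"""Added illustration, not code from the original post: a toy model of the
outage window described in the question (tunnel stays 'up' after the branch
public IP changes until the IKE SA is rekeyed) and of the rekey load that a
short SA lifetime places on the HQ peer. All values are constructed."""

from dataclasses import dataclass


@dataclass
class TunnelSA:
    """One IKE/IPsec security association as seen from the hub."""
    peer_ip: str            # public address the SA is bound to (constructed)
    established_at: float   # seconds since an arbitrary epoch
    lifetime: float         # SA lifetime in seconds


def next_rekey(sa: TunnelSA) -> float:
    """Time at which the scheduled rekey replaces the SA."""
    return sa.established_at + sa.lifetime


def outage_without_liveness(sa: TunnelSA, ip_change_at: float) -> float:
    """Seconds of blackholed traffic when only the SA lifetime can recover
    the tunnel: from the IP change until the scheduled rekey. The worst case
    (IP change right after a rekey) equals the full lifetime."""
    if not sa.established_at <= ip_change_at < next_rekey(sa):
        raise ValueError("IP change must fall inside the SA lifetime")
    return next_rekey(sa) - ip_change_at


def outage_with_liveness(probe_interval: float, retries: int,
                         retry_interval: float) -> float:
    """Hypothetical peer-liveness check (an assumption, not from the post):
    a probe is sent after `probe_interval` seconds of silence and retried
    `retries` times every `retry_interval` seconds; the stale SA is then torn
    down and the client reconnects. Detection delay no longer depends on the
    SA lifetime."""
    return probe_interval + retries * retry_interval


def rekeys_per_hour(branches: int, lifetime: float) -> float:
    """Scheduled IKE rekeys the hub must perform per hour for `branches`
    hardware clients, each with the given SA lifetime in seconds."""
    return branches * 3600.0 / lifetime


if __name__ == "__main__":
    sa = TunnelSA(peer_ip="203.0.113.5", established_at=0.0, lifetime=600.0)
    print("outage, IP change 2 min after rekey:",
          outage_without_liveness(sa, 120.0), "s")
    print("worst case outage:", outage_without_liveness(sa, 0.0), "s")
    print("outage with liveness check (10 s idle, 3 retries x 2 s):",
          outage_with_liveness(10.0, 3, 2.0), "s")
    print("hub rekeys/hour, 13 branches @ 10 min:", rekeys_per_hour(13, 600.0))
    print("hub rekeys/hour, 13 branches @ 8 h:", rekeys_per_hour(13, 8 * 3600.0))
```

With the post's numbers, 13 branches at a 10 minute lifetime means the hub performs 78 scheduled rekeys per hour instead of under 2 at the default 8 hours; the model also makes explicit that the outage window is bounded by the lifetime only as long as nothing else detects that the peer's address is stale.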