IPSec Tunnel Drop for 15 Minutes

Unanswered Question
May 7th, 2009

Hi NetPro,

My l2l VPN tunnel between ASA and IOS drops randomly about every 23 hours. It takes up to 15 minutes for the tunnel to be re-established. 'debug crypto isakmp' on the 1841 router shows that negotiation is taking place the whole time during these 15 minutes. Can you please explain the logs?

IOS is configured as below. DMVPN hub is also configured on this router.


crypto keyring Global
 pre-shared-key address key xxxxxxxxxxxxxxxxxxxxx

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto isakmp keepalive 600
crypto isakmp nat keepalive 10
crypto isakmp profile DMVPN
 keyring Global
 match identity address
crypto isakmp profile l2l
 keyring Global
 match identity address A.A.A.A
 keepalive 600 retry 10

crypto ipsec security-association lifetime seconds 86400

crypto ipsec transform-set ppx_vpn esp-3des esp-md5-hmac
crypto ipsec transform-set dmvpn-tran esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec nat-transparency spi-matching

crypto ipsec profile vpnprof
 set security-association lifetime seconds 3600
 set transform-set dmvpn-tran
 set isakmp-profile DMVPN

crypto map spicers_vpn 10 ipsec-isakmp
 set peer A.A.A.A
 set security-association idle-time 86400
 set transform-set ppx_vpn
 set isakmp-profile l2l
 match address VPNTunnel


Thanks in advance.


a-vazquez Thu, 05/14/2009 - 06:14

When VPN Client drops connection frequently you may receive the following error:

"Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool" or "VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by tier. Reason 433."

The problem might be with the IP pool assignment, either through the ASA/PIX or the RADIUS server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. RADIUS servers must be able to assign the proper IP addresses to the clients.

Chuan Liu Thu, 05/14/2009 - 13:19


Thanks for your response. This is a site-to-site tunnel.

The problem was solved by having a separate keyring for each ISAKMP profile.
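An added check (not from anyone in this thread) that audits an IOS running-config for the pattern described above: two ISAKMP profiles pointing at one keyring. It flags the shared keyring and produces the per-profile split that resolved the problem. The sample config is constructed from the posted snippet, with placeholders for the redacted peer address and key.

```python
# Constructed sample modelled on the posted IOS config (redacted values are placeholders).
SAMPLE_CONFIG = """\
crypto keyring Global
 pre-shared-key address PEER-ADDRESS key REDACTED
crypto isakmp profile DMVPN
 keyring Global
 match identity address
crypto isakmp profile l2l
 keyring Global
 match identity address A.A.A.A
"""

def parse_blocks(config):
    # Top-level commands start in column 0; indented lines belong to them.
    blocks = []
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif line.strip() and blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def shared_keyrings(config):
    # {keyring: [profiles]} for keyrings referenced by more than one ISAKMP profile.
    users = {}
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp profile "):
            for sub in body:
                if sub.startswith("keyring "):
                    users.setdefault(sub.split()[1], []).append(header.split()[-1])
    return {k: v for k, v in users.items() if len(v) > 1}

def split_keyrings(config):
    # Each profile gets its own copy of a shared keyring, named <keyring>-<profile>.
    shared = shared_keyrings(config)
    out = []
    for header, body in parse_blocks(config):
        name = header.split()[-1]
        if header.startswith("crypto keyring ") and name in shared:
            for profile in shared[name]:
                out.append(f"crypto keyring {name}-{profile}")
                out.extend(" " + line for line in body)
            continue
        out.append(header)
        for sub in body:
            words = sub.split()
            if header.startswith("crypto isakmp profile ") and words[0] == "keyring" and words[1] in shared:
                sub = f"keyring {words[1]}-{name}"  # repoint the profile at its own copy
            out.append(" " + sub)
    return "\n".join(out) + "\n"
```

Feed it the output of `show running-config` to audit a live router; the rewritten text is a suggestion to review, not a config push.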
