VPN tunnel between 2 ASAs partially stops working

Unanswered Question
Aug 3rd, 2009

Hello,

I have configured an L2L tunnel between two ASA5505s running version 7.2(4) and I have this strange problem:

the tunnel is up and stable, and I route 4 networks over the tunnel, but every 2-3 days the tunnel stops forwarding traffic on one of the four networks (never the same network), and the only way to recover is to issue a "clear ipsec sa" on one of the two ASAs.


Looking at the IPsec counters when I have the problem, I see that packets are sent but they are never received on the other end.


Does anybody have a clue what is happening?

I have installed tens of ASAs and only these two are giving me this problem.

BTW, both ASAs use the same Internet provider.


Thanks in advance and regards,

Giovanni
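The symptom described above (encaps counters climbing on one side while the peer's decaps counter for that same SA stands still) can be checked mechanically rather than by eye. The script below is an added example, not code from the original thread or from Cisco: it parses two snapshots of "show crypto ipsec sa" output taken a few minutes apart, groups counters per local/remote identity pair, and reports any SA whose encaps count grew while its decaps count did not. The snapshot text is constructed to mimic the ASA 7.2 output layout; the networks, peer addresses and counter values are made-up sample data, not taken from the poster's devices.

```python
"""Flag one-way IPsec SAs from two `show crypto ipsec sa` snapshots (added example)."""
import re

# Constructed sample output, modeled on the ASA 7.2 `show crypto ipsec sa` layout.
# Addresses and counters are invented for illustration.
SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (139.128.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (151.92.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
      #pkts decaps: 490, #pkts decrypt: 490, #pkts verify: 490
"""

# Same device a few minutes later: the 139.128.0.0/16 SA keeps sending but
# receives nothing back, while the 151.92.0.0/16 SA moves in both directions.
SNAPSHOT_T1 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (139.128.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (151.92.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 700, #pkts encrypt: 700, #pkts digest: 700
      #pkts decaps: 690, #pkts decrypt: 690, #pkts verify: 690
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER_RE = re.compile(r"^#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return {(local_ident, remote_ident): {'encaps': n, 'decaps': n}}.

    A 'local ident' line starts a new SA entry; the following 'remote ident'
    line completes its key, and the #pkts lines fill in the two counters.
    """
    sas = {}
    local = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                local = m.group(2)
            else:
                current = (local, m.group(2))
                sas[current] = {"encaps": 0, "decaps": 0}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sas[current][m.group(1)] = int(m.group(2))
    return sas


def one_way_sas(before, after):
    """List SAs whose encaps count grew between snapshots while decaps stayed flat.

    Each result is (local_ident, remote_ident, delta_encaps, delta_decaps).
    """
    old, new = parse_ipsec_sa(before), parse_ipsec_sa(after)
    stuck = []
    for key, counters in new.items():
        prev = old.get(key, {"encaps": 0, "decaps": 0})
        d_enc = counters["encaps"] - prev["encaps"]
        d_dec = counters["decaps"] - prev["decaps"]
        if d_enc > 0 and d_dec == 0:
            stuck.append((key[0], key[1], d_enc, d_dec))
    return stuck


if __name__ == "__main__":
    for local, remote, d_enc, d_dec in one_way_sas(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"one-way SA {local} -> {remote}: +{d_enc} encaps, +{d_dec} decaps")
```

Running it against the two constructed snapshots reports only the 139.128.0.0/16 SA. In practice you would paste real snapshots from both ASAs: if the sending side shows growing encaps and the receiving side shows flat decaps for the same identity pair, the packets are being lost or dropped between the two, which narrows the problem to the SA itself (or the path) rather than routing on either LAN.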

Patrick0711 Mon, 08/03/2009 - 19:07

I would suggest that you set up some type of VPN-specific logging to see what's going on when the problem occurs.


The following will enable VPN logging in the firewall buffer:

logging enable
logging buffer-size 4096
logging class vpn buffered informational


The following will send VPN messages to a server behind the firewall:

logging enable
logging timestamp
logging list vpn-list level debugging class vpn
logging trap vpn-list
logging host inside x.x.x.x



gbruna Tue, 08/04/2009 - 00:09

Thanks,

I added the logging commands and I'll see what happens; basically I have this problem every 16-17 hours.


Giovanni

gbruna Wed, 08/05/2009 - 06:18

Hello,

This morning I had the same problem: the tunnel had been up for a day.

I have two ASA5505 one in the main office and one in a remote office.

Over the VPN tunnel I route two class B networks: 139.128.0.0/16 and 151.92.0.0/16.

From the attached logs I see that at 15:30 the ASA at the remote office successfully starts a new connection for 151.92.0.0/16, and nothing is done for net 139.128.0.0.

The result is that data for 151.92.0.0 is OK but no data is passing for 139.128.0.0. The IPsec SA is up but no data is received on either end, and the only way to resume activity was to issue a "clear ipsec sa".

Any help would be highly appreciated as I'm really lost with this problem.


Thanks in advance,

Giovanni

Attachment: 
fabiossilva Fri, 09/11/2009 - 04:13

Hi Giovanni, I have the same problem with some clients.

The tunnel is up for some time, and sometimes the tunnel stops forwarding traffic and I need to clear the ipsec and isakmp SAs. The tunnel is still UP but it can't pass any traffic before I "reset" the tunnel.

Do you have any idea how to solve this problem? It seems to be a bug.


Best Regards,

Fabio
