VPN tunnel between 2 ASAs partially stops working

Unanswered Question
Aug 3rd, 2009

Hello,

I have configured an L2L tunnel between two ASA5505 running version 7.2(4) and I have this strange problem:

The tunnel is up and stable and I route 4 networks over the tunnel, but every 2-3 days the tunnel stops forwarding traffic on one of the four networks (never the same network) and the only way to recover is to issue a "clear ipsec sa" on one of the two ASAs.

Looking at the ipsec counters when I have the problem I see that packets are sent but they are never received on the other end....

Does anybody have a clue on what is happening?

I have installed tens of ASAs and only these two are giving me this problem.

BTW both ASA use the same Internet provider...

thanks in advance and regards

Giovanni

Patrick0711 Mon, 08/03/2009 - 19:07

I would suggest that you set up some type of VPN-specific logging to see what's going on when the problem occurs.

The following will enable VPN logging in the firewall buffer:

logging enable
logging buffer-size 4096
logging class vpn buffered informational

The following will send VPN messages to a server behind the firewall:

logging enable
logging timestamp
logging list vpn-list level debugging class vpn
logging trap vpn-list
logging host inside x.x.x.x

gbruna Tue, 08/04/2009 - 00:09

Thanks,

I added the logging commands and I'll see what happens: basically I have this problem every 16-17 hours.

Giovanni

gbruna Wed, 08/05/2009 - 06:18

Hello,

This morning I had the same problem: the tunnel had been up for a day.

I have two ASA5505, one in the main office and one in a remote office.

Over the VPN tunnel I route two class B networks: 139.128.0.0/16 and 151.92.0.0/16.

From the attached logs I see that at 15:30 the ASA at the remote office successfully starts a new connection for 151.92.0.0/16 and nothing is done for net 139.128.0.0.

The result is that data for 151.92.0.0 is OK but no data is passing for 139.128.0.0. The ipsec SA is up but no data is received on both ends... and the only way to resume activity was to issue a "clear ipsec sa".

Any help would be highly appreciated as I'm really lost with this problem.

thanks in advance

Giovanni

fabiossilva Fri, 09/11/2009 - 04:13

Hi Giovanni, I have the same problem with some clients.

The tunnel is up for some time, and sometimes the tunnel stops forwarding traffic and I need to clear ipsec and isakmp sa. The tunnel is still UP but it can't pass any traffic before I "reset" the tunnel.

Do you have any idea of how to solve this problem? Seems to be a bug.

Best Regards,

Fabio
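
The symptom reported in this thread (an SA that stays up while packets sent on one end are never received on the other) can be confirmed by taking `show crypto ipsec sa` twice on both ASAs and comparing the counters per network pair. The Python script below is an added example, not code from any poster; the snapshot texts, the 192.168.10.0/24 remote-office LAN and all function names are constructed for illustration.

```python
import re

# One SA in `show crypto ipsec sa`: its proxy identities, then its packet counters.
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<local>[\d.]+/[\d.]+)/\d+/\d+\).*?"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[\d.]+/[\d.]+)/\d+/\d+\).*?"
    r"#pkts encaps: (?P<encaps>\d+),.*?#pkts decaps: (?P<decaps>\d+),",
    re.S)

def parse_sa_counters(text):
    """Map (local net, remote net) -> (encaps, decaps) for every SA in the output."""
    return {(m["local"], m["remote"]): (int(m["encaps"]), int(m["decaps"]))
            for m in SA_RE.finditer(text)}

def one_way_flows(near_t0, near_t1, far_t0, far_t1):
    """Flows whose near-end encaps grew while the far-end decaps stayed flat."""
    n0, n1 = parse_sa_counters(near_t0), parse_sa_counters(near_t1)
    f0, f1 = parse_sa_counters(far_t0), parse_sa_counters(far_t1)
    stalled = []
    for (local, remote), (enc1, _) in n1.items():
        far_key = (remote, local)  # the peer sees the same flow with idents swapped
        if (local, remote) not in n0 or far_key not in f0 or far_key not in f1:
            continue  # SA missing in a snapshot: no baseline to compare against
        sent = enc1 - n0[(local, remote)][0]
        received = f1[far_key][1] - f0[far_key][1]
        if sent > 0 and received == 0:  # a rekey resets counters, giving sent <= 0
            stalled.append((local, remote, sent))
    return stalled

def sample(flows):
    """Build constructed output, trimmed to the lines the parser reads."""
    return "".join(
        f"      local ident (addr/mask/prot/port): ({loc}/0/0)\n"
        f"      remote ident (addr/mask/prot/port): ({rem}/0/0)\n"
        f"      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}\n"
        f"      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}\n"
        for loc, rem, enc, dec in flows)

LAN = "192.168.10.0/255.255.255.0"  # constructed remote-office LAN (assumption)
NET_A, NET_B = "139.128.0.0/255.255.0.0", "151.92.0.0/255.255.0.0"  # nets named in the thread
REMOTE_T0 = sample([(LAN, NET_A, 1000, 900), (LAN, NET_B, 500, 480)])
REMOTE_T1 = sample([(LAN, NET_A, 1400, 900), (LAN, NET_B, 650, 610)])
MAIN_T0 = sample([(NET_A, LAN, 900, 1000), (NET_B, LAN, 480, 500)])
MAIN_T1 = sample([(NET_A, LAN, 900, 1000), (NET_B, LAN, 610, 650)])

if __name__ == "__main__":
    print(one_way_flows(REMOTE_T0, REMOTE_T1, MAIN_T0, MAIN_T1))
```

Run it in both directions (swapping the near and far snapshots) so a one-way failure is caught whichever ASA is sending.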
