Site-to-Site Tunnel Drops Intermittently

Unanswered Question
Jun 15th, 2010

I currently have seven site-to-site VPNs configured.  With the exception of the one that I can control both sides of, they all drop intermittently.

To simplify this question I want to focus on one of these tunnels.

My side is an ASA5520.

The other side is a Checkpoint Device.

The tunnel will drop approximately once a day, though the time of day varies.

As a measure of network stability, one of the other tunnels has both endpoints using Cisco hardware, an ASA5520 and a 2811 router. This tunnel has been up for several weeks.

I have confirmed to the best of my knowledge that the Phase 1 and Phase 2 timers both match.

Attached is a log snippet showing the rekey negotiations that always seem to precede the tunnel dropping.

Any thoughts would be appreciated.

I am attempting to capture additional debug data and will post when I do so.


After running 'debug crypto isakmp 254' for several hours I captured 3 Phase II rekeying events.  None of them caused the tunnel to drop.

However I did notice that they were occurring exactly 51 minutes apart even though the Phase II rekey duration timer is set to 60 minutes.

TODD RIEMENSCHNEIDER Wed, 06/16/2010 - 09:08

I noticed that in your logs it states the peer does not support keepalives. Could you have the Checkpoint enable IKE keepalives or dead peer detection?

Wondering if that could help.

-Todd

Wed, 06/16/2010 - 10:33


Thanks, I did notice that as well and disabled keepalives on my side.  I am waiting to see if that makes a difference.

Fri, 06/18/2010 - 08:42

After a false start with determining how to disable keepalives: it was not enough to remove the config line that enabled them; I had to specifically disable them.

That may have solved the problem.  I am hesitant to jinx it by saying that was the answer just yet, but the tunnel has now been up for over 24 hours, which is a record.

Thanks again.
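The keepalive behaviour described in the post above, shown as an added configuration example; this is not configuration from the original post or from either poster's devices. On the ASA, DPD keepalives are on by default for every IPsec tunnel-group (threshold 10 s, retry 2), so `no isakmp keepalive` only returns the tunnel-group to that default, while `isakmp keepalive disable` is what actually turns them off. The peer address 203.0.113.10, the pre-shared key, the ACL name, the transform-set name and the crypto map name are placeholders, and the ciphers are illustrative rather than what the thread's tunnel used.

```text
! Added example, ASA 8.x syntax. Peer, key, ACL, transform-set and map names are placeholders.
!
! --- Phase 1 (ISAKMP / IKEv1) ---
! lifetime must match the Checkpoint's Phase 1 lifetime (24 h here).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! --- Phase 2 (IPsec) ---
! security-association lifetime must match the Checkpoint's Phase 2 lifetime (60 min here).
access-list L2L_TO_PARTNER extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_PARTNER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside
!
! --- Tunnel-group: this is where the keepalive setting lives ---
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY
 !
 ! Default, in force even when 'show run' does not print it:
 !   isakmp keepalive threshold 10 retry 2
 !
 ! WRONG way to turn DPD off; this only restores the default above:
 !   no isakmp keepalive
 !
 ! RIGHT way when the peer does not advertise DPD support:
 isakmp keepalive disable
!
! --- Verify ---
! 'show running-config all' prints defaults that a plain 'show run' hides:
!   show running-config all tunnel-group 203.0.113.10
! Confirm both SAs and their lifetimes after the change:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 203.0.113.10
```

After applying the change, `show running-config all tunnel-group 203.0.113.10` should list `isakmp keepalive disable`; if it still shows `isakmp keepalive threshold 10 retry 2`, the `no` form was used and DPD is still running. The alternative to disabling DPD on the ASA is enabling it on the Checkpoint so that both peers advertise it during Phase 1. Rekey intervals somewhat shorter than the configured lifetime are expected on their own: an IPsec endpoint negotiates the replacement SA before the old one expires so that traffic is not interrupted.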

slinzmeier Wed, 06/16/2010 - 16:15

Make these entries in the ASA 5505:

isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2

(should solve the problem)
