06-15-2010 01:34 PM
I currently have seven site-to-site VPNs configured. With the exception of the one that I can control both sides of, they all drop intermittently.
To simplify this question I want to focus on one of these tunnels.
My side is an ASA5520.
The other side is a Checkpoint Device.
The tunnel will drop approximately once a day, though the time of day varies.
As a measure of network stability, one of the other tunnels has both endpoints using Cisco hardware, an ASA5520 and a 2811 router. This tunnel has been up for several weeks.
I have confirmed to the best of my knowledge that the Phase 1 and Phase 2 timers both match.
Attached is a log snippet showing the rekey negotiations that always seem to precede the tunnel dropping.
Any thoughts would be appreciated.
I am attempting to capture additional debug data and will post when I do so.
UPDATE:
After running 'debug crypto isakmp 254' for several hours I captured 3 Phase II rekeying events. None of them caused the tunnel to drop.
However I did notice that they were occurring exactly 51 minutes apart even though the Phase II rekey duration timer is set to 60 minutes.
06-16-2010 09:08 AM
I noticed that your logs state that the peer does not support keepalives. Could you have the Checkpoint enable IKE keepalives or dead peer detection?
Wondering if that could help.
-Todd
06-16-2010 10:33 AM
Todd,
Thanks, I did notice that as well and disabled keepalives on my side. I am waiting to see if that makes a difference.
06-18-2010 08:42 AM
After a false start with determining how to disable keepalives: it was not enough to remove the config line that enabled them. I had to specifically disable them.
That may have solved the problem. I am hesitant to jinx it by saying that was the answer just yet, but the tunnel has now been up for over 24 hours, which is a record.
Thanks again.
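For anyone landing on this thread later, here is the ASA configuration the two posts above are talking about, as an added example rather than config from the original poster. The peer address 203.0.113.10, the ACL, crypto map and transform-set names, and the lifetimes are assumed for illustration. The point it shows is the one found above: on the ASA, IKE keepalives (DPD) are on by default for every tunnel-group (threshold 10, retry 2), so "no isakmp keepalive" only puts the default back; the only way to turn them off for a peer that does not support them is "isakmp keepalive disable" under that peer's ipsec-attributes.

```text
! Added example (not from this thread). Peer address, names and lifetimes are assumed.

! Phase 1 policy: lifetime must match what the Checkpoint side is configured with
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp enable outside

! Phase 2: transform set, peer and a 60 minute SA lifetime (3600 seconds)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list VPN_TO_CHECKPOINT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_CHECKPOINT
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside

! BEFORE: keepalives on. This line is also the ASA default, so
! "no isakmp keepalive" returns to exactly this and changes nothing.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2

! AFTER: keepalives explicitly disabled, for this peer only.
! Other tunnel-groups (for example the ASA-to-2811 tunnel) keep DPD.
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive disable

! Verify the setting took and watch the SAs survive a rekey
show running-config tunnel-group 203.0.113.10
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

After applying it, "show running-config tunnel-group 203.0.113.10" should list "isakmp keepalive disable"; if the keepalive line is simply absent, the default (enabled) is still in effect. Disabling DPD toward a peer that cannot answer it stops the ASA from declaring the peer dead and tearing the SAs down, but it also means a genuinely dead peer will only be noticed when traffic or a rekey fails, so keep the Phase 2 lifetime reasonably short on such tunnels.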
06-16-2010 04:15 PM
Make these entries in the ASA 5505:
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
(should solve the problem)