
Site-to-Site Tunnel Drops Intermittently

dprice
Level 1

I currently have seven site-to-site VPNs configured. With the exception of the one that I can control both sides of, they all drop intermittently.

To simplify this question I want to focus on one of these tunnels.

My side is an ASA5520.

The other side is a Checkpoint Device.

The tunnel will drop approx. once a day, though the time of day varies.

As a measure of network stability, one of the other tunnels has both endpoints using Cisco hardware, ASA5520 and a 2811 router. This tunnel has been up for several weeks.

I have confirmed to the best of my knowledge that the Phase 1 and Phase 2 timers both match.

Attached is a log snippet showing the rekey negotiations that always seem to precede the tunnel dropping.

Any thoughts would be appreciated.

I am attempting to capture additional debug data and will post when I do so.

UPDATE:

After running 'debug crypto isakmp 254'  for several hours I captured 3 phase II rekeying events.  Neither caused the tunnel to drop.

However I did notice that they were occurring exactly 51 minutes apart even though the Phase II rekey duration timer is set to 60 minutes.
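One way to check both observations in the post above from saved syslog output: measure the spacing of Phase 2 rekeys against the configured lifetime, and flag a tunnel termination that follows a rekey closely. This is an added example, not part of the original thread; the log lines are constructed, and the line layout, the peer address 203.0.113.10 and the 120-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not the log attached to the thread). The layout is
# an assumption modelled on ASA syslog output with timestamps enabled.
SAMPLE_LOG = """\
Mar 10 2011 09:00:03: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=1a2b3c4d)
Mar 10 2011 09:51:03: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=2b3c4d5e)
Mar 10 2011 10:42:04: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=3c4d5e6f)
Mar 10 2011 11:33:05: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=4d5e6f70)
Mar 10 2011 11:33:40: %ASA-5-713050: Group = 203.0.113.10, IP = 203.0.113.10, Connection terminated for peer 203.0.113.10.
"""

LINE = re.compile(r"^(\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-\d-(\d{6}): .*?IP = ([\d.]+),")
REKEY, TERMINATED = "713120", "713050"  # Phase 2 completed / connection terminated

def parse(log):
    """Yield (timestamp, message_id, peer_ip) for each line that matches LINE."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"), m.group(2), m.group(3)

def analyse(log, peer, window_s=120):
    """Return (rekey intervals in seconds, terminations within window_s of a rekey)."""
    rekeys, drops = [], []
    for ts, msg_id, ip in parse(log):
        if ip != peer:
            continue
        if msg_id == REKEY:
            rekeys.append(ts)
        elif msg_id == TERMINATED and rekeys and ts - rekeys[-1] <= timedelta(seconds=window_s):
            drops.append((ts, int((ts - rekeys[-1]).total_seconds())))
    intervals = [int((b - a).total_seconds()) for a, b in zip(rekeys, rekeys[1:])]
    return intervals, drops

def early_rekeys(intervals, lifetime_s=3600):
    """Return (interval, shortfall) for rekeys that came before the configured lifetime."""
    return [(i, lifetime_s - i) for i in intervals if i < lifetime_s]

if __name__ == "__main__":
    intervals, drops = analyse(SAMPLE_LOG, "203.0.113.10")
    print("rekey intervals (min):", [round(i / 60, 1) for i in intervals])
    print("early vs 60 min lifetime:", early_rekeys(intervals))
    print("terminations shortly after a rekey:", drops)
```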


I noticed that in your logs it states peer does not support keepalives. Could you have the Checkpoint enable IKE keep-alives or dead peer detection?

Wondering if that could help.

-Todd

Todd,

Thanks, I did notice that as well and disabled keepalives on my side. I am waiting to see if that makes a difference.

After a false start with determining how to disable keepalives.

It was not enough to remove the config line that enabled them.  I had to specifically disable them.

That may have solved the problem.  I am hesitant to jinx it by saying that was the answer just yet but the tunnel has now been up for over 24 hours which is a record.

Thanks again.

slinzmeier
Level 1

Make these entries in the ASA 5505:

isakmp keepalive 10

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

(should solve the problem)
