
ASA5510/SSG520 VPN Phase1 renegotiation problem

Unanswered Question
Jan 24th, 2012


I have a problem with multiple VPN tunnels that I cannot figure out.

I have an IPSEC site-to-site VPN between a Cisco ASA5510 and a Juniper SSG520.

The VPN is up and running as expected except when Phase 1 needs to be renegotiated.

When that happens (every 24 hours) the Citrix clients lose connection to the Citrix server and the Outlook clients are reporting "Offline".

I have setup some ping jobs that shows that only 1 packet is lost during the Phase 1 renegotiation.

The users can connect to the servers afterwards without any problems but they are annoyed by this.

I have updated both firewalls to the newest firmware release without any luck.

Does anyone have a clue as to how to get this fixed?

Before we changed to the ASA5510 we were using a Watchguard X700 firewall and that didn't have this problem.

Hope someone can shed some light on this.

Best Regards


rizwanr74 Tue, 01/24/2012 - 07:51


By default, phase one is valid for 24 hrs.

Check, when the tunnel comes up, which particular phase-one parameters are exchanged, and create a duplicate of that particular policy with a lifetime value of zero; the same policy must exist on the other side of the tunnel.

Try if that helps.


martinmadsen Tue, 01/24/2012 - 23:55

Thanks for your answer. I believe it isn't possible to create a Phase 1 that is unlimited in time and amount of data. At least ASDM tells me this isn't possible; I guess this is a safety precaution.

Anyway, if I need to do some debugging on the ASA, what elements should I enable debugging on?


