
ASA5510/SSG520 VPN Phase1 renegotiation problem

Unanswered Question
Jan 24th, 2012

Hey,


I have a problem with multiple VPN tunnels that I cannot figure out.


I have an IPSEC site-to-site VPN between a Cisco ASA5510 and a Juniper SSG520.


The VPN is up and running as expected except when Phase 1 needs to be renegotiated.


When that happens (every 24 hours), the Citrix clients lose connection to the Citrix server and the Outlook clients report "Offline".


I have setup some ping jobs that shows that only 1 packet is lost during the Phase 1 renegotiation.


The users can connect to the servers afterwards without any problems, but they are annoyed by this.


I have updated both firewalls to the newest firmware release without any luck.


Does anyone have a clue as to how to get this fixed?


Before we changed to the ASA5510 we were using a Watchguard X700 firewall, and that didn't have this problem.


Hope someone can shed some light on this.


Best Regards

Martin

rizwanr74 Tue, 01/24/2012 - 07:51

Hey


By default, phase one is valid for 24 hrs.


Check, when the tunnel comes up, which particular phase-one parameters are exchanged, and create a duplicate of that particular policy with a lifetime value of zero; the same policy must exist on the other side of the tunnel.


Try if that helps.



thanks

martinmadsen Tue, 01/24/2012 - 23:55

Thanks for your answer. I believe it isn't possible to create a Phase 1 that is unlimited in time and amount of data. At least ASDM tells me this isn't possible, I guess this is a safety precaution.


Anyway if I need to do some debugging on the ASA, what elements should I enable debugging on?


Thanks
