The EZVPN has been set up on an ASA 5505 VPN back to a hub ASA 5520 for a while, and it is working the way we wanted. It was set up as tunnel everything.
Recently, I made a change to split tunneling to allow servers out to the internet. The connection is up and running, but after 30 minutes or so no users are able to connect to the server behind the 5505. It should trigger the interesting traffic and build the connection, but it did not. The crypto ISAKMP SA shows the connection active. To trigger the traffic, I have to go to the 5505 and ping the IP address of the users' LAN.
The IPsec lifetime was increased to 84600 seconds, and on the hub side the VPN idle timeout and VPN session timeout were set to none, and still no good.
I forgot to mention I also set up the SLA monitor, but it did not work, even though manually pinging the same device gets a response. When I check the SLA monitor, it shows the latest operation return code: timeout, although the status is active.
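As an added example (not the poster's configuration, and not taken from the thread), this is how an ASA SLA monitor can be defined so that its ICMP echo is sourced from the inside interface and therefore counts as interesting traffic for an EZVPN tunnel. The hub-side host address 10.10.10.10, the SLA and track numbers, and the interface name "inside" are assumed placeholders.

```cisco
! Added example, not the poster's config. Placeholders: 10.10.10.10 (a host behind the
! hub ASA 5520 that lies inside the split-tunnel network), interface "inside",
! SLA id 10, track id 10.
!
! The echo is sourced from the address of the interface named on the "type echo" line.
! On a 5505 acting as an EZVPN hardware client, sourcing it from "inside" makes the probe
! originate from the protected network, so it matches the split-tunnel policy and keeps
! traffic flowing through the IPsec SA. A probe sourced from "outside" would not match
! the tunnel policy and would neither build nor refresh the tunnel.
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.10.10 interface inside
 num-packets 3
 frequency 30
sla monitor schedule 10 life forever start-time now
!
! Optional: a track object lets "show track 10" report reachability of the hub-side host.
! It is not required just to generate the keepalive traffic.
track 10 rtr 10 reachability
```

To check the result, `show sla monitor configuration 10` confirms which interface the probe is sourced from, and `show sla monitor operational-state 10` shows the latest return code; once the probe is sourced from the protected network and the hub-side host answers ICMP from that subnet, the return code should change from timeout to OK and the tunnel should stay populated with traffic without a manual ping from the 5505.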