
New Member

ASA stops encrypt/decrypt in site to site vpn

Hi,

I have 5 branch offices and 1 head office. I am using version 8.6 at the HO and version 8.2 on the other branch firewalls. Many times I have found that the VPN stops decrypting/encrypting packets. Then I use packet tracer to allow, and then the VPN starts working automatically. Please tell me, is there a bug in the 8.6 version ASA? If it is a bug, which version should we upgrade to?

 

regards

rajat

7 REPLIES
New Member

Hi,

Please help me to resolve this.

 

regards

rajat

Cisco Employee

Hi,

Are these all ASA devices between which you have the L2L tunnels?

Also, have you verified the IPSEC Timeout, Keepalive messages and DPD settings on both the ends?

Thanks and Regards,

Vibhor Amrodia

 

New Member

Yes, it is the same.

Suddenly traffic stops across the L2L tunnel, then I need to run packet tracer, and then traffic starts.

I identified this bug, CSCun66613, in the open caveats for version 8.6, but I did not find in which version this caveat is resolved.

We are running version 8.6. Which version do you recommend for the upgrade? At the branch locations we are running version 8.2.

 

regards

rajat

Cisco Employee

Hi,

I am not sure if this would be the case in your issue, as you run a packet tracer to get it working again.

We have some defects on this code, but with them packet tracer should not resolve the issue either. I still think it has something to do with the IPSEC lifetime timer mismatch or DPD, as the packet tracer will refresh this timer and this resolves the issue for you.

Thanks and Regards,

Vibhor Amrodia
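
An added example, not part of the thread and not Cisco tooling: one way to carry out the check suggested in the reply above is to compare the IKE lifetime, IPsec SA lifetime and DPD keepalive lines taken from both peers' running configurations. The two config excerpts, the crypto map name and the peer addresses are constructed for illustration.

```python
import re

# Constructed running-config excerpts (not from the thread); documentation-range peer addresses.
HO_CONFIG = """\
crypto ikev1 policy 10
 lifetime 86400
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
tunnel-group 198.51.100.2 ipsec-attributes
 isakmp keepalive threshold 30 retry 5
"""
BRANCH_CONFIG = """\
crypto isakmp policy 10
 lifetime 86400
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
tunnel-group 203.0.113.1 ipsec-attributes
 isakmp keepalive disable
"""

def tunnel_settings(config):
    """Collect IKE lifetimes, IPsec SA lifetimes and DPD keepalive settings."""
    found = {"ike_lifetime": [], "ipsec_lifetime": [], "dpd": []}
    parent = ""
    for line in config.splitlines():
        if not line.startswith(" "):
            parent = line  # top-level command; indented lines below belong to it
            m = re.search(r"security-association lifetime seconds (\d+)", line)
            if m:
                found["ipsec_lifetime"].append(int(m.group(1)))
            continue
        sub = line.strip()
        # 8.2 writes "crypto isakmp policy"; 8.4 and later write "crypto ikev1 policy"
        if re.match(r"crypto (isakmp|ikev1) policy \d+", parent):
            m = re.fullmatch(r"lifetime (\d+)", sub)
            if m:
                found["ike_lifetime"].append(int(m.group(1)))
        elif re.match(r"tunnel-group \S+ ipsec-attributes", parent):
            if sub.startswith("isakmp keepalive "):
                found["dpd"].append(sub[len("isakmp keepalive "):])
    return {k: sorted(v) for k, v in found.items()}

def mismatches(config_a, config_b):
    """Return only the settings whose values differ between the two configs."""
    a, b = tunnel_settings(config_a), tunnel_settings(config_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for key, (ho, branch) in mismatches(HO_CONFIG, BRANCH_CONFIG).items():
        print(f"{key}: head office {ho} vs branch {branch}")
```

With the constructed excerpts, the IKE lifetime of 86400 matches on both ends while the IPsec SA lifetime and the DPD setting are reported as differing.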

New Member

Hi,

I checked the lifetime timer; it is configured as 86400 at all ends. I still do not know how to resolve this, or whether to go for an IOS upgrade. If we go for an IOS upgrade, then which IOS?

 

regards

rajat

Cisco Employee

Hi,

You can check this for more information:

https://supportforums.cisco.com/document/32546/dead-peer-detection

Also, an upgrade to ASA 9.x code should be fine.

Thanks and Regards,

Vibhor Amrodia

New Member

Hi,

Actually, intra VPN is also configured between the head office and the branch locations.

Head office to branch VPN ping works fine, but for branch to branch VPN via the head office, the ping response between branch locations suddenly stops. Then we run packet tracer, taking one branch location as the source and the other branch location as the destination.

That is the problem we are actually facing. Please suggest your best. I appreciate all your responses.

 

regards

rajat
