Cisco Support Community
Community Member

Site to site vpn after upgrading to 8.0(4)

Hi All,

We have a site-to-site VPN between the US (Cisco ASA-5510) and India (Netscreen).

Recently we have changed the ISP.

Therefore, we changed the peer-end IP; after that we upgraded the US-end ASA from 7.2(3) to 8.0(4).

After this upgrade, every 4+ hours the tunnel goes down and we have to refresh the tunnel, after which it comes up. We did not face this issue when we had image 7.2(3).

We tried changing the lifetime on both sides, but no luck.

On the Cisco ASA we have terminated 6 tunnels, but for the other tunnels we are not having any problem.

Could somebody suggest?




Re: Site to site vpn after upgrading to 8.0(4)

Have you tried different threshold parameters in the dead peer detection (DPD) statements, if any, at both ends of the tunnel to see if that helps? Configure it under the tunnel-group attributes; just a suggestion.

hostname(config)# tunnel-group <tunnel-group-name> ipsec-attributes

hostname(config-tunnel-ipsec)# isakmp keepalive threshold 20 retry 2



Community Member

Re: Site to site vpn after upgrading to 8.0(4)

Thanks for the reply.

I had already enabled ISAKMP keepalives on both sides.

I checked the entire NetPro forum and some engineers suggested:

1. Disable IP compression under the tunnel group.

2. I searched for a bug using the Bug tool (it closely matches this: CSCsv63354 Bug Details).

3. Change ISAKMP & IPsec timings.

The 3rd step I had already tried; regarding the 1st and 2nd steps, some senior forum members may suggest whether to try them.

Any other suggestions, please.



Cisco Employee

Re: Site to site vpn after upgrading to 8.0(4)


You have done some good timing calculation that is going to help you resolve the issue, I think.

Even though your main issue is the tunnel going down, you bring up a good observation, that is the tunnel going down every 4 hours. One thing that comes to my mind is the ARP default timer, which is 4 hours. So your issue may not be related to the IPsec tunnel but to ARP and asymmetrical routing. Check your L2 and L3 connectivity to see if there is a chance that the ARP entry times out after 4 hours and you do something that forces the L3 device to relearn the ARP entry and forward traffic.



*Pls rate if it helps*
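The 4-hour correlation suggested above is something you can check from logs rather than by feel. The script below is an added example, not part of this thread and not Cisco tooling: it takes constructed syslog-style lines (the timestamps, peer address, and the "torn down" wording are made up for illustration and are not claimed to match real ASA message formats), extracts the time of each tunnel-down event, and compares the intervals between consecutive drops with the ASA's default `arp timeout` of 14400 seconds. The 10% tolerance and the log line format are assumptions.

```python
import re
from datetime import datetime

# ASA default `arp timeout` is 4 hours = 14400 seconds.
ASA_ARP_TIMEOUT_S = 14400

# Constructed sample log, NOT real ASA output: timestamps, hostname, peer
# address and message text are made up to illustrate the check.
SAMPLE_LOG = """\
Mar 10 2009 02:14:33 asa1 IKE: Group = 203.0.113.9, IP = 203.0.113.9, Session is being torn down. Reason: Lost Service
Mar 10 2009 02:15:02 asa1 IKE: Group = 203.0.113.9, IP = 203.0.113.9, Phase 2 SA established
Mar 10 2009 06:20:01 asa1 IKE: Group = 203.0.113.9, IP = 203.0.113.9, Session is being torn down. Reason: Lost Service
Mar 10 2009 06:20:40 asa1 IKE: Group = 203.0.113.9, IP = 203.0.113.9, Phase 2 SA established
Mar 10 2009 10:22:47 asa1 IKE: Group = 203.0.113.9, IP = 203.0.113.9, Session is being torn down. Reason: Lost Service
Mar 10 2009 10:23:10 asa1 IKE: Group = 203.0.113.9, IP = 203.0.113.9, Phase 2 SA established
Mar 10 2009 15:30:00 asa1 IKE: Group = 203.0.113.9, IP = 203.0.113.9, Session is being torn down. Reason: Lost Service
"""

# Assumed line shape: "<Mon DD YYYY HH:MM:SS> <host> ...". Only the leading
# timestamp and the "torn down" keyword are relied on.
_DROP_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*torn down")
_TS_FMT = "%b %d %Y %H:%M:%S"


def parse_drop_times(log_text):
    """Return the timestamps (in order) of lines that record a tunnel teardown."""
    times = []
    for line in log_text.splitlines():
        m = _DROP_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), _TS_FMT))
    return times


def drop_intervals(times):
    """Seconds between consecutive tunnel-down events."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def consistent_with_arp_timer(intervals, timeout_s=ASA_ARP_TIMEOUT_S, tolerance=0.10):
    """True when every interval falls within +/-tolerance of the ARP timeout.

    An empty interval list gives False: one drop tells you nothing about a period.
    """
    if not intervals:
        return False
    lo, hi = timeout_s * (1 - tolerance), timeout_s * (1 + tolerance)
    return all(lo <= i <= hi for i in intervals)


def analyze(log_text):
    """Convenience wrapper: (drop count, intervals, matches-ARP-timer?)."""
    times = parse_drop_times(log_text)
    intervals = drop_intervals(times)
    return len(times), intervals, consistent_with_arp_timer(intervals)


if __name__ == "__main__":
    count, intervals, matches = analyze(SAMPLE_LOG)
    print(f"tunnel-down events: {count}")
    for i in intervals:
        print(f"  interval: {i} s ({i / 3600:.2f} h)")
    print("all intervals within 10% of ARP timeout:", matches)
```

In the constructed sample the first two intervals (14728 s and 14566 s) sit within 10% of 14400 s, while the last one (18433 s) does not, so the function reports no clean match; a real log that does match is a reason to look at the ARP table and the L3 path before the IPsec configuration.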

Community Member

Re: Site to site vpn after upgrading to 8.0(4)


Good point.

I am going to look into L2 and L3 connectivity and also asymmetrical routing.

I am unable to understand, because we are facing this issue after the upgrade to 8.0(4), but when we had 7.2(3) there was no issue.


