I have multiple (let's say about 50) remote sites which have an ASA 5505 at them connecting via an IPsec VPN connection back to our main office. Most of the time, these connections work great, but it seems like within the span of about 1 week, at least 4 or 5 require either a reboot or the command "ipsec reset sa peer x.x.x.x" to be run to re-establish the VPN tunnel. Now, this is more of a nuisance than a real problem because they always come back up, but my employer would like to know if there is a way to minimize these issues. Here are some details and my thoughts:
Remote sites each have a 5505, running various OS versions, but none too terribly old. They connect back to HQ using either a DSL or cable modem connection.
HQ ASA is a 5520 in a failover pair. It is running ASA version 8.0(3) and ASDM version 6.0(3) and has a good 'net connection.
All have static IPs and in every case, there is no known issue with the network connections, just a loss of the VPN tunnel.
My gut instinct is to upgrade the remote ASAs to the same ASA firmware version as the HQ ASA. I expect that we will still encounter some times when we will need to reset the VPN tunnel, but I would expect that they would be fewer if the OS versions matched than they are now. I think the likely culprit is the instability of cable modem and DSL connections.
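As an added example (not part of the original post, and not the poster's configuration), here is the check a practitioner would run on the HQ 5520 before touching firmware: confirm whether IKE dead peer detection (DPD) keepalives are enabled on the LAN-to-LAN tunnel-groups. On ASA 8.0 code, without keepalives, a tunnel whose remote end rebooted or changed state on a flaky DSL/cable link can leave a stale SA at HQ that is only cleared by hand. The peer address `203.0.113.10` and the tunnel-group name are placeholders assumed for the example; the threshold and retry values are illustrative and should be tuned to the links in question.

```cisco
! --- Inspect the current state for one remote site (placeholder peer 203.0.113.10) ---
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
show vpn-sessiondb l2l

! --- Check whether DPD keepalives are already configured on the L2L tunnel-group ---
show running-config tunnel-group 203.0.113.10

! --- Enable DPD keepalives on the tunnel-group if they are missing ---
! threshold: seconds of idle time before a keepalive is sent
! retry:     seconds between retries before the peer is declared dead and the SA torn down
! (values are illustrative; match them on both ends of the tunnel)
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! --- Keep NAT-T enabled globally so UDP/4500 encapsulation survives CPE NAT state timeouts ---
! (the keepalive interval in seconds is illustrative)
crypto isakmp nat-traversal 20

! --- Manual clear of a stuck SA, equivalent to the reset described in the post ---
clear crypto ipsec sa peer 203.0.113.10
clear crypto isakmp sa
```

With DPD on both ends, a dead or rebooted 5505 is detected within threshold plus a few retries and the stale SA is removed automatically, so the next interesting traffic rebuilds the tunnel without an operator running the clear by hand. The `show` commands are worth running on the affected sites while the tunnel is stuck, since an ISAKMP SA present with no matching IPsec SA (or an IPsec SA whose lifetime counters have stopped) narrows the problem down more than a firmware version mismatch does.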