We've got an ASA 5520 working as an endpoint for multiple VPN L2L tunnels. It initially had version 7.2 loaded, but we have since downgraded to 7.1(2). However, in both versions we are experiencing a problem whereby the box will occasionally begin denying traffic across already established tunnels for no reason. The logs always show 'deny inbound, flags syn on interface outside' messages. Additionally, it usually cascades to eventually include all traffic on all tunnels.
I have also found that if I manually reset one of our tunnels, this kick-starts the above problem across all other tunnels. The only resolution I have found so far is to log out all L2L sessions. They immediately re-form and the traffic starts to pass normally.
Looking through the bug database, I cannot find this exact problem, and the few that might be similar are reported as resolved. Is there a stable firmware version out there yet, or are they all somewhat buggy?
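One way to spot the cascade described above from the ASA syslog, as an added example that is not part of the original post and not Cisco's own tooling: it assumes the denies arrive as full %ASA-2-106001 lines (the post quotes only the short form) and that the remote network behind each L2L tunnel is known; the log lines and tunnel networks below are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines in the assumed %ASA-2-106001 format.
SAMPLE_LOG = """\
Jan 10 09:00:01 asa %ASA-2-106001: Inbound TCP connection denied from 10.1.1.5/51234 to 192.168.10.7/445 flags SYN on interface outside
Jan 10 09:00:03 asa %ASA-2-106001: Inbound TCP connection denied from 10.1.1.9/51240 to 192.168.10.7/80 flags SYN on interface outside
Jan 10 09:00:20 asa %ASA-2-106001: Inbound TCP connection denied from 10.2.2.4/40001 to 192.168.10.20/22 flags SYN on interface outside
Jan 10 09:00:45 asa %ASA-2-106001: Inbound TCP connection denied from 10.3.3.8/40500 to 192.168.10.21/443 flags SYN on interface outside
Jan 10 09:05:00 asa %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/6000 to 192.168.10.7/22 flags SYN on interface outside
"""

# Remote protected networks per L2L tunnel (constructed; in practice take
# them from the crypto map ACLs). A denied source inside one of these
# networks means traffic that should have arrived through that tunnel.
TUNNELS = {
    "branch-a": ipaddress.ip_network("10.1.1.0/24"),
    "branch-b": ipaddress.ip_network("10.2.2.0/24"),
    "branch-c": ipaddress.ip_network("10.3.3.0/24"),
}

PATTERN = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*%ASA-2-106001: Inbound TCP connection "
    r"denied from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+ "
    r"flags (?P<flags>\S+) on interface (?P<iface>\S+)"
)


def parse_denies(text):
    """Return (timestamp, tunnel_name_or_None, src) for every SYN deny on 'outside'."""
    events = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if not m or m["iface"] != "outside" or "SYN" not in m["flags"].upper():
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant here
        src = ipaddress.ip_address(m["src"])
        tunnel = next((name for name, net in TUNNELS.items() if src in net), None)
        events.append((ts, tunnel, m["src"]))
    return events


def cascade_windows(events, window=timedelta(minutes=1), min_tunnels=2):
    """Windows in which denies hit at least min_tunnels distinct tunnels.

    Plain Internet scans (source in no tunnel network) are ignored; denies
    that span several tunnels inside one window are the cascade symptom.
    Returns a list of (window_start, sorted tunnel names)."""
    tunneled = [(ts, t) for ts, t, _ in events if t is not None]
    hits = []
    for i, (start, _) in enumerate(tunneled):
        names = {t for ts, t in tunneled[i:] if ts - start <= window}
        if len(names) >= min_tunnels:
            hits.append((start, sorted(names)))
    return hits
```

Pointing it at a live syslog feed is a cheap way to tell a tunnel-wide deny cascade apart from ordinary noise on the outside interface.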