I have a LAN-to-LAN tunnel set up between two PIXs, one a 515E running 7.0.4 and the other a 520 running 6.3.3. Periodically the tunnel will drop for about 15-20 minutes and then re-establish again. I cannot see any reason in the IPsec logging information as to why this is happening. It seems to be a normal part of the IPsec L2L process and therefore is not logged. The last time this happened I got the following information while doing a sh crypto isakmp sa:

C515-A# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6

It seems as though there is a timer somewhere that is expiring that drops the session on one side. Then the session on the other side times out and the session gets re-established. ISAKMP keepalives are disabled on both sides, but it still does no good. I have tried this with keepalives enabled and still get the same result. If anyone has seen this before, I would appreciate a fix. Thanks.