We're using two PIX firewalls (506 and 515) between two sites to establish a tunnel. We have no problem getting the initial tunnel working, and traffic routes fine over said tunnel for the entire day. It seems as though the tunnel dies around the same time each night (~10:30PM), and cannot be re-established until the routes are removed on the 515 and rebuilt (the smaller lab forwards all traffic, including internet, over the tunnel, i.e. the 515 acts as a hub in our architecture). To add to the equation, the 515 has a pretty comprehensive routing table to handle this internet traffic (see below), sending it to an internal router, which then routes it to another firewall and out to the internet.
We've tried manipulating different timeouts (xlate, conn, arp), reducing the size of the MTU to 1400, and changing the lifetime of the tunnel anywhere from 1000 seconds to 43200 (12 hours). The behavior seems to happen regardless of these changes.
The routes are as follows (with 184.108.40.206 being the internal router, and the specific 9.26.x.x subnets being our internal addresses):
This works perfectly for several hours, but as I said previously, dies once activity and traffic over the tunnel start to decrease. Until these routes are flushed, it looks as if tunnel creation is attempted on the PIXs, but doing a 'show crypto isakmp sa' reveals that the PIX that initiates the tunnel remains in MM_NO_STATE and the other PIX is in MM_SA_SETUP. As well, a 'show crypto ipsec sa' shows that nothing is being encrypted, and only send errors are showing.
Have you tried clearing the SAs and running a debug IP packet whilst getting the tunnel to re-establish? It could be you have an access-list that is stopping the traffic going to or from the other PIX to initiate the tunnel.
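As an added example (not part of either post, and not Cisco's code), the following Python parses the tabular part of a 'show crypto isakmp sa' listing and flags peers whose phase-1 SA never reached QM_IDLE. The sample listing is constructed to resemble the PIX 6.x output shape, with documentation-range placeholder addresses; the state names in INCOMPLETE_STATES are the standard ISAKMP main-mode and aggressive-mode state tokens. Running something like this against output collected from both firewalls around the failure time gives a defender a quick way to confirm the initiator/responder mismatch the question describes (MM_NO_STATE on one side, MM_SA_SETUP on the other) before digging into access-lists or debugs.

```python
import re

# Constructed sample in the general shape of a PIX 6.x 'show crypto isakmp sa'
# listing. Not captured from the poster's devices; addresses are placeholders.
SAMPLE_ISAKMP = """\
Total     : 2
Embryonic : 1
        dst               src        state     pending     created
   192.0.2.1        198.51.100.1   QM_IDLE          0           1
   192.0.2.1        198.51.100.2   MM_NO_STATE      0           0
"""

# Phase-1 states that mean the SA is still negotiating or has failed.
# MM_* = main mode, AM_* = aggressive mode; QM_IDLE means phase 1 completed.
INCOMPLETE_STATES = {
    "MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
    "AM_NO_STATE", "AM_INIT_EXCH", "AM_AUTH_AWAIT",
}

# One SA row: dst, src, STATE, pending, created. The header row and the
# Total/Embryonic lines do not match because 'state' is lower-case and
# the counters are not followed by two integer columns.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per SA row found in the listing."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        dst, src, state, pending, created = m.groups()
        rows.append({
            "dst": dst, "src": src, "state": state,
            "pending": int(pending), "created": int(created),
        })
    return rows


def stuck_peers(text):
    """Return (dst, src, state) for SAs that have not reached QM_IDLE."""
    return [
        (r["dst"], r["src"], r["state"])
        for r in parse_isakmp_sa(text)
        if r["state"] in INCOMPLETE_STATES
    ]


def summarize(text):
    """Count established versus incomplete phase-1 SAs in the listing."""
    rows = parse_isakmp_sa(text)
    incomplete = sum(1 for r in rows if r["state"] in INCOMPLETE_STATES)
    return {"total": len(rows), "established": len(rows) - incomplete,
            "incomplete": incomplete}


if __name__ == "__main__":
    print(summarize(SAMPLE_ISAKMP))
    for dst, src, state in stuck_peers(SAMPLE_ISAKMP):
        print(f"phase 1 not complete: {src} -> {dst} is in {state}")
```

Collect the listing from each PIX at the same moment: if the initiator shows MM_NO_STATE and the responder MM_SA_SETUP for the same peer pair, the first main-mode messages are arriving but the exchange is not completing, which is the pattern the reply above suggests checking for an access-list or routing problem between the peers.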