11-09-2016 02:17 AM - edited 03-05-2019 07:26 AM
Hi,
I have this situation: my company has multiple sites: 1 HO and 5 branch offices.
Each site has 1 Cisco ASA: HO (ASA 5515), the others use 5515, 5505.
The HO connects to the other sites by site-to-site VPN.
Recently, the VPN went down suddenly; it comes up when I reload the ASA at HO.
Has anyone faced this issue, and how do I fix it?
11-09-2016 04:26 AM
Hello,
When the VPN goes down, do you see anything in the logs? The first thing to check is whether the problem is software-related (possible bugs) or ISP-related. What versions are you running on the ASAs?
When you reload the firewall, you also clear the ipsec peer. Next time you experience the problem, try to issue the command 'clear ipsec sa peer' and see if the VPN comes up again.
And last but not least, can you post the configurations of both ASAs?
11-09-2016 05:22 PM
Hello,
When the VPN goes down, I saw logs like this:
Duplicate Phase 1 packet detected. Retransmitting last packet.
and
Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Next time I'll try the command "clear ipsec sa peer", but is this the permanent solution?
Because it happens frequently (after 6 days or more, it happened again), I guess something is full (memory, some table ...), so is there any way to clear it automatically?
11-10-2016 01:05 AM
Hello,
The duplicate message packet indicates a connectivity or network issue, or some problem with the preshared keys.
Can you post the configs of the HO ASA and one of the 'problem' branch ASAs?
11-10-2016 02:39 AM
Hello,
At that time the internet connection was working fine at both sites.
And the preshared keys are the same at both sites.
I will collect the configuration later, but can you guess some root cause?