Cisco ASA VPN site to site down suddently , go up by reload asa only

luonggiaduy · ‎11-09-2016

Hi,

I have this situation : my company has multi site : 1 HO and 5 branch office.

each site has 1 Cisco ASA : HO ( ASA 5515 ) , other use 5515 , 5505 .

and HO connect to others site by VPN site to site .

recently , VPN down suddently , it go up when i reload the asa at HO.

do anyone face this issue and how to fix it ?

Georg Pauwen · ‎11-09-2016

Hello,

when the VPN goes down, do you see anything in the logs ? The first thing to check is if the problem is either software-related (possible bugs) or ISP related. What versions are you running on the ASAs ?

When you reload the firewall, you also clear the ipsec peer. Next time you experience the problem, try to issue the command 'clear ipsec sa peer' and see if the VPN comes up again.

And last but not least, can you post the configurations of both ASAs ?

luonggiaduy · ‎11-09-2016

Hello,

when the VPN goes down , i saw this log like this :

Duplicate Phase 1 packet detected. Retransmitting last packet.

and

Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Next time i'll try the command " clear ipsec sa peer " , but is this the permanent solution ? .

because it happen frequently ( after 6days or more , it happened again ) , i guest somethings full ( memory , some table ..... ) , so is there any way to clear automatically ?

Georg Pauwen · ‎11-10-2016

Hello,

the duplicate message packet indicates a connectivity or network issue, or some problem with the preshared keys.

Can you post the configs of the HO ASA and one of the 'problem' branch ASAs ?

luonggiaduy · ‎11-10-2016

Hello,

at that time the internet connection is working fine for both site .

and the preshare keys is the same at both site .

i will collect the configuration later , but can you guest some root cause ?