Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Another L2L issue with ASA

Looking through similar posts, I have not found a solution for this particular problem:

I have a remote location with 857 and (C850-ADVSECURITYK9-M), Version 12.4(6)T5 and a CO location with 5520 and Software Version 7.1(2) connected through the Internet by IPSec tunnels.

ACLs that define interesting traffic on both sides include 3 subnets that should be accessible behind ASA's inside interface: 172.16.0.0/16 192.168.105.0/24 and 192.168.3.0/24

The configs are included in attachments. The whole thing works, network behind the remote 857 sees the 3 subnets in CO and vice versa, until at some point ASA decides that it does not like one of the defined subnets and starts tearing down connections between it and the remote network. For example, today it decided it no longer likes connections between 192.168.223.0 (remote) and 192.168.105.0 (behind inside interface) networks, while the connections to 172.16.0.0 and 192.168.3.0 keep working fine. That's after a year of normal operation.

We've had such an issue at several remote locations already and it comes down to no matter what you do - kill SAs, remove and rebuild crypto maps, reload the remote end.. nothing helps until you reload the ASA. You reload the ASA and whoom! it works again. All networks defined are allowed to pass.

Since the communication is business critical, I would very much like to solve the problem without having to reload the central ASA every time it suddenly decides to stop passing traffic between one of the 3 critical subnets and a remote network.

I'd like to note that, overall, the configs work fine. At times when the ASA starts dropping networks, no new access-lists or configurations are added to it.

2 REPLIES
New Member

Re: Another L2L issue with ASA

Is the ASA device part of a failover pair?

The only reason I ask is because I had a lot of strange problems happen after my primary active ASA had failed over to the secondary standby. I didn't notice and for a while it was the secondary one that was running as active. I had a lot of strange problems with VPNs and once I had reverted the devices back to the correct setup they went away.

Thanks

New Member

Re: Another L2L issue with ASA

No, it is not...

Thank you for replying

121
Views
0
Helpful
2
Replies
CreatePlease to create content