Looking through similar posts, I have not found a solution for this particular problem:
I have a remote location with an 857 (C850-ADVSECURITYK9-M, Version 12.4(6)T5) and a CO location with a 5520 (Software Version 7.1(2)), connected through the Internet by IPsec tunnels.
The ACLs that define interesting traffic on both sides include 3 subnets that should be accessible behind the ASA's inside interface: 172.16.0.0/16, 192.168.105.0/24 and 192.168.3.0/24.
The configs are included as attachments. The whole thing works, the network behind the remote 857 sees the 3 subnets in the CO and vice versa, until at some point the ASA decides that it does not like one of the defined subnets and starts tearing down connections between it and the remote network. For example, today it decided it no longer likes connections between the 192.168.223.0 (remote) and 192.168.105.0 (behind the inside interface) networks, while the connections to 172.16.0.0 and 192.168.3.0 keep working fine. That's after a year of normal operation.
We've had such an issue at several remote locations already, and it comes down to this: no matter what you do (kill SAs, remove and rebuild crypto maps, reload the remote end), nothing helps until you reload the ASA. You reload the ASA and whoom! It works again. All defined networks are allowed to pass.
Since the communication is business critical, I would very much like to solve the problem without having to reload the central ASA every time it suddenly decides to stop passing traffic between one of the 3 critical subnets and a remote network.
I'd like to note that, overall, the configs work fine. At the times when the ASA starts dropping networks, no new access lists or configuration changes have been added to it.
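A check worth running before reloading the ASA is to look at each IPsec SA individually: with three subnets in the crypto ACL there is one SA per proxy-identity pair, so "one subnet stopped working" should show up as either a missing SA for that pair or an SA whose counters only move in one direction. The script below is an added example written for this page, not code from the original post or from Cisco. It parses a constructed `show crypto ipsec sa` snapshot (the output layout is the ASA's; the peer address 198.51.100.20, outside address 203.0.113.10 and all packet counts are made up for the sample) and classifies each expected pair. Because the counters are cumulative for the life of the SA, it also accepts an earlier parse as a baseline so you can classify on the delta between two runs rather than on totals that may have accumulated before the pair stopped passing traffic.

```python
"""Per-proxy-identity health check for Cisco ASA IPsec SAs.

Added example for this page (not from the original post). The sample
output below is constructed to match the poster's addressing: three CO
subnets and one remote subnet (192.168.223.0/24). Peer and outside
addresses are from documentation ranges and are assumptions.
"""
import re
from ipaddress import ip_network

SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.223.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.223.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 48211, #pkts encrypt: 48211, #pkts digest: 48211
      #pkts decaps: 51033, #pkts decrypt: 51033, #pkts verify: 51033
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 192.168.105.0 255.255.255.0 192.168.223.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.223.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 917, #pkts decrypt: 917, #pkts verify: 917
      #send errors: 0, #recv errors: 0
"""

# The three pairs the crypto ACL on the CO side is expected to negotiate.
EXPECTED_PAIRS = [
    ("172.16.0.0/16", "192.168.223.0/24"),
    ("192.168.105.0/24", "192.168.223.0/24"),
    ("192.168.3.0/24", "192.168.223.0/24"),
]

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def _net(addr, mask):
    """Normalise 'addr/netmask' to CIDR so pairs compare by value."""
    return str(ip_network(f"{addr}/{mask}", strict=False))


def parse_ipsec_sa(text):
    """Return one dict per SA: local/remote proxy identity, peer, counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:  # 'local ident' opens a new SA block
            cur = {"local": _net(*m.groups()), "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if (m := REMOTE_RE.search(line)):
            cur["remote"] = _net(*m.groups())
        elif (m := PEER_RE.search(line)):
            cur["peer"] = m.group(1)
        elif (m := ENCAPS_RE.search(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := DECAPS_RE.search(line)):
            cur["decaps"] = int(m.group(1))
    return sas


def diagnose(expected_pairs, snapshot, baseline=None):
    """Classify each expected pair as ok / rx-only / tx-only / idle / no-sa.

    With a baseline the verdict is based on counter deltas; a delta that
    goes negative means the SA was rekeyed (counters reset), so the new
    absolute count is used for that pair.
    """
    key = lambda sa: (sa["local"], sa["remote"])
    now = {key(sa): sa for sa in snapshot}
    then = {key(sa): sa for sa in (baseline or [])}
    verdict = {}
    for local, remote in expected_pairs:
        k = (str(ip_network(local)), str(ip_network(remote)))
        sa = now.get(k)
        if sa is None:
            verdict[k] = "no-sa"        # pair never negotiated a phase 2 SA
            continue
        base = then.get(k, {"encaps": 0, "decaps": 0})
        tx = sa["encaps"] - base["encaps"]
        rx = sa["decaps"] - base["decaps"]
        tx = sa["encaps"] if tx < 0 else tx
        rx = sa["decaps"] if rx < 0 else rx
        if tx > 0 and rx > 0:
            verdict[k] = "ok"
        elif rx > 0:
            verdict[k] = "rx-only"      # ASA decrypts but never encrypts back
        elif tx > 0:
            verdict[k] = "tx-only"      # ASA sends but nothing comes back
        else:
            verdict[k] = "idle"
    return verdict


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    for pair, status in diagnose(EXPECTED_PAIRS, sas).items():
        print(f"{pair[0]:>18} <-> {pair[1]:<18} {status}")
```

On the constructed sample this reports the 172.16.0.0/16 pair as ok, the 192.168.105.0/24 pair as rx-only (the ASA is decrypting packets from the remote but its encaps counter never moves, which points at the ASA's own forwarding or crypto decision rather than at the 857), and the 192.168.3.0/24 pair as no-sa (nothing was ever negotiated for it). Those are two different problems and distinguishing them is what decides whether to look at phase 2 negotiation or at what the ASA does with the cleartext return traffic.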
The only reason I ask is that I had a lot of strange problems after my primary active ASA had failed over to the secondary standby. I didn't notice, and for a while it was the secondary one that was running as active. I had a lot of strange problems with VPNs, and once I had reverted the devices back to the correct setup they went away.