I have a Cisco ASA 5520 at the head office and third-party devices at branch offices. VPNs are configured such that traffic is only defined at the branch office end; at the ASA crypto map, traffic is defined as any to any. This is to avoid creating configs over and over again on the ASA side when adding new sites, so that it can reuse existing policies and crypto maps.
But I have noticed that for some VPNs users are unable to ping a server in a specific range, say 192.X.X.X. If I restart the tunnel or the device at the branch office, it is accessible again.
Is there anything that is idle-timing out, or any config I need to change?
If I am not clear: the VPN at the branch site has, let's say, a few subnets defined:
While the others keep on working, 192 or 172 or any one of them goes missing while the others are still there. So it drops only a subnet, not the whole network. I think it is dropping the rarely used ones. When I log on from ASDM and monitor the VPN, it doesn't show all the subnets. The ASA drops the VPN to those subnets.
Unfortunately you can't have "permit ip any any" as the crypto ACL for all peers/tunnels, as the unique crypto ACL defines which peer/tunnel the encrypted traffic should be sent to. Hence you can't have overlapping subnets for each VPN peer. Native IPsec VPN is not routing-based, unfortunately; that's why you need to define the exact subnets to identify which tunnel/peer to encrypt the traffic for and send it to, as the IPsec SA is created based on that.
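As an added illustration (not posted by anyone in this thread), this is the ASA-side shape the answer above describes: one crypto ACL per peer, each listing only that branch's subnets, next to the shared any/any entry the question describes. Peer addresses, subnets, ACL names and the transform-set name are made-up values; the syntax is the ASA 8.4+ form with the `ikev1` keyword (older releases use `crypto isakmp` and `set transform-set` instead).

```text
! --- Common IKEv1/IPsec settings (assumed values) ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- What the question describes: one any/any ACL reused for every peer ---
! Crypto map entries are evaluated in sequence order, first match wins, so
! with the same ACL on several entries only the lowest sequence number can
! ever be selected and the other peers' traffic is steered to that tunnel.
access-list VPN-ANY extended permit ip any any
crypto map OUTSIDE_MAP 10 match address VPN-ANY
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 match address VPN-ANY
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20

! --- Per-peer crypto ACLs (assumed head-office LAN 10.0.0.0/16) ---
! Branch 1: peer 203.0.113.10, LAN 192.168.10.0/24
access-list VPN-BRANCH1 extended permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-BRANCH1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <branch1-psk>

! Branch 2: peer 198.51.100.20, LAN 172.16.20.0/24
access-list VPN-BRANCH2 extended permit ip 10.0.0.0 255.255.0.0 172.16.20.0 255.255.255.0
crypto map OUTSIDE_MAP 20 match address VPN-BRANCH2
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <branch2-psk>

crypto map OUTSIDE_MAP interface outside
```

With this layout, adding a branch is one new ACL, one new crypto map sequence number and one tunnel-group; existing entries are not touched. Each local/remote subnet pair in a crypto ACL gets its own IPsec SA, so when a single subnet stops working, `show crypto ipsec sa peer 203.0.113.10` is the place to look: it lists every local/remote identity pair that currently has an SA with that peer, together with its lifetime and byte counters, and a subnet missing from that list is one for which no SA is currently established.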
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which does get hits, to permit tcp from the inside interface to any6.
In Syslog I also se...