asa# clear ipsec sa peer x.x.x.x - required after outage

We have more than one Cisco ASA 5500 series firewall appliance that exhibits this same unstable behavior. This leads me to believe that there is a configuration problem somewhere. After an internet outage occurs, the Cisco ASA requires certain site-to-site VPN tunnels to be reset by clearing the security association. After the following is entered, everything starts working fine again.

asa# clear ipsec sa peer <remote peer ip>

Can anyone recommend a solution or direction?

Thanks,

Jay
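One way to spot the condition described above before clearing SAs by hand is to look for peers the ASA is still encrypting to but never receiving from. The following is an added example, not code from the original post: it parses `show crypto ipsec sa` output for per-peer encaps/decaps counters and flags one-way SAs. The sample output is constructed and its layout is approximated from typical ASA output, not captured from these firewalls; the threshold value is an assumption.

```python
import re

# Constructed sample of `show crypto ipsec sa` output (layout approximated from
# typical ASA output; not captured from the poster's firewalls).
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      current_peer: 198.51.100.2

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      current_peer: 198.51.100.3

      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 864, #pkts decrypt: 864, #pkts verify: 864
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer: (encaps, decaps)} for each current_peer block."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters[peer] = [0, 0]
            continue
        if peer is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer][0] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer][1] = int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def stale_peers(text, min_encaps=100):
    """Peers we encrypt to but never hear back from: the one-way symptom
    the poster resolves with `clear ipsec sa peer`. min_encaps is an
    assumed threshold to ignore tunnels that simply carry no traffic."""
    return sorted(p for p, (enc, dec) in parse_sa_counters(text).items()
                  if enc >= min_encaps and dec == 0)


if __name__ == "__main__":
    for peer in stale_peers(SAMPLE):
        print(f"possible stale SA: consider `clear ipsec sa peer {peer}`")
```

A zero decaps counter can also mean the remote side has nothing to send, so treat a hit as a prompt to check the peer, not as proof the SA is broken.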

3 REPLIES

asa# clear ipsec sa peer x.x.x.x - required after outage

securityappliance(config)# tunnel-group 10.165.205.222 ipsec-attributes
securityappliance(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10

Configure it this way and see if it makes any difference.

Thanks

Ajay


Re: asa# clear ipsec sa peer x.x.x.x - required after outage

Before I can make a change to the production environment, I must justify the decision. For a site-to-site VPN, can you explain to me the logic of increasing the threshold and retry? How should this help the SA reestablish after a failure?

From the Cisco Documentation:

The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.

For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.


asa# clear ipsec sa peer x.x.x.x - required after outage

Not sure if you've already got an answer, but if one of the IPSEC peers drops unexpectedly due to a crash, etc., the other peer must be rebooted in order to form a new SA, unless you let the IPSEC timer expire and form a new SA eventually.
