Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA-ISR VPN Tunnel up not traffic

Hi,

I have this strange issue:

ASA 5510 (8.31) at central site

Cisco 800 ISR at 2 branch locations (let call them site A and B)

One location has no VPN problems (site A), the other (site B) gets the tunnel up after both sites initiate traffic (e.g. ping). If  no traffic travels through the tunnel and the VPN times out, the connection is dropped. If I ping from the central site Phase 1 and 2 are both ok. TX counters increase but no reply from the other side. The only difference is that the router at site A is behind a NAT-device and site B is connected directly to the internet.

The ASA is a replacement for an Astaro Firewall which had no problems withe the s2s VPN to both sites. I'm a bit puzzled at the moment because I've been through all the settings and everything seems ok. The tunnel works but only after a manual action at both sites.

I will add configs later but I doubt there's something in it which is missing.

Thanks in advance if you have any thoughts on this.

Regards,

Marcel.

P.S. the ASA hasn't had a reboot since it was brought up and running, maybe........

3 REPLIES
Bronze

Re: ASA-ISR VPN Tunnel up not traffic

Hi,

You could try using ISAKMP keep alives not keep the tunnel up all the time.

Information about configuring keepalives is provided in the hyperlink below,

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution07

Cheers,

Nash.

New Member

Re: ASA-ISR VPN Tunnel up not traffic

Thx for the reply.

One question; are keepalives by default disabled or enabled on an ISR ? In the current config they are not configured on the ISR.

On the ASA they are still enabled but before I start changing too much maybe you could give me some info on this.

TIA

New Member

Re: ASA-ISR VPN Tunnel up not traffic

The ISR didn't have Keepalive configurred so I added them there. Now the stange thing is. If I disconnect the tunnel and it is immediately up again and without any manual intervention at both sides packets flow through the tunnel (that was yesterday). Today. The old situation again...... :-( At the ASA tx is counting upwards, rx is still at zero.

I have attached 3 logs from the ASA

AAA.AAA.AAA.AAA is the remote site

BBB.BBB.BBB.BBB is the ASA

XXX.XXX.XXX.XXX is the other remote site

I'm out of options

In Short:

1 ASA

2 routers

1 failing VPN, 1 working

PHASE 1/2 no problem

Tunnel up

Tx : yes, Rx : No

Situation was working with old Firewall (Astaro)

599
Views
0
Helpful
3
Replies