Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

ASA L2L vpn ipsec sa timeout issue

We have a l2l vpn tunnel set up between two 5510s that are both running 7.2.4 code. Each side has two subnets (one for data and the other for voice) The tunnel is set up to allow all subnets to talk to each other. Periodically (every 45 min to 1 hour) two of the ipsec sa's drop out from the ASA at site A but do not drop out of the ASA at site B.

For example:

Data subnet at site A is /24 and voice subnet at site A is /24.

Data subnet at site B is /24 and voice subnet at site B is /24

When the ipsec sa's drop out the can still send traffic to and vice versa. can still send traffic to and vice versa.

However traffic ceases between and traffic also ceases between and

This wouldn't be an issue except the unity server sits on the data subnet at site A and whenever this occurs phones at site B cannot reach voicemail. No matter how many times the phones at site B call voicemail the ipsec sa doesn't reform to allow the traffic. However if we issue a ping from a device on the Site A data network to the voice network at site B the ipsec sa reforms on the site A ASA and then the phones at site B can call voicemail.

Currently we have a continuous ping set up from a pc on the data vlan at site A to the voice gateway on the voice subnet at site B. This appears to keep the tunnel up between the two subnets permanently as there is always interesting traffic.

does anyone have an idea on why this occurs or if not what we can do to keep the ipsec sa's from dropping out without a continuous ping running?



Re: ASA L2L vpn ipsec sa timeout issue


What are SA lifeteime set for Phase1 and Phase2? By default Phase 1 SA is 86400 seconds and Phase 2 SA is 3600 seconds.

Phase 2 SA are built inside Phase1 SA so Phase1 SA Lifetime should be greater than Phase 1 SA lifetime.

Is Phase2 SA lifetime < Phase1 SA lifetime ?

New Member

Re: ASA L2L vpn ipsec sa timeout issue

The lifetimes for both phase 1 and phase 2 are the defaults on both ASAs, so phase 1 lifetime is 86400 and phase 2 is 3600.

CreatePlease to create content