Cisco Support Community
New Member

ASA VPN interruption

On a site-to-site VPN we have interruptions every 1-3 hours lasting for 5-10 seconds.

All applications connecting through this tunnel have to restart.

There are two Riverbeds in the VPN path, the MTU size is 1380, and the TCP options have been set in the global policy.

How can I debug the IPsec connections to find the reason?

Greetings

Peter

2 REPLIES
Bronze

Re: ASA VPN interruption

Please confirm that the Interesting traffic is exactly mirrored on both End Points!

show crypto isakmp sa

show crypto ipsec sa

debug crypto engine

debug crypto isakmp

debug crypto ipsec

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#pix_dbgs

New Member

Re: ASA VPN interruption

Hello Peter,

The following command will allow you to view debug messages on the ASA for IPsec traffic:

debug crypto ipsec

The debug level would be of your choosing. The higher the debug level, the more information you will see. You can also debug ISAKMP as well.

debug crypto isa

However, if you wish to debug this issue as it happens, you would have to wait until it occurs while you're debugging on the firewall. I don't think it would be ideal to simply wait until it occurs.

If you want, you could also enable logging to flash on the ASA for the vpn traffic which may provide some information as to why the tunnel went down.

Commands:

logging enable

logging buffer-size OPTIONAL

logging class vpn buffered informational

Has this issue recently appeared or has it been ongoing? Have you changed the time until the phase 1 and phase 2 SAs rekey? Do you know what the remote VPN rekey value is set to? The IPsec tunnel will agree upon the lowest values for re-negotiation on the security associations. What is the remote device your ASA is terminating the VPN tunnel to?

Hope this info helps!
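An added example, not part of the original posts: one way to check the buffered VPN log against the rekey question raised above, by finding periods with no live IPsec SA and testing whether the SA died at the lowest of the two peers' lifetimes. The log lines are constructed, the script assumes `logging timestamp` is enabled and keys on syslog IDs 602303/602304 (IPsec SA created/deleted), and the function names and lifetime values are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample of buffered ASA log lines (made up for this example,
# documentation addresses); assumes "logging timestamp" is enabled.
SAMPLE = """\
Dec 10 2017 08:00:02: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAAAA0001) between 192.0.2.1 and 198.51.100.1 has been created.
Dec 10 2017 09:00:01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAAAA0001) between 192.0.2.1 and 198.51.100.1 has been deleted.
Dec 10 2017 09:00:08: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAAAA0002) between 192.0.2.1 and 198.51.100.1 has been created.
Dec 10 2017 09:59:30: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAAAA0003) between 192.0.2.1 and 198.51.100.1 has been created.
Dec 10 2017 09:59:31: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAAAA0002) between 192.0.2.1 and 198.51.100.1 has been deleted.
Dec 10 2017 10:59:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAAAA0003) between 192.0.2.1 and 198.51.100.1 has been deleted.
Dec 10 2017 10:59:35: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAAAA0004) between 192.0.2.1 and 198.51.100.1 has been created.
"""

LINE = re.compile(r"^(\w{3} +\d+ \d{4} [\d:]{8}): %ASA-\d-(60230[34]):.*SPI=\s*(0x[0-9A-Fa-f]+)")

def outages(text):
    """Return [deleted_at, seconds_without_any_SA, age_of_last_SA] per gap."""
    live, gaps = {}, []          # live: SPI -> time the SA was created
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg, spi = m.group(2), m.group(3)
        if msg == "602303":                      # SA created
            if not live and gaps and gaps[-1][1] is None:
                gaps[-1][1] = (ts - gaps[-1][0]).total_seconds()
            live[spi] = ts
        else:                                    # 602304: SA deleted
            born = live.pop(spi, None)
            # A rekey that creates the new SA first never empties `live`.
            if not live and (not gaps or gaps[-1][1] is not None):
                age = (ts - born).total_seconds() if born else None
                gaps.append([ts, None, age])
    return gaps

def rekey_aligned(gaps, local_lifetime, remote_lifetime, tolerance=60):
    """Flag gaps where the SA died at the negotiated (lowest) lifetime."""
    effective = min(local_lifetime, remote_lifetime)
    return [age is not None and abs(age - effective) <= tolerance
            for _, _, age in gaps]

if __name__ == "__main__":
    found = outages(SAMPLE)
    print(found, rekey_aligned(found, 28800, 3600))  # lifetimes are assumed values
```

Gaps that line up with the lower lifetime point at the rekey settings; gaps at irregular SA ages point elsewhere (path devices, DPD, peer resets) and call for the ISAKMP debug output.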
