Cisco ASA5520 IPSec site-to-site VPN: Black Hole ?

renaudbriois
Level 1

Hello,


I have a VPN between two Cisco ASA 5520s; this VPN encrypts several subnets.
Everything worked fine, but for a couple of days it seems the firewall doesn't want to encrypt anymore for one of these subnets
(no configuration changes were made beforehand).

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 528, #pkts decrypt: 528, #pkts verify: 528

I can successfully receive traffic from the other side, but my packets are not sent anymore.
I checked on the internet and saw that it could be an IPsec "black hole"; the workaround is a reboot of the appliance. I tried to reboot and my VPN was running again, with traffic in both directions.

Two days later, it doesn't work anymore, still for the same VPN phase 2. This is the only VPN that has the issue (I have 6 other VPNs that work fine).

I think I should upgrade my ASA OS (currently 8.2.2). Do you think 8.2.3 will solve that issue?

Regards.
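An added monitoring check (not from this thread or from Cisco) that parses "show crypto ipsec sa" counters and flags SAs in the one-way state described above: decaps growing while encaps stays at 0. The output excerpt, addresses and peer are constructed for the example.

```python
import re

# Constructed excerpt in the shape of "show crypto ipsec sa" output (not from the post);
# the second SA carries the exact counters quoted in the question.
SAMPLE_OUTPUT = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest: 4120
      #pkts decaps: 3988, #pkts decrypt: 3988, #pkts verify: 3988

      local ident (addr/mask/prot/port): (10.1.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 528, #pkts decrypt: 528, #pkts verify: 528
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident \S+: \((\S+?)/(\S+?)/")
PEER_RE = re.compile(r"^\s*current_peer: (\S+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """Return one record per SA: traffic selectors, peer and the encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":   # a "local ident" line opens a new SA block
                cur = {"local": "", "remote": "", "peer": "", "encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = PEER_RE.match(line)
        if m and cur is not None:
            cur["peer"] = m.group(1)
            continue
        for name, count in PKTS_RE.findall(line):
            if cur is not None:
                cur[name] = int(count)
    return sas

def find_black_holes(sas, min_decaps=1):
    """SAs that decrypt inbound traffic yet have encrypted nothing: the one-way symptom above."""
    return [sa for sa in sas if sa["decaps"] >= min_decaps and sa["encaps"] == 0]
```

A zero encaps counter is only suspicious when the remote side is clearly sending (decaps keeps rising), so run this against periodic snapshots rather than a single capture.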

1 Reply

Jitendriya Athavale
Cisco Employee

Yes, it is a known issue. Sometimes what happens is the SPIs are not deleted, or sometimes they are prematurely deleted; I think in your code it is the premature deletion. Usually what happens in this bug is that one subnet stops encrypting and a reboot fixes the problem, but unfortunately your ASA is experiencing this behaviour quite often.

You can upgrade to 8.2.3 and this should resolve the issue, but I would suggest you open a TAC case and ask TAC to publish 8.2.2.21, which is the latest in the 8.2.2 range; it is pretty good. 8.2.3 is fairly new and you could be exposed to a lot of other bugs.

My suggestion would be 8.2.2.21, but 8.2.3 should solve this issue if you are hitting the bug that I am thinking of.