Cisco ASA5520 IPSec site-to-site VPN: Black Hole ?
I have a VPN between two Cisco ASA 5520; this VPN encrypts several subnets. Everything worked fine, but for a couple of days it seems the firewall doesn't want to encrypt anymore for one of these subnets (no configuration changes were made beforehand).
I can successfully receive traffic from the other side, but my packets are not sent anymore. I checked on the internet and saw that it could be an IPSec "black hole"; the workaround is a reboot of the appliance... I tried to reboot and my VPN was running again, with traffic in both directions...
Two days later, it doesn't work anymore, still for the same VPN phase 2... This is the only VPN that has the issue (I have 6 other VPNs that work fine).
I think I should upgrade my ASA OS (currently 8.2.2). Do you think 8.2.3 will solve that issue?
Re: Cisco ASA5520 IPSec site-to-site VPN: Black Hole ?
Yes, it is a known issue. Sometimes what happens is the SPIs are not deleted, or sometimes they are prematurely deleted; I think in your code it is the prematurely deleted case. Usually what happens in this bug is that one subnet stops encrypting and a reboot fixes the problem. But unfortunately your ASA is experiencing this behaviour quite often.
You can upgrade to 8.2.3 and this should resolve the issue, but I would suggest you open a TAC case and ask TAC to publish 8.2.2.21, which is the latest in the 8.2.2 range; it is pretty good. 8.2.3 is fairly new and you could be exposed to a lot of other bugs.
My suggestion would be 8.2.2.21, but 8.2.3 should solve this issue if you are hitting the bug that I am thinking of.
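As an added example (not part of either post above), this is how the one-way "black hole" described in the thread can be confirmed and cleared on the ASA without a full reboot. It assumes placeholder values: local subnet 10.1.0.0/16, remote subnet 10.2.0.0/16, remote peer 198.51.100.1; the command output is constructed to illustrate the symptom, not copied from a real device.

```console
! 1. Inspect the phase-2 SAs for the affected peer. A healthy SA shows
!    both counters climbing; the stuck subnet shows decaps rising while
!    encaps stays at 0 (traffic received, nothing sent), exactly the
!    symptom described in the question.
ciscoasa# show crypto ipsec sa peer 198.51.100.1
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4821, #pkts decrypt: 4821, #pkts verify: 4821

! 2. Confirm the ASA still believes the tunnel applies to this flow
!    (placeholder hosts on each side). The trace should end in the
!    VPN phase with the crypto map matched; if it does, the crypto map
!    and ACLs are fine and the problem is the SA itself.
ciscoasa# packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10

! 3. Tear down only this peer's phase-2 SAs and let them renegotiate.
!    This replaces the reboot as a workaround; phase 1 and the other
!    six tunnels are left untouched.
ciscoasa# clear crypto ipsec sa peer 198.51.100.1

! 4. Re-check after a few seconds of traffic: encaps should now climb
!    alongside decaps. If the counters go one-way again within days,
!    the thread's advice (TAC case, move off the affected release)
!    applies rather than repeating the clear.
ciscoasa# show crypto ipsec sa peer 198.51.100.1
```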