Do you have keepalives enabled on both sides? Since the IP address of the "peer" changes (ADSL that NATs), the VPN server should not be able to reach the old IP with DPD, hence causing the tunnel to renegotiate. On the VPN client this might not apply, though, but the headquarters renegotiating should make the client do that too.
Thank you very much for the reply! Yes, keepalives are enabled on the HQ ASA for the correct tunnel group (default 300 sec for EasyVPN). I suppose the branch ASA will inherit this setting because of EasyVPN? I have also tried changing it to a lower value (e.g. 10 sec as in L2L), but it didn't make a difference, even if no traffic at all is attempting to pass through the tunnel, in which case keepalives should definitely be sent.
Is this a known issue if the ASA is behind an ADSL router with NAT? If not, I will try to set up the lab again with a clean configuration and do some more in-depth troubleshooting.
I have this scenario with the ASA 5510 behind the ADSL router in HO, which does the static NAT. The clients using VPN clients can establish the VPN, but the problem is with the branch ADSL router 877. I have configured it to use the EzVPN remote feature to connect to the ASA, but it fails. Any idea on this?