Cisco Support Community

IPSec VPN between ASA 5520 and an 861 - strange intermittent failure

We have about 20 861 routers connected to an ASA 5520 via IPsec site-to-site.  Generally speaking, all of these tunnels are working without issue and have been for several months.  The exception to this is that we have 3 locations giving us intermittent issues. 

Basically we tunnel a single static public IP (assigned to the 861--connected to the ISP) to the ASA.  Behind the 861 is a single privately addressed host (host A).  This host behind the 861 receives data from one of two privately addressed hosts behind the ASA (hosts B and C) at random intervals.  The hosts behind the ASA are on different but locally attached networks (e.g. 192.168.0 and 192.168.1).  Both hosts behind the ASA are the traffic initiators.  Host A never initiates--only receives.

Hosts B and C both NAT behind a public IP on the ASA when initiating to host A.  Host A is also NAT'd to the public IP on the 861.  We're essentially using just public IP space within these tunnels.

Without warning, suddenly host B is unable to contact host A.  The ASA simply logs a timeout.  As this is happening, host C is having no issue at all contacting host A.  This goes on until one of two things happens (from what I can tell): 1) we bounce the tunnel, or 2) we see the message "Responder forcing change of IPSec rekeying from 28800 to 3600 seconds".  In either case host B can once again contact host A.

The other 17 locations have never experienced the issue.  It is just these 3 sites giving us a problem.  The configuration is identical for all of these tunnels.  We did just change the SA lifetime to match on both ends, but will not know if that has any impact until tomorrow.  The other sites are working just fine without us adjusting the SA lifetime.

Any ideas as to what might be going on?
