We have 100+ IPSEC VPN tunnels configured out to remote locations. This is a new project - about six months old - and from the start, these tunnels would inexplicably drop. Many times they would just restore themselves - sometimes in a few minutes, other times in a few days. We have had several cases where the tunnel drops, the internet still shows up after logging on to the provider's modem, but the only way to get them back up is to replace the provider's modem. Configuration and modem type are exactly the same. Nothing appears to change on their end after the swap, but our tunnels immediately come up with the new "identical" modem. In all these cases, we have been able to log in to the provider modem and confirm the internet connection shows up (and we can ping it from the public network). I.e. from the telco's perspective, there is nothing wrong and it is working.
We get the following errors on the state of the connection while the tunnels are down (internet connection still good):
Branch-side ASA 5505 error on the tunnel: AM_TM_INIT_XAUTH_V6C
Core-side ASA 5510 error on the specific tunnel: AM_TM_INIT_MODECFG_V6H
Some research has turned up some information about possible fragmentation issues caused by telco making changes to their network. All of these problematic sites are over CenturyLink DSL. We have cable sites that have experienced no problems, so it does seem to point at CenturyLink. However, I've been around and around with them and can hopefully get more specific information here as to the cause and even more hopefully a resolution.
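One way to see at a glance which of the 100+ tunnels are sitting in the two states quoted above, as an added example and not code from the original thread: a small Python parser over `show crypto isakmp sa` output that flags every IKE SA not in an established state. The output layout and the sample peers are assumed/constructed, not captured from the poster's ASAs.

```python
import re
from typing import Dict, List

# Constructed sample of "show crypto isakmp sa" output in the ASA 8.x layout
# (assumed format; not taken from the poster's devices).
SAMPLE_OUTPUT = """\
   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6C
2   IKE Peer: 203.0.113.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 203.0.113.30
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_TM_INIT_MODECFG_V6H
"""

# Steady states for an established IKEv1 SA (main mode / aggressive mode).
HEALTHY_STATES = {"MM_ACTIVE", "AM_ACTIVE"}

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Turn each per-peer block into a dict: peer, type, role, rekey, state."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {"peer": m.group(1)}
            entries.append(current)
            continue
        if current is not None:
            for key, value in FIELD_RE.findall(line):
                current[key.lower()] = value
    return entries


def stuck_tunnels(text: str) -> List[Dict[str, str]]:
    """Return SAs whose state is not an established one (e.g. AM_TM_* stalls)."""
    return [e for e in parse_isakmp_sa(text) if e.get("state") not in HEALTHY_STATES]


if __name__ == "__main__":
    for e in stuck_tunnels(SAMPLE_OUTPUT):
        print(f"{e['peer']}: {e['state']} (role={e.get('role')})")
```

A negotiation passes through transitional states briefly during setup and rekey, so treat a peer as stuck only when it is still reported in the same non-established state on two polls a few minutes apart.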