Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Random loss of VPN Connectivity

Good morning,

I've configured a VPN between 2 offices using two ASA 5505 v. 7.2(4) via IPSec

The problem is that randomly the VPN connection drops. It can be working fine for hours and then fail, while the rest it is working fine (internet)

The solution comes by reloading the system which will always work and the connection is back again.

The IkE is using 3Des encription, pre-share authentication and 86400secs lifetime.

I don't really know what to check, or how to monitor it. I have been using the ASDM monitoring tools to check the Ipsec/IKE connections, but obviously cannot determine what is causing the problem or how to start troubleshooting it.

At this point, I am using a ping that continously pings a remote computer, and when it fails, I receive a mail.

Thank you for your help!


Hall of Fame Super Silver

Re: Random loss of VPN Connectivity


There are several things that might produce the symptoms of random loss of VPN connectivity. When I hear some talk about loss of VPN connectivity, one of the first things that I think about is that Security Associations (might be ISAKMP or might be IPSEC) have expired (this is a normal event) and not have been re-negotiated (this would be the not normal part of the problem). Can you check and verify whether the continuous ping traffic is part of what is permitted in the ACL that defines interesting traffic for the VPN? If the ping is interesting traffic then that should take care of re-negotiating the SAs and the problem is something else.

When the problem happens and before you reload can you check on a few things:

- can you verify that there is IP connectivity between the ASAs? Can you ping from one ASA to the peer address of the other ASA?

- can you check the logs of the ASA for any event happening recently that might impact the VPN?



Re: Random loss of VPN Connectivity

Hi Robert,

In addition to Richard's suggestion,

1. Make sure both sides can initiate the traffic to bring up the VPN tunnel.

2. If there is no IP connectivity problem when the issue happens, you might capture the following two show commands

show cry isa sa

show cry ipsec sa

3. The following two debugs is very helpful.

- debug cry isa

- debug cry ipsec

You can leave the above two debugs on and redirect the output to a syslog server like following.

- logging debug-trace
- logging message 711001 level 0
Then log at least at level 0 or higher to the syslog server

logging trap 0

logging host interface_name syslog_ip

The debug output should provide more info to find out what happens.


New Member

Re: Random loss of VPN Connectivity

Thanks a lot for all the recomendations.

It is working fine at the moment, will wait till crash to do the test.



New Member

Re: Random loss of VPN Connectivity

Good morning!

Sorry for the delay, I have been doing more tests, and seems that the problem was being caused by my static NAT rule. I deleted it and worked fine for 1 week. Now if I try to add the Static NAT rule get this message:

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

So I need to figure out how to manage my other VPN to work

Thank you guys for your help