
Site-to-Site Tunnel Drops Intermittently

I currently have seven site-to-site VPNs configured. With the exception of the 1 that I can control both sides of, they all drop intermittently.

To simplify this question I want to focus on one of these tunnels.

My side is an ASA5520.

The other side is a Checkpoint Device.

The tunnel will drop approx. once a day, though the time of day varies.

As a measure of network stability, one of the other tunnels has both endpoints using Cisco hardware, ASA5520 and a 2811 router. This tunnel has been up for several weeks.

I have confirmed to the best of my knowledge that the Phase 1 and Phase 2 timers both match.

Attached is a log snippet showing the rekey negotiations that always seem to precede the tunnel dropping.

Any thoughts would be appreciated.

I am attempting to capture additional debug data and will post when I do so.

UPDATE:

After running 'debug crypto isakmp 254' for several hours, I captured 3 Phase II rekeying events. None of them caused the tunnel to drop.

However, I did notice that they were occurring exactly 51 minutes apart even though the Phase II rekey duration timer is set to 60 minutes.

4 REPLIES

Re: Site-to-Site Tunnel Drops Intermittently

I noticed that in your logs it states peer does not support keepalives. Could you have the Checkpoint enable IKE keepalives or dead peer detection?

Wondering if that could help.

-Todd

Re: Site-to-Site Tunnel Drops Intermittently

Todd,

Thanks, I did notice that as well and disabled keepalives on my side. I am waiting to see if that makes a difference.

Re: Site-to-Site Tunnel Drops Intermittently

After a false start with determining how to disable keepalives.

It was not enough to remove the config line that enabled them.  I had to specifically disable them.

That may have solved the problem.  I am hesitant to jinx it by saying that was the answer just yet but the tunnel has now been up for over 24 hours which is a record.

Thanks again.
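
One way to make the explicit disable described in the post above, assuming ASA 7.x or later software where keepalives are set per tunnel-group. This is an added example, not the poster's actual configuration, and 203.0.113.10 is a placeholder for the Check Point peer address.

```cisco
! Constructed example: 203.0.113.10 is a placeholder peer address.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ! Removing the configured line only returns the setting to its default,
 ! and the default is keepalives enabled (threshold 10, retry 2):
 !   no isakmp keepalive
 ! Explicitly turn IKE keepalives off for this peer only:
 isakmp keepalive disable
!
! Verify from privileged EXEC mode; the tunnel-group should now list
! "isakmp keepalive disable" under ipsec-attributes.
show running-config tunnel-group 203.0.113.10
```

With keepalives disabled, the ASA no longer detects an unreachable peer on its own, so stale SAs for this tunnel persist until their lifetimes expire or they are cleared manually.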

Re: Site-to-Site Tunnel Drops Intermittently

Make these entries in the ASA 5505:

isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2

(should solve the problem)
