New Member

Site-to-site VPN intermittent disconnects

We are having connection issues between two sites. Each site houses an ASA5510 and is connected via a site-to-site tunnel. The tunnel seems to drop randomly throughout the day. Sometimes it takes only 3 hours, other times it takes several days. This issue interferes with our backup jobs since they tend to fail when the tunnel is dropped. On one of the ends, we noticed the following logs (there were a lot more but I felt these were most important):

 

2014-09-11 02:46:32 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

2014-09-11 02:46:32 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP =1.1.1.1, Session is being torn down. Reason: Lost Service

 

Any ideas/suggestions? If additional information is needed about our environment, please let me know.

7 REPLIES
New Member

Did you set the lifetime option in the crypto map instruction?

New Member

Yes, it has an SA lifetime of 3600 seconds on both ends.

New Member

Can you execute the show vpn-sessiondb detail l2l command on the ASA and verify the Idle Time Out, Rekey Int (T), and Rekey Int (D) parameters?

New Member

On both ASAs:

Rekey Int (T): 3600 seconds

Rekey Int (D): 102400000 K-Bytes

New Member

Can you insert the following instruction:

tunnel-group <name> ipsec-attributes
 isakmp keepalive disable
 

New Member

I was thinking of enabling this on the tunnel, however we have a primary and backup interface being monitored via SLA. If I were to disable the keepalive on the primary tunnel, would that fail to establish a new tunnel on the backup interface if the primary goes down?

New Member

Which ASA would I need to apply this on?  
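One way to check whether the drops line up with the 3600-second rekey interval reported in the thread, as an added example that is not part of any post: it parses syslog lines in the format quoted in the original post, collects the %ASA-3-713123 DPD events per peer, and reports the gap between consecutive drops. The function names, the 60-second tolerance, and the sample lines after the first two are assumptions made for the illustration.

```python
import re
from datetime import datetime

# First two lines are the ones quoted in the original post; the rest are
# constructed sample data in the same format (peer 1.1.1.1 as in the thread).
SAMPLE = """\
2014-09-11 02:46:32 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
2014-09-11 02:46:32 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP =1.1.1.1, Session is being torn down. Reason: Lost Service
2014-09-11 05:46:40 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP =1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
2014-09-12 14:03:05 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""

# "IP =1.1.1.1" appears without a space in the quoted log, so whitespace
# around "=" is treated as optional.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (?P<asa>\S+) "
    r"%ASA-\d-(?P<id>\d{6}): Group\s*=\s*(?P<group>[^,]+), "
    r"IP\s*=\s*(?P<peer>[^,]+), (?P<msg>.*)$"
)

def dpd_drops(text):
    """Return {peer: [datetime, ...]} for 713123 events whose keepalive type is DPD."""
    drops = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["id"] == "713123" and "DPD" in m["msg"]:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            drops.setdefault(m["peer"].strip(), []).append(ts)
    return drops

def gaps(times, lifetime=3600, tolerance=60):
    """Return [(gap_seconds, near_lifetime_multiple), ...] for consecutive drops.

    lifetime is the SA lifetime from the thread; tolerance is an assumed slack
    for the time the tunnel takes to come back up after a drop.
    """
    out = []
    times = sorted(times)
    for earlier, later in zip(times, times[1:]):
        gap = int((later - earlier).total_seconds())
        offset = min(gap % lifetime, lifetime - gap % lifetime)
        out.append((gap, gap >= lifetime - tolerance and offset <= tolerance))
    return out

if __name__ == "__main__":
    for peer, times in dpd_drops(SAMPLE).items():
        for gap, aligned in gaps(times):
            print(f"{peer}: {gap} s since previous drop, near rekey multiple: {aligned}")
```

Gaps that repeatedly fall near a multiple of the lifetime are worth comparing against the rekey timers on both ASAs; gaps with no pattern fit the random drops described in the original post.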
