Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
901
Views
0
Helpful
3
Replies

Site to Site VPN stops working after 6.45 hours.

administratorauravita
Level 1
Level 1

‎04-13-2012 03:26 AM

Hi

Hope someone will be able to assist me (a novice).

At present we are having a site to site VPN connection to a remote server location, uses : file transfer, sql replication etc. The current VPN is on a PIX 515 there is no problem with this.

Recently the management wanted to upgrade the fw to an ASA 5510. After configureing everthing seems to be working fine but after every 6.45 hours after the asa 5510 is connected the vpn connection drops, meaning there will be no replication, RPD when this happen I have to manually refresh the tunnel by navigating to (on asdm) :  Monitoring -->VPN-->Session-->Filter by IPsec site to site -->and click the log out button. I have maneged to track some logs when this happen please have a look at this and any comments are appreciated.

6|Feb 02 2012|10:13:34|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x834C4BBD) between 0.0.0.0 and 0.0.0.0 (user= 217.x.x.x) has been deleted.

6|Feb 02 2012|10:13:34|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x3030308E) between 217.x.x.x and 217.204.73.66 (user= 217.x.x.x) has been deleted.

5|Feb 02 2012|10:13:34|713120|||||Group = 217.6x.x.x, IP = 217.x.x.x, PHASE 2 COMPLETED (msgid=fb3ad227)

6|Feb 02 2012|10:13:34|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xBDADA056) between 217.204.73.66 and 217.x.x5.2x (user= 217.64.225.210) has been created.

5|Feb 02 2012|10:13:34|713049|||||Group = 217.x.x.x, IP = 217.x.x.2x, Security negotiation complete for LAN-to-LAN Group (217.x.2x.xx)  Initiator, Inbound SPI = 0xbdada056, Outbound SPI = 0x89fb9402

6|Feb 02 2012|10:13:34|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x89FB9402) between 217.x.x.x and 217.x.x.x (user= x.x.x.2x) has been created.

6|Feb 02 2012|10:13:34|106015|healthe08|21101|10.x.x.xx|1433|Deny TCP (no connection) from heal8/21101 to 10.x.x.x/1433 flags ACK  on interface inside

6|Feb 02 2012|10:13:34|302014|10.x.x.x|1433|healthe08|21101|Teardown TCP connection 82111 for outside:10.x.x.x/1433 to inside:healthe08/21101 duration 0:00:00 bytes 3755 <snp_drop_none>

-------------------------------------------------------------.

From another date

5|Mar 15 2012|08:20:44|713120|||||Group = 217.x.x.xx, IP = 217.x.x.x, PHASE 2 COMPLETED (msgid=d9264a3a)

5|Mar 15 2012|08:20:44|713049|||||Group = 217.x.x.2x, IP = 217.x.x.x, Security negotiation complete for LAN-to-LAN Group (217.x.x.x)  Initiator, Inbound SPI = 0xfd92d96d, Outbound SPI = 0xcf7c9cf3

Thanks you.

Labels:
0 Helpful
3 Replies 3

mvsheik123
Level 7
Level 7

‎04-13-2012 04:09 AM

Hello,

Unless you have any specific time-out settings for this tunnel (both end devices), check...

1. Internet is not dropping.

2. try by reloading the ISP device connected to ASA end.

hth

MS

0 Helpful

administratorauravita
Level 1
Level 1
In response to mvsheik123

‎04-13-2012 05:00 AM

Hi..

There are no specific time-out settings and the internet does not drop its only the vpn.

Reloadin the ISP device : do you mean to reset or restart the router.

Thanks

0 Helpful

mvsheik123
Level 7
Level 7
In response to administratorauravita

‎04-13-2012 05:46 AM

Cold restart. Pull the plug, wait for 30sec and plug back in.

Thx

MS

0 Helpful
Customers Also Viewed These Support Documents