09-29-2014 02:36 AM - edited 02-21-2020 07:51 PM
I have created an IPsec site-to-site tunnel; it was working fine till yesterday.
Today I checked the tunnel status: it was up, but when I tried to ping the other end's IP, encaps & decaps were 0, so I cleared the tunnel (clear crypto ipsec sa peer *.*.*.*) and traffic started passing, and this issue continues now. If the tunnel remains idle for a long time (10 or 20 hours) no traffic passes, and as soon as I clear the tunnel it starts working.
Please help....
09-29-2014 04:41 AM
Hello Vinay,
Please provide us the below information:
1) Site-to-site between which devices: make and model & IOS/firewall version.
2) Does this happen just to one tunnel, or do you have the same issue with multiple tunnels?
3) Paste your running configuration of the tunnel including the crypto configuration; the issue looks like it is with the configured lifetime.
Since you said the tunnel is idle for 10 - 20 hours, the tunnel might expire; then you need interesting traffic in order to get the tunnel up and running.
09-29-2014 10:52 PM
Hello,
Please find the below details:
1. 5540 8.2(5)26 <----> 9.1(4)
2. It happens only for this tunnel; the rest are working fine.
3. Configuration part for the ASA running version 9.1:
object-group network net-KULS
 network-object 10.160.48.0 255.255.255.0
object-group network net-Mattel
 network-object 153.12.0.0 255.255.0.0
 network-object 156.20.0.0 255.255.0.0
 network-object 10.16.7.20 255.255.255.255
 network-object host 10.16.7.21
 network-object host 156.20.201.139
 network-object host 10.17.4.218
 network-object host 10.36.4.87
 network-object host 153.12.49.10
access-list ACL_GWMLY-MATTEL_L2L extended permit ip object-group net-KULS object-group net-Mattel
access-list inside_nat0_outbound extended permit ip object-group net-KULS object-group net-Mattel
nat (inside,any) source static net-KULS net-KULS destination static net-Mattel net-Mattel no-proxy-arp route-lookup
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev2 enable outside
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *********
crypto map outside_map 8 match address ACL_GWMLY-MATTEL_L2L
crypto map outside_map 8 set peer x.x.x.x
crypto map outside_map 8 set ikev1 transform-set ESP-3DES-SHA
Running configuration of the ASA running software version 8.2:
object-group network Geodis_Wilson_WMS_Local
 network-object host 156.20.51.83
 network-object host 156.20.201.139
 network-object host 10.16.7.20
 network-object host 10.16.7.21
 network-object host 10.17.4.218
 network-object host 10.36.4.87
 network-object 10.36.7.0 255.255.255.0
object-group network Geodis_Wilson_WMS_Remote
 network-object host 153.12.49.11
 network-object host 10.160.48.11
 network-object host 10.160.48.17
 network-object host 10.160.48.222
access-list outside_cryptomap_10 extended permit ip object-group Geodis_Wilson_WMS_Local object-group Geodis_Wilson_WMS_Remote
access-list nonat extended permit ip host 156.20.201.139 host 10.160.48.17
access-list nonat extended permit ip host 10.16.7.20 host 153.12.49.76
access-list nonat extended permit ip host 10.16.7.20 host 10.160.48.17
static (inside,outside) 156.20.53.65 10.16.7.20 netmask 255.255.255.255
static (outside,inside) 153.12.49.76 10.160.48.17 netmask 255.255.255.255
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y general-attributes
 default-group-policy Geodis_Wilson
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 60 retry 5
group-policy Geodis_Wilson internal
group-policy Geodis_Wilson attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
The working source and destination IPs are highlighted in bold above, so I have NAT-exempted these IPs only.
And one more thing: it's not only after 10 hours; even if the tunnel remains idle for 2 or 3 hours, traffic doesn't pass. I try to initiate interesting traffic, but encaps and decaps show 0 unless I tear down the tunnel and initiate the interesting traffic after that.
09-29-2014 10:52 PM
Your configuration looks good other than a few things.
Under the firewall configuration running 9.1:
in phase 2 you are using a lifetime set to 28800.
When checked on the other firewall running 8.2:
in phase 2 you are using a lifetime of 86400, which is the default.
Try to match both lifetimes and see if the problem gets resolved.
In my understanding both IKE & IPsec connections have a limited lifetime; we can describe it as both time (seconds) and data (kilobytes). Try to change the lifetime, try it out, and let us know the result.
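The reply above suggests comparing the lifetimes on both firewalls by hand. The script below is an added example, written for this thread and not posted by either participant or taken from Cisco: it parses the IKEv1/ISAKMP policy stanzas exactly as they appear above (flattened, with indentation lost), pairs proposals whose authentication, encryption, hash and DH group agree, and reports the lifetime difference on each matched pair plus any proposal that has no counterpart on the other side. It also lists the NAT-T and DPD keepalive settings of each side, since those are the other per-peer knobs that matter when a tunnel stops forwarding after sitting idle. The two embedded excerpts are copied from the thread; the `ASA_82_SHA` variant is constructed to show the lifetime check on a pair that does match. It assumes the posted excerpts are the complete IKEv1 policy set, which they may not be, since the tunnel did come up.

```python
import re

# Start of an IKEv1 (ASA 8.4+) or ISAKMP (ASA 8.2) phase 1 policy stanza.
IKE_POLICY_RE = re.compile(r"^crypto (?:ikev1|isakmp) policy (\d+)$")
# Any other top-level keyword ends the current policy stanza. This is what lets
# the parser work on the configs as pasted above, where indentation was lost.
SECTION_STARTS = ("crypto ", "no crypto ", "tunnel-group ", "object-group ",
                  "group-policy ", "access-list ", "nat ", "static ")
IKE_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
DEFAULT_IKE_LIFETIME = "86400"  # ASA default IKEv1 policy lifetime, in seconds

# Excerpts copied from the two configurations posted above (crypto parts only).
ASA_91 = """\
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev2 enable outside
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
no crypto isakmp nat-traversal
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *********
"""

ASA_82 = """\
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 60 retry 5
"""

# Constructed variant (not from the thread): the 8.2 side with the same hash as
# the 9.1 side, so the two proposals pair up and only the lifetime differs.
ASA_82_SHA = ASA_82.replace("hash md5", "hash sha")


def parse_ike_policies(text):
    """Return {priority: {attr: value}} for every IKEv1/ISAKMP policy in the text."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IKE_POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {"lifetime": DEFAULT_IKE_LIFETIME})
            continue
        if line.startswith(SECTION_STARTS):
            current = None  # an IKEv2 policy, tunnel-group, etc. ends the stanza
            continue
        if current is not None:
            key, _, value = line.partition(" ")
            if key in IKE_ATTRS:
                current[key] = value
    return policies


def proposal_key(policy):
    """The attributes both peers must agree on for a phase 1 proposal to match."""
    return tuple(policy.get(k) for k in ("authentication", "encryption", "hash", "group"))


def compare_ike_policies(local_text, remote_text):
    """Pair matching proposals and report lifetime differences and unmatched policies."""
    local, remote = parse_ike_policies(local_text), parse_ike_policies(remote_text)
    report = {"matched": [], "lifetime_mismatch": [], "unmatched_local": [], "unmatched_remote": []}
    remote_by_key = {}
    for num, pol in remote.items():
        remote_by_key.setdefault(proposal_key(pol), []).append(num)
    seen_remote = set()
    for lnum, lpol in sorted(local.items()):
        peers = remote_by_key.get(proposal_key(lpol), [])
        if not peers:
            report["unmatched_local"].append(lnum)
        for rnum in peers:
            seen_remote.add(rnum)
            pair = (lnum, rnum, int(lpol["lifetime"]), int(remote[rnum]["lifetime"]))
            report["matched"].append(pair)
            if pair[2] != pair[3]:
                report["lifetime_mismatch"].append(pair)
    report["unmatched_remote"] = sorted(set(remote) - seen_remote)
    return report


def peer_notes(text):
    """Per-peer settings worth listing side by side when a tunnel drops while idle."""
    lines = [l.strip() for l in text.splitlines()]
    notes = []
    if "no crypto isakmp nat-traversal" in lines:
        notes.append("NAT-T disabled: ESP must reach the peer without a NAT in the path")
    keepalives = [l for l in lines if l.startswith("isakmp keepalive")]
    if keepalives:
        notes.append("DPD keepalive set explicitly: " + "; ".join(keepalives))
    else:
        notes.append("DPD keepalive not set explicitly (ASA default applies)")
    return notes


if __name__ == "__main__":
    for label, remote in (("as posted", ASA_82), ("8.2 side with hash sha (constructed)", ASA_82_SHA)):
        print(label, compare_ike_policies(ASA_91, remote))
    print("9.1 side:", peer_notes(ASA_91))
    print("8.2 side:", peer_notes(ASA_82))
```

On the excerpts as posted, the script pairs nothing: the 9.1 side proposes 3des/sha/group 2 while the 8.2 side proposes 3des/md5/group 2, so each policy is reported as unmatched and no lifetime comparison is made. Only on the constructed variant with matching hashes does the 28800 versus 86400 lifetime difference show up as a finding, which is the same comparison the reply asks for.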
09-29-2014 11:31 PM
09-30-2014 04:57 AM
Hey, did you get a chance to set the lifetime on both firewalls and check?
09-30-2014 07:19 PM
Yes, I changed the lifetime for the ASA running 8.2 from 86400 to 28800, but the issue is still there.
I have uploaded the debug logs; have you found anything in those logs?
10-01-2014 02:58 AM
Hey,
From the debug not much information I could find.
When the issue is happening, can you please perform a packet capture so that we can understand where the packet is getting dropped:
packet-tracer input inside tcp S.S.S.S 80 D.D.D.D detailed
S = Source
D = Destination
and please paste the output.
09-29-2014 11:01 PM
Also please let us know if the tunnel is built between two hosts, and if it is two hosts, what kind of traffic is passing between these hosts.
09-29-2014 11:05 PM
It's Line Printer Remote (LPR) and ICMP packets.
09-29-2014 10:58 PM
Hey Vinay,
You are always welcome to paste your firewall/device configuration.
It is always good for you if you do not share, or try to hide, your public IPs and pre-shared keys.
You need to understand that this is an open support forum, and anyone can do anything on your devices if you give out that valuable information.
Take caution!
Thank you
Shine
05-10-2018 05:53 AM