I have a VPN tunnel from an ASA 5500 running 8.0.4 to a Nortel Contivity device. Periodically the tunnel will just stop passing traffic (do not see encap or decap numbers increasing) but the tunnel will still be up. After a clear crypto ipsec on the peer the tunnel will reestablish and everything will be fine again. Actually it is only 2 SAs within the tunnel that stop passing traffic. One thing I do see different on them is that the SA that keeps working the whole time has lifetime listed as just sec but the SAs that stop passing traffic have lifetime listed as KB/Sec. Not sure why different SAs to the same peer (and in the same crypto map) are negotiating differently. The crypto map statement has both kb and sec lifetimes specified. We have several other tunnels on this ASA and only have this issue on this one - however I think this may be the only Nortel Contivity we have a tunnel to.
Obviously we would prefer not to have to reset the tunnel periodically, so any suggestions on what might be causing some SAs in the tunnel to "freeze" would be appreciated.
Can you please share the config - Phase 1 and Phase 2 parameters of both the devices?
Have you checked the Lifetime on both devices? The default lifetime value on ASA for Phase 1 is 86400 sec which is 24 hours and for Phase 2 is 28800 sec which is 8 hours. Make sure you have the same configured on the Nortel device also.
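As an added illustration that is not part of this thread, here is how the Phase 1 and Phase 2 lifetimes the reply mentions are set and then checked on an ASA running 8.0; the peer address, crypto map name, ACL name and transform-set name are assumed placeholders.

```cisco
! Added example, not from the original thread. Peer address, map name,
! ACL and transform-set names are placeholders.
!
! --- Phase 1 (ISAKMP) lifetime, ASA default 86400 sec (24 h) ---
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! --- Phase 2 (IPsec) lifetime, ASA default 28800 sec (8 h) / 4608000 KB ---
! The global values apply to every crypto map entry that does not set
! its own; a per-entry setting overrides them for that peer only.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map outside_map 10 match address NORTEL_VPN_ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
!
! --- Verification ---
! Compare the negotiated lifetime shown under "sa timing" for each SA
! with the peer's configuration, and run the second command twice a
! minute apart: on a healthy SA the "#pkts encaps"/"#pkts decaps"
! counters keep increasing while the tunnel carries traffic.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

The same lifetime values must be configured on the Nortel side so that both peers agree on when to rekey.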