Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN problem after internet disconnection

I made a VPN site 2 site connection using PIX515E on my side (not sure about device on other side). Today the VPN connection was down all the day. however i could ping the other site using the real IP using the firewall itself.

I had to clear the SA of ISAKMP and IPSEC in order to repair the problem. (clear crypto isakmp SA and clear crypto ipsec SA) So i wonder, what could be wrong ?

Both sites have similar config:



Hash: SHA-1

Diffie-Hellmann Group 2


IKE keepalive: No



Authent: esp-sha-hmac

PFS: no

SA lifetime: 3600sec, 4608000 kByte

I thought the devices themself should maintain the connection, refresh it on demand... However it seems like they're not doing so, anything i can do ?


New Member

Re: VPN problem after internet disconnection


the only thing you can do is to enable "isakmp keepalive". With this command the pix sends periodically an "Are you there" paket to check the isakmp state.

But this must be supported from the other side!

Another way is maybe to reduce the isakmp lifetime.

Regards, Celio

New Member

Re: VPN problem after internet disconnection

Thanks for your help, i will give it a try.

But isn't supposed that the connection to be maintained by firewall in some sort ? Maybe the problem is in the other side ? Why i should delete SAs ? is the problem in the first phase or second phase ? (from my config)