VPN stops sending data even though tunnel remains up
We have an ASA 5510 talking to a client's Nortel device. We are sending data over a VPN connection between the two devices 24/7. Twice a day the tunnel stops sending data, and you can no longer ping over the tunnel. The tunnel is still up during this time, and my syslog shows no timeouts in ISAKMP or IPSec during this time. I issue the clear crypto ips sa peer command and the tunnel drops and re-establishes. After doing this, pings are immediately successful. Both the client tech and I have reconfigured everything on both sides making sure that we are matching exactly. We are also both using the host address, not network on one side host on the other (which I know can cause issues). Has anyone run across this? Any ideas on what to do to fix it?
Re: VPN stops sending data even though tunnel remains up
If the IPsec VPN tunnel has failed within the IKE negotiation, the failure can be due to either the PIX or the inability of its peer to recognize the identity of its peer. When two peers use IKE to establish IPsec security associations, each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or host name dependent upon how each has its ISAKMP identity set. By default, the ISAKMP identity of the PIX Firewall unit is set to the IP address. As a general rule, set the security appliance and the identities of its peers in the same way to avoid an IKE negotiation failure.
For further assistance, the following URL may help you in troubleshooting