Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
829
Views
0
Helpful
0
Replies

What is needed between RESPONDER and INITIATOR

lchance
Level 1
Level 1

‎05-18-2011 12:28 PM

I have a new tunnel between two 5505s. The REPSONDER has a STATIC IP and the INITIATOR is DHCP.

Just recently this tunnel dropped and seems to have stopped passing IPSEC. It appears continuously trying to rekey.

The VPN light on the INITIATOR ASA sometimes is steady and then sometimes blinking.

This is at the RESPONDER site:

Result of the command: "show crypto isa sa"

   Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.y.z.z
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE_REKEY
2   IKE Peer: x.y.z.z
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

And then at the INITIATOR end it has: MM_ACTIVE  

which comes and goes with the blinking of the VPN LED at the ASA front panel.

When the VPN LED is out it will have THERE ARE NO ISAMP SAS

What is needed to clear this and get IPSEC flowing again? The tunnel seems to be 'bouncing' now.

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents