We have 16 offices with a full mesh VPN (every office connects to every other office). Normally, when we add a subnet to an office, we make the appropriate changes to the no-NAT ACL and the crypto map ACL, and then stop and start the crypto map. This has always worked.
Recently, when we do this, the tunnel works for a while but after several hours stops passing traffic for one or more subnets in one direction. We may see flapping tunnels on all subnets between two offices. In a recent incident, Office A/Subnet 1 could ping Office B/all subnets, Office B/Subnet 1 could ping Office A/all subnets, Office B/Subnet 2 could ping Office A/Subnet 1, but Office B/Subnet 2 could not ping Office A/Subnet 1.
A reload does NOT solve the flapping/subnet black hole, but a hard power cycle does.
Is the PIX having problems processing the ACL because of its length? Do we need to move to Turbo ACLs, or is there some other issue?
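As an added example (not part of the original post), here is the PIX 6.x configuration pattern the question describes, written out for one spoke of the mesh, together with the show commands used to check whether the new subnet's ACL entries are being hit and whether an IPsec SA exists for that pair. Every name and address is an assumption: Office A is 10.1.0.0/16 with a new 10.1.50.0/24 subnet, Office B is 10.2.0.0/16 behind peer 203.0.113.2, and the ACL, crypto map and transform-set names are made up.

```cisco
! Office A PIX, 6.x syntax. Hypothetical addressing:
!   Office A = 10.1.0.0/16, new subnet 10.1.50.0/24
!   Office B = 10.2.0.0/16, outside peer 203.0.113.2
! ACL, crypto map and transform-set names are assumptions.

! 1. Exempt the new subnet from NAT toward Office B (the no-NAT ACL).
access-list NONAT permit ip 10.1.50.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! 2. Add the identical source/destination pair to the crypto map ACL for
!    the Office B tunnel. Office B must add the mirror image
!    (10.2.0.0/16 -> 10.1.50.0/24) to its own crypto ACL; if only one
!    side is updated, the IPsec proxy identities do not match for that
!    pair and traffic fails in one direction while other pairs keep working.
access-list VPN_A_TO_B permit ip 10.1.50.0 255.255.255.0 10.2.0.0 255.255.0.0

! 3. The crypto map entry for Office B (one entry per peer in the mesh).
crypto map MESH 20 ipsec-isakmp
crypto map MESH 20 match address VPN_A_TO_B
crypto map MESH 20 set peer 203.0.113.2
crypto map MESH 20 set transform-set ESP-3DES-SHA

! 4. "Stop and start the crypto map": unbind and rebind it on the
!    outside interface so the changed ACL is picked up.
no crypto map MESH interface outside
crypto map MESH interface outside

! 5. Verification after some traffic has crossed the tunnel.
!    hitcnt on the new line in BOTH ACLs should increase; a zero hitcnt
!    on the crypto ACL line means the traffic never matched for encryption.
show access-list NONAT
show access-list VPN_A_TO_B
!    Expect one SA pair per matching crypto ACL line; compare
!    #pkts encaps against #pkts decaps for the 10.1.50.0/24 pair.
show crypto ipsec sa
show crypto isakmp sa
!    Tear down stale IPsec SAs without a reload if one pair is black-holed.
clear crypto ipsec sa

! 6. Turbo ACL compilation (PIX 6.2 and later). This only speeds up
!    matching of long ACLs; it does not change which packets match.
access-list compiled
```

The same three-step change (no-NAT ACL entry, crypto ACL entry, crypto map rebind) has to be made at every office that tunnels to the new subnet, with the source and destination swapped at the far end. Comparing `show access-list` hit counts against `show crypto ipsec sa` separates "the packet never matched the crypto ACL" from "the SA exists but one direction is not being decrypted", which is the first thing to establish before blaming ACL length.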