jplagens asked:
ASA 5505 site to site tunnel disconnects and won't recreate or pass traffic

I am having strange issues with a couple of ASA 5505s. I have a site-to-site tunnel connecting two ASA 5505s. At first the tunnel will come up and pass traffic for a short period of time, then quit if someone is not actively on it. Once the tunnel breaks you can ping across and the tunnel will come back up, but it will not pass traffic. I have to completely strip out the VPN config and put it back in for traffic to pass again.

It seems to be getting worse. Now if Site A pings first it will establish the tunnel (MM_ACTIVE) but no traffic will pass. If Site B pings first it will not bring up the tunnel at all. I get MM_WAIT_MSG4, which, from my understanding, is basically saying it is waiting on Site A to send the keys.

I have pored over this website and the web trying to figure out what is going on, but no luck so far. I desperately need some help with this. I'm not seeing how it worked briefly with this config and now it won't do anything. Nothing has been changed on either end of the tunnels.

If Site A pings first:
SiteA:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 71.xxx.xxx.233
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

SiteB:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 66.xxx.xxx.18
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Traffic will not pass.

If Site B pings first:
Site B:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 66.xxx.xxx.18
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4

SiteA:
Nothing


Attachments: SiteA.txt, SiteB.txt
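As an added example, not part of the original thread: a small Python triage helper that parses the ASA 7.x `show isakmp sa` listing in the form posted above and turns each SA's Type/Role/State into the next thing to check. The sample outputs are constructed from the asker's two failure cases; the meaning of "waiting for message n" comes from the main-mode exchange in RFC 2409, while the "Type: user on an L2L peer means a tunnel-group problem" rule and the phase 2 suggestions are heuristics, not an ASA API.

```python
"""Triage ASA 7.x 'show isakmp sa' output for a LAN-to-LAN tunnel.

Added example, not part of the thread.  The sample outputs below are
constructed from what the asker posted; the findings are heuristics.
"""
import re
from dataclasses import dataclass

# What the responder sends in each even-numbered main-mode message
# (RFC 2409 section 5).  An initiator in MM_WAIT_MSG<n> has sent message
# n-1 and is waiting for message n, so this is the payload that never came.
RESPONDER_MSG = {
    2: "SA (the responder's accepted ISAKMP proposal)",
    4: "KE + Nr (the responder's Diffie-Hellman public value and nonce)",
    6: "IDir + HASH_R (the responder's identity and authentication hash)",
}


@dataclass
class IkeSa:
    peer: str
    typ: str
    role: str
    rekey: str
    state: str


# One 'IKE Peer' entry in the 'show isakmp sa' listing, as posted above.
SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s*\n"
    r"\s*Type\s*:\s*(?P<typ>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)"
)


def parse_isakmp_sa(text):
    """Return one IkeSa per 'IKE Peer' block in the command output."""
    return [IkeSa(**m.groupdict()) for m in SA_RE.finditer(text)]


def triage(site, text, expected_type="L2L"):
    """Turn each SA's Type/Role/State into the next thing to check (heuristics)."""
    sas = parse_isakmp_sa(text)
    if not sas:
        return [f"{site}: no ISAKMP SA; phase 1 never started on this side "
                "(peer unreachable, UDP/500 blocked, or nothing matched the crypto ACL)"]
    findings = []
    for sa in sas:
        if sa.typ != expected_type:
            findings.append(
                f"{site}: peer {sa.peer} shows Type {sa.typ}, expected {expected_type}; "
                f"check that 'tunnel-group {sa.peer} type ipsec-l2l' exists "
                "(heuristic: an L2L peer matched to a remote-access group shows as 'user')")
        m = re.fullmatch(r"MM_WAIT_MSG(\d)", sa.state)
        if m and sa.role == "initiator":
            n = int(m.group(1))
            findings.append(
                f"{site}: initiator stuck waiting for main-mode message {n} from {sa.peer}: "
                f"{RESPONDER_MSG.get(n, 'unexpected message number')}; on the responder, "
                "check the ISAKMP policy (encryption, hash, DH group, authentication) "
                "and that it has a tunnel-group with a pre-shared key for this address")
        elif m:
            findings.append(
                f"{site}: responder waiting for main-mode message {m.group(1)} from {sa.peer}")
        elif sa.state == "MM_ACTIVE":
            findings.append(
                f"{site}: phase 1 with {sa.peer} is MM_ACTIVE; if no traffic passes, "
                "the problem is phase 2: check 'show ipsec sa', mirrored crypto ACLs, "
                "transform sets and NAT exemption on both sides")
        else:
            findings.append(f"{site}: peer {sa.peer} in state {sa.state} (role {sa.role})")
    return findings


# Constructed from the asker's two failure cases (addresses as posted).
SITE_A_INITIATES = """\
1   IKE Peer: 71.xxx.xxx.233
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
SITE_B_INITIATES = """\
1   IKE Peer: 66.xxx.xxx.18
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
"""

if __name__ == "__main__":
    for site, out in (("SiteA", SITE_A_INITIATES), ("SiteB", SITE_B_INITIATES), ("SiteA", "")):
        for line in triage(site, out):
            print(line)
```

Run against the Site B output above it reports two things: the SA is Type `user` rather than `L2L`, and the initiator is waiting for message 4, i.e. the responder's KE and nonce. Both point at the responder side (Site A), which matches the asker's observation that Site A shows no SA at all in that case.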
ricks_v replied:
I've gone through the config and found no errors for the LAN-to-LAN VPN.

The only possibility is that the ASAs are still holding some old IPsec info.

I'm not sure if you have done this, but try clearing the tunnels anyway at both ends by using:

Site A
#clear ipsec sa peer 71.xxx.xxx.233
#clear isakmp sa

Site B
#clear ipsec sa peer 66.xxx.xxx.18
#clear isakmp sa


Agree with ricks_v; his post is the accepted method for clearing the SAs when the tunnel drops. You also might try removing the crypto maps using the "no" form to remove the crypto statements. You can use Notepad to minimize typing.

Also, check your key lifetime (the default is 86400 seconds, 24 hours) and make sure they match on both peers. If these are not identical, the shorter lifetime is used.


asa(config)# isakmp policy (policy#) lifetime 86400


Also configure ISAKMP keepalives, if not already configured. It will prevent sporadically dropped tunnels.

asa(config)# tunnel-group [ip address name of tunnel-group] ipsec-attributes
asa(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
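As an added example, not part of the thread: a Python checker that compares the settings two ASA peers must agree on for an IKEv1 LAN-to-LAN tunnel, covering the points the two replies above raise (phase 1 policy attributes, matching lifetimes, an `ipsec-l2l` tunnel-group for the other peer's address, and keepalives). The two configs are constructed for the demonstration and are not the asker's attachments; only the peer addresses come from the thread. The 3DES/SHA-1/group 2 values reflect what an ASA 7.2 would typically carry and are not a recommendation; a current deployment should use AES and a larger DH group.

```python
"""Cross-check the settings two ASA peers must agree on for an IKEv1 L2L tunnel.

Added example, not part of the thread.  The two configs below are
constructed (not the asker's attachments); only the peer addresses come
from the thread.  Site A is 66.xxx.xxx.18, Site B is 71.xxx.xxx.233.
"""
import re

SITE_A_IP, SITE_B_IP = "66.xxx.xxx.18", "71.xxx.xxx.233"

SITE_A_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 71.xxx.xxx.233 type ipsec-l2l
tunnel-group 71.xxx.xxx.233 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
"""

# Deliberately inconsistent: shorter lifetime, wrong tunnel-group type,
# no keepalives.  These are the classes of mismatch the replies above name.
SITE_B_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
tunnel-group 66.xxx.xxx.18 type ipsec-ra
tunnel-group 66.xxx.xxx.18 ipsec-attributes
 pre-shared-key *
"""

PROPOSAL_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_asa(cfg):
    """Extract isakmp policies and tunnel-groups from ASA 7.x running-config text."""
    policies, groups, ctx = {}, {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            ctx = None                       # left an ipsec-attributes block
        m = re.match(r"isakmp policy (\d+) (\w+) (\S+)", line)
        if m:
            policies.setdefault(int(m[1]), {})[m[2]] = m[3]
            continue
        m = re.match(r"tunnel-group (\S+) (type|ipsec-attributes)(?: (\S+))?", line)
        if m:
            g = groups.setdefault(m[1], {"type": None, "keepalive": None})
            if m[2] == "type":
                g["type"] = m[3]
            else:
                ctx = g                      # following indented lines belong to it
            continue
        m = re.match(r"\s+isakmp keepalive threshold (\d+) retry (\d+)", line)
        if m and ctx is not None:
            ctx["keepalive"] = (int(m[1]), int(m[2]))
    return policies, groups


def check_pair(a_cfg, a_ip, b_cfg, b_ip):
    """Return findings; an empty list means both sides agree on what must match."""
    findings, policies = [], {}
    # Each side needs an ipsec-l2l tunnel-group (with keepalives) for the OTHER peer.
    for name, cfg, peer in (("A", a_cfg, b_ip), ("B", b_cfg, a_ip)):
        policies[name], groups = parse_asa(cfg)
        g = groups.get(peer)
        if g is None:
            findings.append(f"{name}: no tunnel-group for peer {peer}")
            continue
        if g["type"] != "ipsec-l2l":
            findings.append(f"{name}: tunnel-group {peer} is type {g['type']}, not ipsec-l2l")
        if g["keepalive"] is None:
            findings.append(f"{name}: no isakmp keepalive on tunnel-group {peer}")
    # Phase 1 only completes if some policy on A matches some policy on B.
    matches = [(na, nb) for na, pa in policies["A"].items()
               for nb, pb in policies["B"].items()
               if all(pa.get(k) == pb.get(k) for k in PROPOSAL_ATTRS)]
    if not matches:
        findings.append("no ISAKMP policy on A matches any on B "
                        f"(compare {', '.join(PROPOSAL_ATTRS)})")
    for na, nb in matches:
        la = policies["A"][na].get("lifetime", "86400")   # 86400 is the ASA default
        lb = policies["B"][nb].get("lifetime", "86400")
        if la != lb:
            findings.append(f"policies A#{na}/B#{nb} match but lifetimes differ "
                            f"({la} vs {lb}); set both to the same value")
    return findings


if __name__ == "__main__":
    for f in check_pair(SITE_A_CFG, SITE_A_IP, SITE_B_CFG, SITE_B_IP):
        print(f)
```

On the constructed pair it reports that Site B's tunnel-group for Site A is `ipsec-ra` rather than `ipsec-l2l`, that Site B has no keepalives, and that the two matching policies carry different lifetimes; once those three lines are corrected it reports nothing. Feed it `show run` from both firewalls rather than hand-typed fragments so that the comparison covers every policy number.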
jplagens (asker) replied:
Thanks for the input. I've cleared out, deleted, added, re-added. One thing I did notice when I was posting earlier today was that Site A was running version 7.2.1 and Site B was running 7.2.2. Basically the tunnel would not work at all today. This evening I upgraded Site A to version 7.2.2. I was able to get the tunnel established and traffic moving across. I will have to wait until the morning to see if that solved the problem or only worked temporarily.

I've had that problem before with site-to-site tunnels with PIXes running different OSes, and once I got them on the same OS everything worked. I hope this works for me.

Asker certified solution: jplagens (the solution text is available only to Experts Exchange members and is not reproduced here).