ASA 5505 site to site tunnel disconnects and won't recreate or pass traffic

I am having strange issues with a couple of ASA 5505s. I have a site to site tunnel connecting two ASA 5505s. At first the tunnel will come up and pass traffic for a short period of time, then quit if someone is not actively on it. Once the tunnel breaks you can ping across and the tunnel will come back up, but it will not pass traffic. I have to completely strip out the VPN config and put it back in for traffic to pass again.

It seems to be getting worse. Now if Site A pings first it will establish the tunnel (MM_ACTIVE) but no traffic will pass. If Site B pings first it will not bring up the tunnel at all. I get MM_WAIT_MSG4, which from my understanding is basically saying it's waiting on Site A to send the keys.

I have pored over this website and the web trying to figure out what is going on, but no luck so far. I desperately need some help with this. I'm not seeing how it worked briefly with this config and now it won't do anything. Nothing has been changed on either end of the tunnels.

If Site A pings first:
SiteA:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 71.xxx.xxx.233
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

SiteB:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 66.xxx.xxx.18
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Traffic will not pass.

If Site B pings first:
Site B:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 66.xxx.xxx.18
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4

SiteA:
Nothing


SiteA.txt
SiteB.txt
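
An added example, not part of the original question: a small Python parser for the IKE SA listings pasted above (the layout `show crypto isakmp sa` prints on an ASA), which classifies each SA's phase 1 state and notes whether the far end holds any SA. The function names are hypothetical, the sample text is copied from the question, and the far-end check assumes a single tunnel between the two units.

```python
import re

# Output copied from the question ("If Site B pings first"); Site A showed nothing.
SITE_B = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 66.xxx.xxx.18
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
"""
SITE_A = "Nothing"

# Output copied from the question ("If Site A pings first"), Site A side.
SITE_A_UP = """\
1   IKE Peer: 71.xxx.xxx.233
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

FIELD = re.compile(r"(IKE Peer|Type|Role|Rekey|State)\s*:\s*(\S+)")

def parse_isakmp_sa(text):
    """Return one dict per IKE SA; header and counter lines are skipped."""
    sas = []
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            if key == "IKE Peer":
                sas.append({"peer": value})
            elif sas:
                sas[-1][key.lower()] = value
    return sas

def assess(sa):
    """Classify the phase 1 state only; it says nothing about IPsec SAs."""
    state = sa.get("state", "")
    if state == "MM_ACTIVE":
        return "phase1-up"          # next check: show crypto ipsec sa counters
    if state.startswith("MM_WAIT_MSG"):
        return "phase1-incomplete"  # main mode exchange has not finished
    return "unknown"

def report(local_text, far_end_text):
    """Pair each local SA with whether the far end holds any SA at all
    (assumes a single tunnel between the two units, as in the question)."""
    far_end_has_sa = bool(parse_isakmp_sa(far_end_text))
    return [(sa["peer"], sa.get("role"), sa.get("state"), assess(sa), far_end_has_sa)
            for sa in parse_isakmp_sa(local_text)]

if __name__ == "__main__":
    print(report(SITE_B, SITE_A))
    print([assess(sa) for sa in parse_isakmp_sa(SITE_A_UP)])
```

A "phase1-up" result only confirms the ISAKMP SA; when traffic still fails, the encaps and decaps counters in `show crypto ipsec sa` on both units are the next thing to compare.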