Cisco ASA VPN tunnel not working after modem reset

Hi all,

We have a problem with a site-to-site VPN tunnel between 2 Cisco ASA 5505's.
Site 1:
Datacenter
Cisco ASA has a public IP address on the outside interface provided by the datacenter ISP.

Site 2:
Customer office
Cisco ASA connects to the internet via PPPoE through a DSL modem in bridge mode.
The ASA has a public IP on the outside interface.

Lately, the DSL line is not really steady. When the DSL line crashes, the customer resets the modem and the line comes up fine again. The modem is not the problem, it is already replaced.

However, while internet/DSL comes up fine, the site-to-site VPN does not. A tunnel is created, but the ASDM states that there are a lot of bytes TX, but no bytes RX. That means somehow the tunnel is set up but no traffic is received. The ASA on the other site reports the same.

When we manually logout the VPN tunnel via the ASDM, automatically a new tunnel is created by the ASA and from there on it works fine.

What could be the problem? We don't want to have to reset the VPN manually every time the modem is reset.

engineerNL asked:
Pete Long, Technical Consultant, commented:
>> lot of bytes TX, but no bytes RX. That means somehow the tunnel is set up but no traffic is received. The ASA on the other site reports the same.

This makes no sense - they can't both be incrementing TX but not RX? Are you sure it's not the OPPOSITE way round? If so, my technical brain says the problem is at the main site.

Has PFS been enabled/disabled on both ends (i.e. is one end on and one end off)?
Can the main site route to the DSL site (are there any conflicting route entries on that subnet)?
Are both the ASAs running the newest code? (Yes, it's a cliche, but one end might have a bug, and it's the first thing that TAC would ask!)

You say the tunnel does not come up; does it come up at phase 1? As you mentioned TX and RX, I'm assuming so?

Regards,

Pete
0
engineerNL (author) commented:
Hi Pete Long,

Both ASAs are running version 8.4.1. Upgrading is not possible since the customer has no SmartNet contract.
In my opinion it is perfectly possible that both ASAs have bytes TX but no RX. They both send, but don't receive. That could be possible since something is wrong.

When I run the command "show crypto isakmp" in the command line, I see that one of the ASAs has "In-Negotiation SAs: 0" and the other one says 5. Can that have something to do with the problem?

PFS is on, both are set to option 5. We also tried disabling PFS, same problem.

When we reload the ASAs there is no problem, the tunnel comes up fine again. When we reset the modem, this problem occurs.
0
Pete Long, Technical Consultant, commented:
>> in my opinion it is perfectly possible that both ASAs have bytes TX but no RX

Yes, but only if a device in between the two IPsec peers was blocking IPsec (UDP 500 and/or protocol 50).
0

anoopkmr commented:
Just confirm DPD is enabled on both sides. DPD is enabled by default on ASA for both L2L and RA IPsec:
https://supportforums.cisco.com/document/32546/dead-peer-detection
0
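Added example, not from this thread or from Cisco's documentation: the ASA 8.4 CLI for the DPD check suggested above, plus the show commands that expose the TX-without-RX symptom the question describes. The peer address 203.0.113.10 and the keepalive timers are constructed placeholders; replace them with the real remote peer and values that fit the DSL line.

```cisco
! --- Added example (not from the thread) ---
! Make DPD explicit on the tunnel-group for the remote peer (DPD is on by
! default, but stating it removes any doubt when comparing both ASAs).
! 203.0.113.10 is a placeholder for the other site's public IP.
tunnel-group 203.0.113.10 ipsec-attributes
 ! send a keepalive after 10 s of silence and retry every 2 s;
 ! when the peer stops answering, the SA is torn down and renegotiated
 isakmp keepalive threshold 10 retry 2
!
! --- Checks to run on both ASAs right after a modem reset ---
! Phase 1: the IKE SA should be MM_ACTIVE, not sitting in negotiation
show crypto isakmp sa
! Phase 2: compare '#pkts encaps' (sent) with '#pkts decaps' (received);
! encaps climbing while decaps stays at 0 is the one-way symptom from the question
show crypto ipsec sa peer 203.0.113.10
!
! --- Manual recovery the thread performs via ASDM, done from the CLI ---
! clears the IKEv1 SA to this peer so the ASA rebuilds the tunnel
clear crypto ikev1 sa 203.0.113.10
```

Run the two show commands on both peers and compare them side by side: if both sides encapsulate but neither decapsulates, the ESP (protocol 50) or IKE (UDP 500) packets are being dropped between the peers, which is the situation Pete Long describes; if only the DSL side shows zero decaps, the fault is local to that ASA or its PPPoE path, which is what the eventual hardware replacement in this thread points to.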
engineerNL (author) commented:
ASA was broken. We replaced it, uploaded same config and it worked again.
0
engineerNL (author) commented:
Replacing the ASA was the solution. I guess hardware failure.
0