Solved

Cisco ASA 5505 Site-to-Site VPN stops passing traffic

Posted on 2015-02-12
Last Modified: 2015-05-11
Hi there,
Have two Cisco 5505s, both running version 8.2(1). We have a site-to-site VPN between them and it works fine. However, the traffic stops passing over the tunnel. The tunnels stay up, but no traffic is passing. I have made sure that the following has been set:
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 2147483647


The lifetime key runs out before the above data limit is hit, as not a huge amount of data passes over the VPN tunnel.
Yesterday, for example, I established the tunnels at 8:30am in the morning. By using PingPlotter, I could see that the tunnel had dropped at around 5:15am this morning for some reason. This was shown also in the IPsec Session details, showing that 12000 secs of the Rekey Left had passed (checked at around 8:30 today, so 12000 secs equals roughly 3 1/4 hours).
No traffic was passing over the tunnel. Under VPN statistics, it was still showing that the tunnel had been up for about 23 odd hours.
I don't want to upgrade to 8.4, as one of the ASAs has a huge config.

Any thoughts on this?
Question by:greentriangle
5 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 40607195
Any pattern when traffic stops? Is this actually affecting production traffic?
0
 

Author Comment

by:greentriangle
ID: 40607287
No pattern for when it stops. Internet traffic is still passing. It is causing issues a bit, due to replication between sites (i.e. DNS, and some SQL backups, minimal in size however).
0
 
LVL 6

Expert Comment

by:Matt
ID: 40607431
I have this on HQ ASA 5510:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

And IPsec VPN site-to-site works OK with remote offices, using ASA 5505.

But try to upgrade to ASA 8.2(5); the latest interim release is 8.2.5-(55). There is no change in config, still "old" NAT :)
0
 

Author Comment

by:greentriangle
ID: 40613026
Morning,

I have upgraded both devices to 8.2(5)33 but the issue still exists. Traffic stops passing. Thoughts?
0
 
LVL 6

Accepted Solution

by: Matt (earned 1500 total points)
ID: 40613627
Do you have this in your config?

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
0
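As an added example, not part of this thread or of anyone's posted config: a small Python script that parses an ASA-style running-config excerpt (a constructed sample, including a hypothetical peer address) and reports the global IPsec SA lifetimes plus whether each tunnel-group's ipsec-attributes section carries an isakmp keepalive line, so a missing DPD keepalive like the one asked about above can be spotted before the tunnel goes quiet.

```python
import re

# Constructed sample of an ASA 8.2-style running-config excerpt (not from the thread).
# The peer address 203.0.113.10 is a documentation-range placeholder.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 2147483647
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
"""

def parse_sections(config):
    """Group indented sub-commands under their parent command (Cisco style)."""
    sections = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_ipsec(config):
    """Return (lifetimes, keepalives): SA lifetimes and per-tunnel-group keepalive line."""
    sections = parse_sections(config)
    lifetimes = {}
    for cmd in sections:
        m = re.match(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)", cmd)
        if m:
            lifetimes[m.group(1)] = int(m.group(2))
    keepalives = {}
    for cmd, body in sections.items():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", cmd)
        if not m:
            continue
        ka = next((l for l in body if l.startswith("isakmp keepalive")), None)
        keepalives[m.group(1)] = ka  # None => no DPD keepalive configured for this group
    return lifetimes, keepalives

if __name__ == "__main__":
    lifetimes, keepalives = audit_ipsec(SAMPLE_CONFIG)
    print("lifetimes:", lifetimes)
    for group, ka in keepalives.items():
        print(f"{group}: {ka or 'NO isakmp keepalive configured'}")
```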