Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco ASA 5505 Site-tp-Site VPN stops passing traffic

Posted on 2015-02-12
5
Medium Priority
?
742 Views
Last Modified: 2015-05-11
Hi there,
Have two Cisco 5505's - both running version 8.2(1). We have a site to site VPN between them and it works fine. However, the traffic stops passing over the tunnel. The tunnels stay up, but no traffic is passing. I have made sure that the following has been set:
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 2147483647


The lifetime keys runs out before the above data limit is hit as not a huge amount of data passes over the VPN Tunnel
Yesterday for example, I established the tunnels at 8:30am in the morning. By using ping plotter, I could see that the tunnel had dropped at around 5:15am this morning for some reason. This was shown also with the IPsec  Session details showing that 12000 secs of the Rekey Left had passed  (checked at around 8:30 today, so 12000secs equals roughly 3 1/4 hours)
Not traffic was passing over the tunnel. Under VPN statistics, it was still showing that the tunnel had been up for about 23 odd hours.
I don't want to upgrade to 8.4, as one of the ASAs has a huge config.

Any thoughts on this?
ASA-VPN.jpg
0
Comment
Question by:greentriangle
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 40607195
Any pattern when traffic stops? Is this actually affecting production traffic?
0
 

Author Comment

by:greentriangle
ID: 40607287
No pattern for when it stops. Internet traffic is still passing. It is causing issues a bit, due to replicationbetween sites (ie DNS, and some SQl backups - minimal in size however)
0
 
LVL 6

Expert Comment

by:Matt
ID: 40607431
I have this on HQ ASA 5510:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

And IPSEC VPN Site-2-Site Works OK with remote offices, using ASA 5505.

But try to upgrade to ASA 8.2(5) - the latest interim release is 8.2.5-(55). There is no change in config - still "old" NAT :)
0
 

Author Comment

by:greentriangle
ID: 40613026
Morning,

I have upgraded both devices to 8.2 (5)33 but the issue still exists. Traffic stops passing. Thoughts?
0
 
LVL 6

Accepted Solution

by:
Matt earned 1500 total points
ID: 40613627
Do you have this in your config?

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question