Cisco ASA 5505 Site-to-Site VPN stops passing traffic

Posted on 2015-02-12
Last Modified: 2015-05-11
Hi there,
Have two Cisco 5505's - both running version 8.2(1). We have a site to site VPN between them and it works fine. However, the traffic stops passing over the tunnel. The tunnels stay up, but no traffic is passing. I have made sure that the following has been set:
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 2147483647


The lifetime keys run out before the above data limit is hit, as not a huge amount of data passes over the VPN tunnel.
Yesterday, for example, I established the tunnels at 8:30am. By using ping plotter, I could see that the tunnel had dropped at around 5:15am this morning for some reason. This was also shown by the IPsec session details, which showed that 12000 secs of the Rekey Left had passed (checked at around 8:30 today, so 12000 secs equals roughly 3 1/4 hours).
No traffic was passing over the tunnel. Under VPN statistics, it was still showing that the tunnel had been up for about 23-odd hours.
I don't want to upgrade to 8.4, as one of the ASAs has a huge config.

Any thoughts on this?
Question by:greentriangle
5 Comments
 

Expert Comment

by:naderz
ID: 40607195
Any pattern when traffic stops? Is this actually affecting production traffic?
 

Author Comment

by:greentriangle
ID: 40607287
No pattern for when it stops. Internet traffic is still passing. It is causing issues a bit, due to replication between sites (i.e. DNS, and some SQL backups - minimal in size, however).
 

Expert Comment

by:Matt
ID: 40607431
I have this on HQ ASA 5510:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

And IPSEC VPN Site-2-Site Works OK with remote offices, using ASA 5505.

But try to upgrade to ASA 8.2(5) - the latest interim release is 8.2.5-(55). There is no change in config - still "old" NAT :)
 

Author Comment

by:greentriangle
ID: 40613026
Morning,

I have upgraded both devices to 8.2 (5)33 but the issue still exists. Traffic stops passing. Thoughts?
 

Accepted Solution

by:Matt
ID: 40613627
Do you have this in your config?

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
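
Added example, not part of the original thread: a Python sketch for confirming the symptom described in the question (SA still present, no traffic passing) by comparing the packet counters from two `show crypto ipsec sa` captures taken a few minutes apart. The sample output, addresses and state labels are constructed for illustration.

```python
import re
# Constructed sample (documentation addresses): trimmed `show crypto ipsec sa` output.
TEMPLATE = """\
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
      #pkts encaps: {a_enc}, #pkts encrypt: {a_enc}, #pkts digest: {a_enc}
      #pkts decaps: {a_dec}, #pkts decrypt: {a_dec}, #pkts verify: {a_dec}
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 198.51.100.3
      #pkts encaps: {b_enc}, #pkts encrypt: {b_enc}, #pkts digest: {b_enc}
      #pkts decaps: {b_dec}, #pkts decrypt: {b_dec}, #pkts verify: {b_dec}
"""
SNAP_1 = TEMPLATE.format(a_enc=5200, a_dec=5100, b_enc=800, b_dec=790)
SNAP_2 = TEMPLATE.format(a_enc=5260, a_dec=5100, b_enc=850, b_dec=845)

REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/")
PEER = re.compile(r"current_peer: ([\d.]+)")
ENCAPS = re.compile(r"#pkts encaps: (\d+)")
DECAPS = re.compile(r"#pkts decaps: (\d+)")

def parse_sas(text):
    """Return {(peer, remote_net): (encaps, decaps)} for every SA in the output."""
    sas, remote, peer, enc = {}, None, None, None
    for line in text.splitlines():
        if m := REMOTE.search(line):
            remote = m.group(1)
        elif m := PEER.search(line):
            peer = m.group(1)
        elif m := ENCAPS.search(line):
            enc = int(m.group(1))
        elif m := DECAPS.search(line):
            sas[(peer, remote)] = (enc, int(m.group(1)))
    return sas

def classify(before, after):
    """Label each SA present in both snapshots by how its counters moved."""
    result = {}
    for key in before.keys() & after.keys():
        d_enc, d_dec = (a - b for a, b in zip(after[key], before[key]))
        if d_enc < 0 or d_dec < 0:
            state = "rekeyed"        # counters restarted with a new SA; sample again
        elif d_enc > 0 and d_dec == 0:
            state = "sending-only"   # packets encrypted out, none decrypted back
        elif d_enc == 0:
            state = "idle" if d_dec == 0 else "receiving-only"
        else:
            state = "passing"
        result[key] = state
    return result
```

A `sending-only` result means this ASA is encrypting packets for the tunnel but decrypting none in return, which suggests checking the remote peer's SA state and the return path before changing the local lifetime settings.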