Solved

Cisco ASA 5505 Site-tp-Site VPN stops passing traffic

Posted on 2015-02-12
5
535 Views
Last Modified: 2015-05-11
Hi there,
Have two Cisco 5505's - both running version 8.2(1). We have a site to site VPN between them and it works fine. However, the traffic stops passing over the tunnel. The tunnels stay up, but no traffic is passing. I have made sure that the following has been set:
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 2147483647


The lifetime keys runs out before the above data limit is hit as not a huge amount of data passes over the VPN Tunnel
Yesterday for example, I established the tunnels at 8:30am in the morning. By using ping plotter, I could see that the tunnel had dropped at around 5:15am this morning for some reason. This was shown also with the IPsec  Session details showing that 12000 secs of the Rekey Left had passed  (checked at around 8:30 today, so 12000secs equals roughly 3 1/4 hours)
Not traffic was passing over the tunnel. Under VPN statistics, it was still showing that the tunnel had been up for about 23 odd hours.
I don't want to upgrade to 8.4, as one of the ASAs has a huge config.

Any thoughts on this?
ASA-VPN.jpg
0
Comment
Question by:greentriangle
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 40607195
Any pattern when traffic stops? Is this actually affecting production traffic?
0
 

Author Comment

by:greentriangle
ID: 40607287
No pattern for when it stops. Internet traffic is still passing. It is causing issues a bit, due to replicationbetween sites (ie DNS, and some SQl backups - minimal in size however)
0
 
LVL 6

Expert Comment

by:Matt
ID: 40607431
I have this on HQ ASA 5510:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

And IPSEC VPN Site-2-Site Works OK with remote offices, using ASA 5505.

But try to upgrade to ASA 8.2(5) - the latest interim release is 8.2.5-(55). There is no change in config - still "old" NAT :)
0
 

Author Comment

by:greentriangle
ID: 40613026
Morning,

I have upgraded both devices to 8.2 (5)33 but the issue still exists. Traffic stops passing. Thoughts?
0
 
LVL 6

Accepted Solution

by:
Matt earned 500 total points
ID: 40613627
Do you have this in your config?

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now