Solved

Cisco ASA 5505 Site-tp-Site VPN stops passing traffic

Posted on 2015-02-12
5
606 Views
Last Modified: 2015-05-11
Hi there,
Have two Cisco 5505's - both running version 8.2(1). We have a site to site VPN between them and it works fine. However, the traffic stops passing over the tunnel. The tunnels stay up, but no traffic is passing. I have made sure that the following has been set:
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 2147483647


The lifetime keys runs out before the above data limit is hit as not a huge amount of data passes over the VPN Tunnel
Yesterday for example, I established the tunnels at 8:30am in the morning. By using ping plotter, I could see that the tunnel had dropped at around 5:15am this morning for some reason. This was shown also with the IPsec  Session details showing that 12000 secs of the Rekey Left had passed  (checked at around 8:30 today, so 12000secs equals roughly 3 1/4 hours)
Not traffic was passing over the tunnel. Under VPN statistics, it was still showing that the tunnel had been up for about 23 odd hours.
I don't want to upgrade to 8.4, as one of the ASAs has a huge config.

Any thoughts on this?
ASA-VPN.jpg
0
Comment
Question by:greentriangle
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 40607195
Any pattern when traffic stops? Is this actually affecting production traffic?
0
 

Author Comment

by:greentriangle
ID: 40607287
No pattern for when it stops. Internet traffic is still passing. It is causing issues a bit, due to replicationbetween sites (ie DNS, and some SQl backups - minimal in size however)
0
 
LVL 6

Expert Comment

by:Matt
ID: 40607431
I have this on HQ ASA 5510:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

And IPSEC VPN Site-2-Site Works OK with remote offices, using ASA 5505.

But try to upgrade to ASA 8.2(5) - the latest interim release is 8.2.5-(55). There is no change in config - still "old" NAT :)
0
 

Author Comment

by:greentriangle
ID: 40613026
Morning,

I have upgraded both devices to 8.2 (5)33 but the issue still exists. Traffic stops passing. Thoughts?
0
 
LVL 6

Accepted Solution

by:
Matt earned 500 total points
ID: 40613627
Do you have this in your config?

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question