vpn tunnel issue

I have a tunnel with a customer. I don't know any details on their end. We started experiencing connectivity issues. The tunnel would drop at least once or twice a month. After resetting the tunnel on my end, the traffic comes back up almost right away. I am not sure what to look for at this point, nor do I know if this is something on my end or theirs. I'm using a 5520. I have over 70 tunnels on this device and none are experiencing those issues but this one. All tunnels are configured identically.

Is there anything I can do to pinpoint the cause? How could I troubleshoot this?
Shark Attack (Network admin) asked:
Qlemo "Batchelor" (Developer and EE Topic Advisor) commented:
Sometimes renegotiation of Phase 2 (IPsec) SAs after their lifetime has been exceeded does not work properly between different devices, e.g. because one device ignores the shorter lifetime of the other one, keeping the session in a half-valid state. So that would be the first thing to check: which lifetimes are exchanged, and which ones are used eventually?
Shark Attack (Author) commented:
How could I check that?
Shark Attack (Author) commented:
How could I check what lifetimes I'm using for this specific tunnel?

Would it be this?
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
Qlemo "Batchelor" (Developer and EE Topic Advisor) commented:
This is what you set up. The other site's data should be visible if you display the SA properties (no, I don't know the command).
JustInCase commented:
To show IKE SA information:
show crypto isakmp peer <ip-addr>
To show IPsec SA information:
show crypto ipsec sa [ address | detail | interface | map | peer | vrf ]

To show IKE and IPsec information together:
show crypto session [ fvrf | group | ivrf | username ] [ detail ]
show crypto engine connection active
:)

There is also conditional debugging...
# debug crypto condition ?
Shark Attack (Author) commented:
we have identical timers. I checked with them.
Qlemo "Batchelor" (Developer and EE Topic Advisor) commented:
Then you'll have to wait until it happens again, and then check the SAs again, to make sure they are in sync.
Any chance the other side is idling out the tunnel, trying to renegotiate, and doing it wrong? In that case establishing the tunnel from the remote site should never work, only if initiated from your site.
Shark Attack (Author) commented:
I will ask, thanks.
Shark Attack (Author) commented:
Also, he is telling me that the tunnel does not go down on his end. From what I can remember, Phase 1 is up on my end but Phase 2 is not.
Qlemo "Batchelor" (Developer and EE Topic Advisor) commented:
That is possible, and points towards either a close-on-idle or a failing renegotiation. A simple ping to the other site in that situation has to lead to an immediate reconnect on Phase 2, and allows switching on debugging for that period. That would help in regard to reconnecting.
To find the reason why the P2 connection is terminated requires debugging for a longer period, to catch the point in time when this happens.
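Added example, not part of the thread above and not Cisco's own tooling: the two checks the answers ask for (which lifetimes are actually in use, and whether the Phase 2 state is half-valid after a failed rekey) can be automated over a saved `show crypto ipsec sa` capture from the ASA. The script below parses that output, keeps per-peer ESP SAs by direction with their remaining kB/sec lifetime and the encaps/decaps counters, and flags a peer when an SA exists in only one direction, when traffic is one-way, or when the remaining lifetime is larger than the locally configured 28800 s / 4608000 kB (which would mean the value in use came from the other side; this is a heuristic, not a Cisco diagnostic). The sample output is constructed to mimic ASA formatting; the addresses, SPIs and counters are made up. Run it on a capture taken while the tunnel is in the bad state, and again after a rekey, to see which direction is missing.

```python
"""Added example: audit a Cisco ASA 'show crypto ipsec sa' capture for
half-open ESP SAs, one-way traffic, and lifetimes that exceed the local
config (a hint that the peer's lifetime won the negotiation).
Sample output is constructed; addresses, SPIs and counters are made up."""
import re
from dataclasses import dataclass, field

CONFIGURED_LIFETIME_SEC = 28800     # crypto ipsec security-association lifetime seconds
CONFIGURED_LIFETIME_KB = 4608000    # crypto ipsec security-association lifetime kilobytes

# Constructed capture: peer .20 is healthy, peer .77 has only an outbound SA
# with a lifetime longer than the local 28800 s, and has never received a packet.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10
      current_peer: 198.51.100.20
      #pkts encaps: 15233, #pkts encrypt: 15233, #pkts digest: 15233
      #pkts decaps: 14980, #pkts decrypt: 14980, #pkts verify: 14980
      current outbound spi: 3B4C5D6E
      current inbound spi : 1A2B3C4D
    inbound esp sas:
      spi: 0x1A2B3C4D (438256717)
         sa timing: remaining key lifetime (kB/sec): (4373999/27120)
    outbound esp sas:
      spi: 0x3B4C5D6E (994532718)
         sa timing: remaining key lifetime (kB/sec): (4373999/27120)

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.10
      current_peer: 198.51.100.77
      #pkts encaps: 2041, #pkts encrypt: 2041, #pkts digest: 2041
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 5E6F7A8B
      current inbound spi : 00000000
    inbound esp sas:
    outbound esp sas:
      spi: 0x5E6F7A8B (1584429707)
         sa timing: remaining key lifetime (kB/sec): (4607900/86300)
"""

@dataclass
class PeerSA:
    peer: str
    encaps: int = 0
    decaps: int = 0
    inbound: list = field(default_factory=list)    # (spi, kb_left, sec_left)
    outbound: list = field(default_factory=list)

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")          # not "current ... spi:"
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")

def parse_ipsec_sa(text):
    """Return one PeerSA per 'current_peer' block, with its ESP SAs by direction."""
    peers, cur, section, spi = [], None, None, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            cur = PeerSA(peer=m.group(1)); peers.append(cur); section = None
        elif cur is None:
            continue
        elif m := ENCAPS_RE.search(line):
            cur.encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur.decaps = int(m.group(1))
        elif line.strip() in ("inbound esp sas:", "outbound esp sas:"):
            section = line.strip().split()[0]      # "inbound" or "outbound"
        elif section and (m := SPI_RE.match(line)):
            spi = m.group(1).upper()
        elif section and spi and (m := TIMING_RE.search(line)):
            getattr(cur, section).append((spi, int(m.group(1)), int(m.group(2))))
            spi = None
    return peers

def check_peer(p, lifetime_sec=CONFIGURED_LIFETIME_SEC, lifetime_kb=CONFIGURED_LIFETIME_KB):
    """Return human-readable findings for one peer; an empty list means it looks healthy."""
    findings = []
    if not p.inbound and not p.outbound:
        findings.append("no Phase 2 SA at all")
    elif bool(p.inbound) != bool(p.outbound):
        findings.append("half-open: no %s ESP SA" % ("inbound" if not p.inbound else "outbound"))
    if p.encaps > 0 and p.decaps == 0:
        findings.append(f"one-way traffic: encaps {p.encaps}, decaps 0")
    for direction in ("inbound", "outbound"):
        for spi, kb, sec in getattr(p, direction):
            # Remaining lifetime can never exceed the negotiated one, so if it
            # exceeds the local config the negotiated value was not ours.
            if sec > lifetime_sec or kb > lifetime_kb:
                findings.append(f"{direction} spi 0x{spi}: remaining {kb} kB / {sec} s exceeds "
                                f"local lifetime {lifetime_kb} kB / {lifetime_sec} s")
    return findings

def audit(text):
    """Map peer address -> findings for every peer in a 'show crypto ipsec sa' capture."""
    return {p.peer: check_peer(p) for p in parse_ipsec_sa(text)}

if __name__ == "__main__":
    for peer, findings in audit(SAMPLE_SHOW_CRYPTO_IPSEC_SA).items():
        print(peer, "OK" if not findings else "; ".join(findings))
```

Feed it a real capture with `audit(open("ipsec_sa.txt").read())`. Taking a capture every few minutes (or on a syslog trigger) and diffing the SPI sets between runs gives the timestamp of the rekey or drop that the debug session has to cover.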
