IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Hi,

We are facing a major issue of the VPN tunnel going down very often. I have 7 site-to-site VPN connections; this works fine for some days and then suddenly the VPN tunnel goes down intermittently for one or a few locations, and I need to clear the ISAKMP SA for that specific tunnel to bring it up.

When the tunnel goes down, the VPN phase 1 status is:

    6   IKE Peer: 18.104.22.168
        Type    : L2L             Role    : initiator
        Rekey   : yes             State   : MM_ACTIVE_REKEY
    7   IKE Peer: 22.214.171.124
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_REKEY_DONE_H2

After clearing phase 1 for the specific tunnel, the VPN tunnel comes up:

    7   IKE Peer: 126.96.36.199
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

    CINBLR01-SQDR-FIREWALL-00002# sh version
    Cisco Adaptive Security Appliance Software Version 8.04
    Device Manager Version 6.1(5)

    Compiled on Thu 07-Aug-08 20:53 by builders
    System image file is "disk0:/asa804-k8.bin"
    Config file at boot was "startup-config"

    CINBLR01-SQDR-FIREWALL-00002 up 1 day 17 hours

    Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
     0: Ext: Ethernet0/0         : address is 001b.0c38.d232, irq 9
     1: Ext: Ethernet0/1         : address is 001b.0c38.d233, irq 9
     2: Ext: Ethernet0/2         : address is 001b.0c38.d234, irq 9
     3: Ext: Ethernet0/3         : address is 001b.0c38.d235, irq 9
     4: Ext: Management0/0       : address is 001b.0c38.d231, irq 11
     5: Int: Not used            : irq 11
     6: Int: Not used            : irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 100
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 250
    WebVPN Peers                 : 2
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2

    This platform has an ASA 5510 Security Plus license.

Please suggest a permanent fix to this...

Regards,
Narendra
Hi,

It looks like you have PFS enabled in the tunnel configuration. Please remove the PFS configuration.

Regards,
Anisha

P.S.: Please mark this post as answered if you feel your query is answered. Do rate helpful posts.
Hi Anisha Damani,

Yes, the moment we removed PFS on both boxes the VPN tunnel came up. But after some time we again noticed the VPN tunnel going down intermittently. Please help us understand in detail what the cause would be and how PFS is correlated with this issue.
Hi,

From the original post I see that a rekey was happening. It happens because of PFS. PFS ensures that each new cryptographic key is unrelated to any previous key. Details of the command are here: http://www.cisco.com/en/US/docs/securit ... #wp1881397

Hope this helps.

Regards,
Anisha

- Do rate helpful posts.
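Whatever the root cause turns out to be, an operator living with intermittent drops like the ones in the original post will want to catch a peer that never leaves MM_ACTIVE_REKEY or MM_REKEY_DONE_H2 before users report the tunnel down. The script below is an added example, not code from the thread or from Cisco: it parses the three-line entries of the pasted "show isakmp sa" output (the sample inside it is constructed from the addresses in the post) and flags a peer only when it is still not MM_ACTIVE on a second poll, since a short stay in a rekey state is normal during a successful rekey.

```python
import re

# Constructed sample modelled on the "show isakmp sa" lines pasted in the
# original post (same anonymised peer addresses; entry 8 is the healthy case).
SAMPLE_SHOW_ISAKMP_SA = """\
6   IKE Peer: 18.104.22.168
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY
7   IKE Peer: 22.214.171.124
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2
8   IKE Peer: 126.96.36.199
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# The main-mode state an established L2L peer should rest in between rekeys;
# the *_REKEY* states are normal for a moment and abnormal if they persist.
HEALTHY_STATES = {"MM_ACTIVE"}

# One IKE SA entry spans three lines: id/peer, type/role, rekey/state.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+IKE Peer:\s*(\S+)[ \t]*\n"
    r"^\s*Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)[ \t]*\n"
    r"^\s*Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)[ \t]*$",
    re.MULTILINE,
)


def parse_isakmp_sa(text):
    """Return one dict per IKE SA entry found in the show output."""
    return [
        {"id": int(sa_id), "peer": peer, "type": sa_type, "role": role,
         "rekey": rekey == "yes", "state": state}
        for sa_id, peer, sa_type, role, rekey, state in ENTRY_RE.findall(text)
    ]


def not_active(text):
    """Peers whose IKE SA is in any state other than MM_ACTIVE in this poll."""
    return sorted({e["peer"] for e in parse_isakmp_sa(text)
                   if e["state"] not in HEALTHY_STATES})


def stuck_peers(previous_poll, current_poll):
    """A peer mid-rekey on one poll is expected; one still not MM_ACTIVE on the
    next poll is the stuck tunnel the thread describes and worth alerting on."""
    return sorted(set(not_active(previous_poll)) & set(not_active(current_poll)))
```

Feed it the output of two polls a rekey interval apart; peers it returns are the ones whose phase 1 did not complete on its own.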
Thanks for the update, and I appreciate your support on this. I hope this will resolve my VPN issue and that I will not have to come back about the VPN going down again. Thanks...