[c-nsp] ASA 5520 to Pix sudden loss of tunnel

Eric Girard egirard at focustsi.com
Thu Mar 10 08:49:45 EST 2011


Scott,
    If there were no changes on the ASA, I'd check to make sure that the routing behind the ASA is still bringing the return traffic back to the VPN device.  I always check routing and NAT when I have one-way traffic, and if the firewalls didn't change, I'd look at the routing.

Eric

Sent from my HTC smartphone

-----Original Message-----
From: Scott Granados <scott at granados-llc.net>
Sent: Thursday, March 10, 2011 12:17 AM
To: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: [c-nsp] ASA 5520 to Pix sudden loss of tunnel


Hi, I'm having an odd problem and wonder if anyone has some pointers.  I looked for the Cisco IPSEC solutions document but the things suggested didn't work. (this VPN document covered both IOS and security appliances)

BACKGROUND

I have two devices: a PIX running the 7.x code base in the field and a pair of ASA 5520 devices running 8.2.2.  The 5520 pair is set up in an active/passive arrangement.

For the most part, the tunnels form fine and the traffic passes, but I have one /16 that is not forming.  It did, and was working fine, until it randomly stopped passing traffic.  I confirmed the ASA 5520 pair can ping and reach the target device in the /16 that's being shared, and I also confirm that syslog outputs building and teardown messages, so it appears to be hearing traffic from the PIX.  I also see, when I execute a show ipsec sa detail, that the counters for encrypt and decrypt show that the PIX is sending packets but not increasing on the receiving and decrypting side, and the ASA shows a mirror image.  I have other subnets on the same device working correctly and traffic passes cleanly.  As I also mentioned, traffic was passing over this tunnel earlier today and suddenly just stopped.  I tried a clear ipsec sa and clear isakmp sa on both devices and it made no difference.  What other things should I check?  Any ideas where I should investigate next?

I'm using a normal L2L setup with standard crypto maps on both ends and pretty garden variety boiler plate configs, simple source and destination ACLs.

Any help would be appreciated.

Thanks
Scott
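
The counter symptom Scott describes (one side's decrypt counter climbing while its encrypt counter stands still, with the peer showing the mirror image) and Eric's response (check routing and NAT for the return path) can be turned into a quick check. Because the counters in show crypto ipsec sa are cumulative, a single snapshot cannot distinguish an SA that stalled an hour ago from one that is healthy; the script below takes two snapshots a little time apart and classifies each SA by which direction actually moved. This is an added example, not code from the thread or from Cisco; the two snapshots are constructed to look like ASA show crypto ipsec sa output, and the addresses, crypto map name and peers in them are made up.

```python
"""Classify IPsec SAs as bidirectional, one-way or idle from two snapshots
of ASA 'show crypto ipsec sa' output taken some seconds apart.

Added example for the thread above; the sample snapshots are constructed.
"""
import re

# Constructed snapshot 1: two SAs to the same peer (hypothetical addresses).
SNAPSHOT_1 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest: 4120
      #pkts decaps: 9801, #pkts decrypt: 9801, #pkts verify: 9801

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 902, #pkts decrypt: 902, #pkts verify: 902
"""

# Constructed snapshot 2, a little later: the /16 SA only decrypts, the
# /24 SA moves both ways.
SNAPSHOT_2 = SNAPSHOT_1.replace("9801", "9950").replace("880", "910").replace("902", "930")

# One match per SA block: the selectors, the peer, then the two counters
# the thread talks about. Non-greedy matching keeps each match inside its
# own block because the next block's "encaps" follows this block's "decaps".
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^)]+)\)\s+"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]+)\)\s+"
    r"current_peer: (?P<peer>\S+).*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+)",
    re.S,
)


def parse_ipsec_sas(text):
    """Return {(local, remote, peer): (encaps, decaps)} for every SA block."""
    return {
        (m["local"], m["remote"], m["peer"]): (int(m["encaps"]), int(m["decaps"]))
        for m in SA_RE.finditer(text)
    }


def classify_deltas(before, after):
    """Label each SA by the direction in which its counters advanced."""
    report = {}
    for key, (enc_b, dec_b) in before.items():
        if key not in after:
            report[key] = "gone: SA torn down between snapshots"
            continue
        enc_a, dec_a = after[key]
        d_enc, d_dec = enc_a - enc_b, dec_a - dec_b
        if d_enc > 0 and d_dec > 0:
            verdict = "ok: traffic moving in both directions"
        elif d_enc == 0 and d_dec > 0:
            # Peer traffic arrives and decrypts, nothing is encrypted back:
            # the return path behind this device is the first suspect.
            verdict = ("one-way: decrypting peer traffic but encrypting nothing back; "
                       "check routing and NAT behind this device for the return path")
        elif d_enc > 0 and d_dec == 0:
            verdict = ("one-way: sending but receiving nothing; check the far side's "
                       "return routing, NAT and crypto ACL")
        else:
            verdict = "idle: no traffic in either direction"
        report[key] = verdict
    return report


if __name__ == "__main__":
    result = classify_deltas(parse_ipsec_sas(SNAPSHOT_1), parse_ipsec_sas(SNAPSHOT_2))
    for (local, remote, peer), verdict in result.items():
        print(f"{local} <-> {remote} via {peer}: {verdict}")
```

Run on the constructed snapshots, the /16 SA is reported as one-way (decrypting only) and the /24 SA as healthy, which is exactly the pattern in the original post: the ASA hears the PIX but has nothing to send back, so the return route behind the ASA, not the tunnel itself, is where to look next.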


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


