[c-nsp] ASA 5520 to Pix sudden loss of tunnel

Scott Granados scott at granados-llc.net
Thu Mar 10 00:11:51 EST 2011


Hi, I'm having an odd problem and wonder if anyone has some pointers.  I looked at the Cisco IPSEC solutions document, but the things it suggested didn't work (this VPN document covered both IOS and security appliances).

BACKGROUND

I have two devices: a Pix running the 7.x code base in the field and a pair of ASA 5520 devices running 8.2.2.  The 5520 pair is set up in an active/passive arrangement.

For the most part, the tunnels form fine and the traffic passes, but I have 1 /16 that is not forming.  It did, and was working fine, until it randomly stopped passing traffic.  I confirmed the ASA 5520 pair can ping and reach the target device in the /16 that's being shared, and I also confirmed that syslog outputs building and teardown messages, so it appears to be hearing traffic from the Pix.  I also see, when I execute a show ipsec sa detail, that the encrypt counters show the Pix is sending packets but the receiving and decrypting counters are not increasing, and the ASA shows a mirror image.  I have other subnets on the same device working correctly, and traffic passes cleanly.  As I also mentioned, traffic was passing over this tunnel earlier today and suddenly just stopped.  I tried a clear ipsec sa and clear isakmp sa on both devices and it made no difference.  What other things should I check?  Any ideas where I should investigate next?

I'm using a normal L2L setup with standard crypto maps on both ends and pretty garden-variety boilerplate configs, with simple source and destination ACLs.

Any help would be appreciated.

Thanks
Scott
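As an added example (not from the post, and not Cisco's own tooling), here is a small Python script that does the counter comparison Scott describes by hand: it parses the #pkts encaps/decaps counters from two captures of show crypto ipsec sa and flags any SA where only one direction advanced between captures. The sample output is constructed, and the regexes assume the ASA 8.x line layout for the ident and #pkts lines.

```python
import re

# Constructed sample of "show crypto ipsec sa" counter lines (not from the post):
# two SAs to the same peer, laid out as ASA 8.x prints them. Only the ident and
# "#pkts" lines matter to the parser, so the rest of the real output is omitted.
SNAPSHOT_T0 = """\
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      #pkts encaps: 4200, #pkts encrypt: 4200, #pkts digest: 4200
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Constructed second capture a minute later: the first SA grew in both
# directions, the second only on the encaps side (the symptom in the post).
SNAPSHOT_T1 = (SNAPSHOT_T0.replace("1500", "1620").replace("1498", "1617")
               .replace("4200", "4350"))

IDENT = re.compile(r"(local|remote) ident .*?: \(([^/]+/[^/]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa_counters(text):
    """Return {(local_selector, remote_selector): {'encaps': n, 'decaps': n}}."""
    sas, ident = {}, {}
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            ident[m.group(1)] = m.group(2)   # remember the current SA's selectors
            continue
        m = COUNT.search(line)
        if m and "local" in ident and "remote" in ident:
            key = (ident["local"], ident["remote"])
            sas.setdefault(key, {})[m.group(1)] = int(m.group(2))
    return sas

def classify(before, after):
    """Compare two snapshots and label each SA by which counters moved."""
    verdicts = {}
    for key, now in after.items():
        prev = before.get(key, {})
        d_enc = now.get("encaps", 0) - prev.get("encaps", 0)
        d_dec = now.get("decaps", 0) - prev.get("decaps", 0)
        if d_enc > 0 and d_dec > 0:
            verdicts[key] = "healthy: packets flowing both ways"
        elif d_enc > 0:
            verdicts[key] = "one-way: encrypting but nothing decrypted (check peer side and return path)"
        elif d_dec > 0:
            verdicts[key] = "one-way: decrypting but nothing encrypted (check routing/NAT toward the tunnel)"
        else:
            verdicts[key] = "idle: no packets in either direction"
    return verdicts
```

Run it against two captures taken a minute apart from the same box; a /16 that is up but shows "one-way" here is the case described in the post, and the same script run on the peer should show the mirror image.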



