[c-nsp] ASA 5520 to Pix sudden loss of tunnel

Ryan West rwest at zyedge.com
Thu Mar 10 09:32:34 EST 2011


Scott,

>
>I have two devices: a Pix running the 7.x code base in the field and a pair of ASA 5520 devices running 8.2.2.
>The 5520 pair is set up in an active passive arrangement.

Which version of 7.x are you running? 7.2.4 below interim 33 was very buggy with VPNs. They stop for no reason, and removing the crypto map completely and re-applying it does not fix it. Try the following if you don't plan to upgrade soon:

Enable logging class vpn monitor debugging, then clear isakmp sa on both sides. The receiver of the tunnel is going to have the most useful debugs, and if you don't have access to the devices on either side, use packet-tracer to simulate interesting traffic. Try initiating from both sides; if you still aren't getting anywhere, remove and add back the crypto map from the outside interface. Debug cry isa 255 and debug cry ipsec 255 should also help. Beyond that, a reboot will clear up the 7.2.4 bug.

-ryan
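
The steps in the message above, written out as an ASA/PIX 7.x command sequence. This is an added example, not part of the original post. The crypto map name OUTSIDE_MAP, the interface names inside/outside, and the host addresses are assumptions; substitute the values from your own configuration.

```cisco
! Run from privileged EXEC on the tunnel receiver (ASA or PIX 7.x).
! Constructed values: crypto map OUTSIDE_MAP, hosts 10.1.1.10 and 10.2.2.10.

! Send VPN-class syslog at debugging level to this terminal session.
terminal monitor
configure terminal
 logging enable
 logging class vpn monitor debugging
 end

! Level 255 is very verbose; capture the session output to a file.
debug crypto isakmp 255
debug crypto ipsec 255

! Clear phase 1 SAs so negotiation restarts (repeat on the other peer).
clear crypto isakmp sa

! Simulate interesting traffic: ICMP echo (type 8, code 0) from a local
! host behind "inside" to a host in the remote protected subnet.
packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10 detailed

! Check whether phase 1 and phase 2 SAs were built.
show crypto isakmp sa
show crypto ipsec sa

! Still no tunnel: detach and re-attach the crypto map on outside.
configure terminal
 no crypto map OUTSIDE_MAP interface outside
 crypto map OUTSIDE_MAP interface outside
 end

! Turn debugging and the extra logging off when finished.
undebug all
configure terminal
 no logging class vpn
 end
```

The first packet-tracer run usually reports a drop at the VPN phase while the tunnel is still negotiating; run it a second time to see the result once the SAs exist.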



