[c-nsp] ASA 5520 to Pix sudden loss of tunnel

Scott Granados scott at granados-llc.net
Thu Mar 10 14:24:04 EST 2011


Eric, I can confirm the routing is good because other similarly configured devices on the same ASA can reach the problem network.

I reset both ASA members in the pair and everything works now.  I'm thinking some sort of resource usage bug or exactly what I read in another message, interactions between old broken pixes and the ASA.

Thanks
Scott

On Mar 10, 2011, at 5:49 AM, Eric Girard wrote:

> Scott,
>    If there were no changes on the ASA, I'd check to make sure that the routing behind the ASA is still bringing the return traffic back to the VPN device.  I always check routing and NAT when I have one-way traffic, and if the firewalls didn't change, I'd look at the routing.
> 
> Eric
> 
> Sent from my HTC smartphone
> 
> -----Original Message-----
> From: Scott Granados <scott at granados-llc.net>
> Sent: Thursday, March 10, 2011 12:17 AM
> To: cisco-nsp <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] ASA 5520 to Pix sudden loss of tunnel
> 
> 
> Hi, I'm having an odd problem and wonder if anyone has some pointers.  I looked for the Cisco IPSEC solutions document but the things suggested didn't work. (this VPN document covered both IOS and security appliances)
> 
> BACKGROUND
> 
> I have two devices: a Pix running the 7.x code base in the field and a pair of ASA 5520 devices running 8.2.2.  The 5520 pair is set up in an active/passive arrangement.
> 
> For the most part, the tunnels form fine and the traffic passes, but I have 1 /16 that is not forming.  It did and was working fine until it randomly stopped passing traffic.  I confirmed the ASA5520 pair can ping and reach the target device in the /16 that's being shared, and I also confirm that syslog outputs building and teardown messages, so it appears to be hearing traffic from the Pix.  I also see, when I execute a show ipsec sa detail, that the counters for encrypt and decrypt show that the Pix is sending packets but not increasing on the receiving and decrypting side, and the ASA shows a mirror image.  I have other subnets on the same device working correctly and traffic passes cleanly.  As I also mentioned, traffic was passing over this tunnel earlier today and suddenly just stopped.  I tried a clear ipsec sa and clear isakmp sa on both devices and it made no difference.  What other things should I check?  Any ideas where I should investigate next?
> 
> I'm using a normal L2L setup with standard crypto maps on both ends and pretty garden-variety boilerplate configs, simple source and destination ACLs.
> 
> Any help would be appreciated.
> 
> Thanks
> Scott
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
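The diagnostic step Scott describes above (comparing the encrypt/decrypt counters from `show crypto ipsec sa` on both peers) and Eric's routing/NAT check can be reduced to a small script. The following is an added example written for this archive page, not code from either poster or from Cisco: it parses the `#pkts encaps` / `#pkts decaps` counter lines from two snapshots per peer, computes the deltas, and classifies the one-way patterns discussed in the thread. The snapshot text and address ranges are constructed for the example; only the counter lines are parsed, and each snapshot is assumed to contain a single SA.

```python
import re

# Matches the per-SA counter lines printed by "show crypto ipsec sa" on
# ASA/PIX 7.x: "#pkts encaps: N" (outbound) and "#pkts decaps: N" (inbound).
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

# Constructed snapshots in that format (not from the thread). T0 and T1 are two
# captures of the same SA a few minutes apart; identities are placeholders.
ASA_T0 = """\
    local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA_T1 = ASA_T0.replace("1500", "1532")
PIX_T0 = """\
    local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      #pkts encaps: 2000, #pkts encrypt: 2000, #pkts digest: 2000
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
PIX_T1 = PIX_T0.replace("2000", "2048")


def parse_counters(show_output):
    """Return {'encaps': N, 'decaps': N} from the text of one SA."""
    found = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(show_output)}
    missing = {"encaps", "decaps"} - found.keys()
    if missing:
        raise ValueError(f"counter lines not found: {sorted(missing)}")
    return found


def counter_delta(before, after):
    """Packets encapsulated/decapsulated between two snapshots of one SA."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b[k] for k in ("encaps", "decaps")}


def diagnose(peers):
    """peers: {name: (snapshot_t0, snapshot_t1)} for exactly two IPsec peers.

    Returns a list of findings: for each direction, whether ESP sent by one
    peer is being decapsulated by the other, and whether a peer that receives
    traffic is sending any back (the routing/NAT-behind-the-firewall case).
    """
    if len(peers) != 2:
        raise ValueError("expected exactly two peers")
    deltas = {name: counter_delta(t0, t1) for name, (t0, t1) in peers.items()}
    (a, da), (b, db) = deltas.items()
    if all(v == 0 for d in deltas.values() for v in d.values()):
        return ["no counter movement on either peer: no traffic matched the "
                "crypto ACL in this interval"]
    findings = []
    for tx, dtx, rx, drx in ((a, da, b, db), (b, db, a, da)):
        if dtx["encaps"] > 0 and drx["decaps"] == 0:
            findings.append(
                f"{tx} encapsulated {dtx['encaps']} pkts but {rx} decapsulated none: "
                f"ESP from {tx} is not reaching {rx} or does not match its inbound SA")
        if drx["decaps"] > 0 and drx["encaps"] == 0:
            findings.append(
                f"{rx} decrypted {drx['decaps']} pkts but encrypted none back: "
                f"check routing and NAT behind {rx} for the return path")
    if not findings:
        findings.append("counters advance in both directions on both peers")
    return findings


def thread_scenario():
    """Both peers encapsulate, neither decapsulates: the pattern in the thread."""
    return diagnose({"ASA": (ASA_T0, ASA_T1), "PIX": (PIX_T0, PIX_T1)})


if __name__ == "__main__":
    for line in thread_scenario():
        print(line)
```

Run against the two constructed snapshots it reports that each peer is encapsulating while the other decapsulates nothing, which distinguishes the case in the thread (a problem between the peers or in the SA itself) from the case Eric raises, where one side decrypts traffic but never encrypts a reply because the return route or NAT behind it is wrong.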
