[c-nsp] ASA 5520 to Pix sudden loss of tunnel

Ryan West rwest at zyedge.com
Thu Mar 10 14:31:09 EST 2011


NP. While you're upgrading, check to see if you're affected and think about upgrading to asa824-4-k8.bin/asa824-1-k8.bin.

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml

-ryan

-----Original Message-----
From: Scott Granados [mailto:scott at granados-llc.net] 
Sent: Thursday, March 10, 2011 2:25 PM
To: Ryan West
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel

Hi, thanks as always for the great response.

This is more or less what I was running into. I rebooted the Pix with no luck, but when I restarted the ASA pair all began to function.

I have some ASA hardware on the way to replace the PIXes, I just need to make this hold together for a few more weeks.

Thanks for the pointers!

On Mar 10, 2011, at 6:32 AM, Ryan West wrote:

> Scott,
> 
>> 
>> I have two devices a Pix running the 7.x code base in the field and a pair of ASA 5520 devices running 8.2.2.  
>> The 5520 pair is set up in an active passive arrangement.
> 
> Which version of 7.x are you running? 7.2.4 below interim 33 was very buggy with VPNs. They stop for no reason, and removing the crypto map completely and re-applying it does not fix it. Try the following if you don't plan to upgrade soon:
> 
> Enable logging class vpn monitor debugging, and clear isakmp sa on both sides. The receiver of the tunnel is going to have the most useful debugs, and if you don't have access to the devices on either side, use packet-tracer to simulate interesting traffic. Try initiating from both sides; if you still aren't getting anywhere, remove and add back the crypto map from the outside interface. Debug cry isa 255 and debug cry ipsec 255 should also help. Beyond that, a reboot will clear up the 7.2.4 bug.
> 
> -ryan
> 
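The troubleshooting sequence from Ryan's earlier reply, written out as the CLI you would actually type on an ASA 8.2 or PIX/ASA 7.2 box. This is an added editorial example, not text from the original thread: the crypto map name (outside_map), the interface name (outside), the remote peer (203.0.113.5) and the two hosts (10.1.1.10, 10.2.2.20) are placeholders, not values from the post. The debug commands are 7.x/8.2 syntax; 8.4 and later renamed them to debug crypto ikev1/ikev2.

```cisco
! Added example, not from the original post. Placeholders (assumed, not from the thread):
!   crypto map "outside_map", interface "outside", peer 203.0.113.5,
!   inside host 10.1.1.10, remote host 10.2.2.20.
! Run the same steps on BOTH ends; the responder's debugs are the informative ones.

! 1. Confirm the code train and interim build on each box (7.2(4) interim number matters here).
show version | include Software Version

! 2. Send VPN-class syslogs at debugging level to the terminal session.
logging enable
logging class vpn monitor debugging
terminal monitor

! 3. Tear down phase 1 and phase 2 SAs so the tunnel is renegotiated from scratch.
clear crypto isakmp sa
clear crypto ipsec sa peer 203.0.113.5

! 4. Turn on the ISAKMP and IPsec debugs (highest verbosity).
debug crypto isakmp 255
debug crypto ipsec 255

! 5. Generate "interesting" traffic without needing a host on either side:
!    simulate a TCP SYN from the inside host to the remote network. In the output,
!    the Type: VPN / Subtype: encrypt phase should show ALLOW; a DROP there means
!    the crypto ACL or crypto map is not matching, which is not an IKE problem.
packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.20 80 detailed

! 6. Check what came up (phase 1 state, then phase 2 SAs and counters for the peer).
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.5

! 7. Still nothing? Unbind and rebind the crypto map. Note this drops EVERY tunnel on "outside".
configure terminal
 no crypto map outside_map interface outside
 crypto map outside_map interface outside
end

! 8. Turn the debugs and debug-level logging off when done; they are CPU-expensive in production.
undebug all
no logging class vpn monitor debugging
```

On an active/standby pair, run the debugs on the active unit; the standby does not negotiate IKE. If none of this brings the tunnel back on 7.2(4) below the interim Ryan mentions, the reboot he describes is the remaining option short of upgrading.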



