4 Replies Latest reply: May 17, 2019 9:00 PM by Micheal

    ASA 5505

    Micheal

      Hi guys!

      Greetings

       

      I have an ASA 5505 firewall at our remote site with an IPSec tunnel configured inside, but these days it gives a timeout for 5 to 10 seconds two or three times daily, then gets back to normal.

      What is the problem with it? Is it a hardware issue or a tunnel issue? I have erased the flash, uploaded the IOS again and activated it, but it still gives a timeout for 5 to 10 seconds three to five times a day, or maybe more.

       

      Thanks,

         
        • 1. Re: ASA 5505
          Juergen Ilse CCNA R&S

          It sounds like it may be a tunnel issue ... When my DSL line at home has a short issue, I also see the VPN tunnel flapping, and sometimes longer than the DSL flapping ... I configured an IKEv2 tunnel with one dynamic endpoint (at home) and one endpoint with a static address (at work), both terminating on a Cisco ASA (firmware 9.9.2 interim version) on both sides of the tunnel (5506-X on the "dynamic side" and 5515-X on the "static side").

          • 2. Re: ASA 5505
            Micheal

            Dear Juergen!

            Thanks for the reply, I appreciate it. Both sides are LAN; one side is a 5585 with 100 of object groups and the remote sites are all 5505 ASAs. Both sides are static:

             

            !
            crypto ipsec ikev1 transform-set ESP-AES-256 esp-aes-256 esp-md5-hmac
            crypto ipsec security-association pmtu-aging infinite
            crypto map ESP-AES-256 5 match address Lan-site
            crypto map ESP-AES-256 5 set peer 10.0.0.1
            crypto map ESP-AES-256 5 set ikev1 transform-set ESP-AES-256
            crypto map ESP-AES-256 interface outside
            crypto ca trustpool policy
            crypto ikev1 enable outside
            crypto ikev1 policy 5
             authentication pre-share
             encryption aes-256
             hash md5
             group 2
             lifetime 86400

            • 3. Re: ASA 5505
              M0ng00se - CCIE Security

              Is the tunnel itself being torn down? Re-establishing the tunnel could cause a lag like this.

               

              Can you provide the output of a "show asp drop"?

              • 4. Re: ASA 5505
                Micheal

                Thanks for the reply, M0ng00se!

                No, when the timeout starts for 10 seconds the tunnel is stable and encrypting, and both ASA interfaces, WAN and LAN site, are pingable, but it does not pass the traffic toward the router. Then all the remote sites show down and I can't log in to the router, but the ASA is now bypassed on the router. I think it has a hardware issue, but I am looking for any new experience, as I may be wrong.

                 

                Thanks,