[Openswan Users] Site-to-site with Cisco ASA5500 tunnel stops passing traffic

Tuomo Soini tis at foobar.fi
Thu Apr 26 14:17:40 EDT 2012


On Tue, 24 Apr 2012 01:33:15 -0700
Christopher Opena <counterveil at gmail.com> wrote:

> Hello folks,
> 
> First post here and have to say I'm loving Openswan so far!  I've
> successfully connected with a Juniper box followed by a Cisco ASA 5500
> (vendor operated), both of which were fairly seamless affairs.
> 
> I'm running into some issues with the Cisco ASA 5500 though, and
> unfortunately don't have access to it to watch the logs.  From my own
> research I have gathered that:
> 
> - tcpdumps from a host on the vendor side of constant ICMP traffic
> show that traffic is halted at 03:46AM (see logs below)
> - on my side, ipsec auto --status and /etc/init.d/ipsec status shows
> that the tunnels are up

That can happen if there is a network problem between the remote and your
sites. If the Cisco admin has enabled DPD, it recognizes this and tries to
renegotiate the tunnel, but if you don't enable DPD your tunnel seems to be
"up" while the other end has actually already dropped the tunnel and then
tries to renegotiate it.

I'd try to enable dpd.

dpddelay=60
dpdtimeout=240
dpdaction=hold

Try with these...

Another thing is that this conn uses aggressive mode. If this is a static
tunnel it could be configured with main mode, which is much more widely used
and so more stable than aggressive mode.

Aggressive mode is not needed for static lan to lan tunnels.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
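As an added illustration of the advice in the reply above (this is not configuration from the thread or from the Openswan project), here is a hypothetical Openswan ipsec.conf pair for a static site-to-site conn: the first stanza shows the weak setup (aggressive mode, no DPD) and the second the corrected one (main mode with the DPD values from the reply). All addresses, subnets and IDs are placeholders.

```ini
# Added example, not from the original thread. Addresses, subnets and
# IDs are placeholders for a static LAN-to-LAN tunnel to a vendor ASA.

# BEFORE: aggressive mode and no DPD. If the ASA side silently drops the
# tunnel, "ipsec auto --status" keeps reporting the SAs as up until they
# expire, while traffic stops passing.
conn vendor-asa-before
    type=tunnel
    authby=secret
    keyexchange=ike
    aggrmode=yes
    left=%defaultroute
    leftid=@openswan.example.invalid
    leftsubnet=10.1.0.0/24
    right=203.0.113.10
    rightsubnet=10.2.0.0/24
    auto=start

# AFTER: main mode (aggrmode=no is the default, made explicit here) plus
# DPD. dpddelay is the idle interval between R_U_THERE probes, dpdtimeout
# the silence after which the peer is declared dead, and dpdaction=hold
# keeps the policy in place so the tunnel is renegotiated on new traffic.
conn vendor-asa
    type=tunnel
    authby=secret
    keyexchange=ike
    aggrmode=no
    left=%defaultroute
    leftid=@openswan.example.invalid
    leftsubnet=10.1.0.0/24
    right=203.0.113.10
    rightsubnet=10.2.0.0/24
    dpddelay=60
    dpdtimeout=240
    dpdaction=hold
    auto=start
```

Openswan only runs DPD on a connection where both peers negotiated it during IKE, so the vendor-operated ASA also needs its IKE keepalive (DPD) enabled for these settings to take effect.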

