Problem with Site-to-Site VPN. VPN tunnel is broken but can ping

Similar Questions

• VPN tunnel is up but cannot ping LAN stations

  Hello

  I'm trying to set up easy vpn server on cisco 881/k9 router.

  Using the version of cisco vpn client 5.0, I can connect to the vpn server.

  Can get the IP address of the LAN subnet on the vpn client.

  On the side of vpn, I can see the vpn session using isakmp crypto #show her

  But I can't ping from client vpn to any LAN station.

  Someone please check my setup and find out.

  This is my first time setting on the router cisco VPN.

  Building configuration...

  Current configuration: 5938 bytes
  !
  ! Last configuration change at 01:38:31 UTC Thursday, April 21, 2011 by evantage
  !
  version 15.0
  no service button
  tcp KeepAlive-component snap-in service
  a tcp-KeepAlive-quick service
  horodateurs service debug datetime localtime show-timezone msec
  Log service timestamps datetime localtime show-timezone msec
  encryption password service
  sequence numbers service
  !
  hostname FarEastP
  !
  boot-start-marker
  boot-end-marker
  !
  logging buffered 51200
  recording console critical
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login ciscocp_vpn_xauth_ml_1 local
  AAA authorization exec default local
  AAA authorization ciscocp_vpn_group_ml_1 LAN
  !
  !
  !
  !
  !
  AAA - the id of the joint session
  iomem 10 memory size
  !
  Crypto pki trustpoint TP-self-signed-3333835941
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 3333835941
  revocation checking no
  rsakeypair TP-self-signed-3333835941
  !
  !
  TP-self-signed-3333835941 crypto pki certificate chain
  certificate self-signed 01
  30820240 308201A 9 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 33333333 38333539 6174652D 3431301E 170 3131 30343230 31363434
  30355A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 33 33333338 65642D
  33353934 3130819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  810094A 1 7C2D79CE A6BEE368 3EB0B5B7 9A2CFE42 6A 145915 E67EF01D 350558E3
  040B 6379 E6360CB3 4 D 0360DA61 184225 AAB44CA5 6BE23D05 55DAA45A 4647 5 FEB
  6F143346 6BF18824 EFC3A31F 2A48AD8D 524F2324 EB331E50 8407577F E751DFF2
  DD926D88 25 23143 11 C 66750 68267 C 61 C38B62C4 3B16E5AE AC91B2F8 ABA3546D
  02 30203 010001A 3 68306630 1 130101 FF040530 030101FF 30130603 0F060355 D
  551D 1104 08466172 45617374 50301F06 23 04183016 8014E95E 03551D 0C300A82
  66B6A8C2 CF1BD38F 684FD4DF C3854AEB ACA7301D 0603551D 0E041604 14E95E66
  B6A8C2CF 1BD38F68 4FD4DFC3 854AEBAC A7300D06 092 HAS 8648 86F70D01 01040500
  03818100 05803840 EFBF9A3B F4D64899 8E03C836 34861307 57193CC5 DA510446
  E4081D1A 2CF243BF 41AC9F36 83DAE9DB 9480F154 7CF792A5 76C1452C EEFD8661
  8443DC4C 8E507A8F B2ECCAEB CDE26E41 E477E290 79AE5D72 FD81057C B5DCE1C2
  36E0F740 65108014 A8992360 92F0423D E14F9240 1D162BC3 EFBB75A2 9E64ABC6 D76BE894
  quit smoking
  no ip source route
  !
  !
  DHCP excluded-address 192.168.1.1 IP 192.168.1.100
  DHCP excluded-address IP 192.168.1.201 192.168.1.254
  !
  dhcp pool IP CCP-pool1
  network 192.168.1.0 255.255.255.0
  domain FarEastP
  default router 192.168.1.1
  DNS-server 192.168.1.2 165.21.83.88
  !
  !
  no ip cef
  no ip domain search
  name-server IP 192.168.1.2
  name of the IP-server 165.21.83.88
  No ipv6 cef
  !
  !
  license udi pid CISCO881-K9 sn FHK142971LH
  !
  !
  username admin privilege 15 secret 5 $1$ W2eu$ lr. TpEfJuOE1iKQjFPHIT /.
  username privilege 15 secret 5 evantage P602 $1$$ 8TeJh5.SCHsY2TGd0.TnD1
  username privilege 5 secret 5 sshukla $1$ oflM$ cHZdlpLdWr.nn1UwiCEs7.
  username privilege 5 secret 5 rtandon $1$ yGAU$ BxJ6eQqG32WeI2gI4BDWh1
  sagrawal privilege 5 secret 5 username $1$ $1Kkz E6NOTt9LCXiGTarAxrc/i1
  username secret privilege 5 asarie $5 1. CVw $0ohz3WtLqU8USiMBqxIjA.
  username secret privilege 5 rbiyani 5 $1$ KkY / $02lEPCahuIpzoQcXln2yD.
  username privilege 5 secret 5 clovejoy $1$ WMbu$ t.er4RPRTnYNNwwkVGMuX.
  username privilege 5 secret 5 Lakshmi $1$ ZMC4$ Sjlcmcw2uvhzU9bwEw1Us.
  username privilege 5 secret 5 benmansour yPMa $1$$ I.q.7NW2uQo0s5FTHkxZM1
  username secret privilege 5 usha 5 $1$ bX1I$ X6X4eSSeq48k0Kq8Qt7Rn.
  username privilege 5 secret 5 aditya $1$ w2Vt$ HOz81M2UfLeni.PNUX2aJ.
  !
  !
  synwait-time of tcp IP 10
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 10
  !
  ISAKMP crypto group configuration of VPN client
  TP!zlflN\2\4go,xtP+xFapuWlKDvr#dVrS6L4TF5NJl2GXugUgv%LfQ+!drgUK key
  DNS 192.168.1.2 165.21.83.88
  fareastp field
  pool SDM_POOL_1
  ACL 101
  max - 20 users
  netmask 255.255.255.0
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  crypto dynamic-map DYNVPN 1
  game of transformation-ESP-3DES-SHA
  !
  !
  map clientmap client to authenticate crypto list ciscocp_vpn_xauth_ml_1
  card crypto clientmap isakmp authorization list ciscocp_vpn_group_ml_1
  client configuration address map clientmap crypto answer
  clientmap card crypto 65535-isakmp dynamic ipsec DYNVPN
  !
  !
  !
  !
  !
  interface Loopback0
  no ip address
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface FastEthernet4
  WAN description $ ES_WAN$
  IP 119.75.60.170 255.255.255.252
  penetration of the IP stream
  NAT outside IP
  IP virtual-reassembly
  automatic duplex
  automatic speed
  clientmap card crypto
  !
  interface Vlan1
  LAN description
  IP 116.12.248.81 255.255.255.240 secondary
  IP 192.168.1.1 255.255.255.0
  penetration of the IP stream
  IP nat inside
  IP virtual-reassembly
  !
  local IP SDM_POOL_1 192.168.1.201 pool 192.168.1.254
  local IP POOL_2 10.10.1.2 pool 10.10.1.200
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  !
  IP nat inside source static tcp 192.168.1.2 1723 1723 interface FastEthernet4
  IP nat inside source static tcp 192.168.1.4 5003 interface FastEthernet4 5003
  IP nat inside source static tcp 192.168.1.4 16000 16000 FastEthernet4 interface
  IP nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
  overload of IP nat inside source list 111 interface FastEthernet4
  IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
  IP route 0.0.0.0 0.0.0.0 119.75.60.169
  !
  recording of debug trap
  access-list 101 permit ip 192.168.1.0 0.0.0.255 any
  !
  !
  !
  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  !
  control plan
  !
  !
  Line con 0
  no activation of the modem
  line to 0
  line vty 0 4
  transport input telnet ssh
  !
  max-task-time 5000 Planner
  Scheduler allocate 4000 1000
  Scheduler interval 500
  end

  The VPN pool assigned to the VPN client must be in another unique subnet as internal networks.

  Please also post all your ACL to see if NAT and crypto ACL has been set up correctly.

  Your NAT ACL must include "deny ip" above all permit declarations.

• VPN tunnel look up but no ping

  Hello

  I got a pix that had two tunnels of work will a 5510 and a single 5520. Today the tunnel VPN to our 5520 has stopped working but if I sh shout to isa its two tunnels were QM_IDLE for the State. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the side of pix.

  I'm looking for commands or something to try that might help...

  This ACL line overlaps Cryptography real ACL 'Outside_cryptomap_20 '.

  Outside_cryptomap_10 list extended access permits ip data center-Interior - 255.255.254.0 AC office network 255.255.255.0

  Please please delete above the line, then disable all tunnels so he renegotiates the SA correct.

• SA520w routing through site-to-site VPN tunnels

  I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.

  A - the site 10.10.0.0/24

  Site B - 10.0.0.0/24

  Site of the C - 10.25.0.0/24

  Any help is greatly appreciated.

  So, that's what you have configured correctly?

  RTR_A

  ||

  _____________ || ___________

  ||                                            ||

  RTR_B                                RTR_C

  Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.

  Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

  I hope this helps.

• Using the same set processing on several site to site VPN tunnels

  Hi all. I have a rather strange situation about site-to-site VPN tunnel.

  On the one hand, I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.

  The problem is that on the side of the PIX, I can't establish a tunnel, but when the traffic starts on the side of the ASA the tunnel established as usual.

  I checked the configurations on both ends and keys, passwords, mirror that LCD seems OK. The only thing that comes to my attention, it's that I have the same set of transformation used for 2 different tunnel on the side of PIX.

  Can I use the same set of transformation on several tunnels or should I set a different transformation for each tunnel? Could be the source of the problem?

  Use it on PIX

  card crypto set pfs group2

  Or on ASA, use:

  card crypto set pfs Group1

• SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

  Hi all.

  I really need help on this one.

  The office 1 installer running SBS2008 Office 2 running Server 2008.

  Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

  Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

  Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

  Each firm has its own DNS server and acts as a domain controller

  How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

  Is it so simple that the addition of another pool internal IP for each DNS server?

  Thanks in advance for your help.

  Hello

  Your Question is beyond the scope of this community.

  I suggest that repost you your question in the Forums of SBS.

  https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

  "Windows Small Business Server 2011 Essentials online help"

  https://msdn.Microsoft.com/en-us/library/home-client.aspx

  TechNet Server forums.

  http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

  See you soon.

• Keep Site to Site VPN Tunnel active for monitoring

  Hi all

  I have a configured site-to-site VPN tunnel only happen when the traffic generated from the remote peer. is it possible to keep the still active tunnel once after the tunnel is established.

  My requirement is to monitor VPN to see availability, so need to ping one of the natd(8) ip on the remote end, but it will come only when the traffic generated end peer.  currently the timers of default on SA is configured

  Help, please...

  Thank you

  Mikael

  TARGET_GP group policy attributes

  VPN-idle-timeout no

• Cisco vpn client to connect but can not access to the internal network

  Hi all

  I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network

  Any help would be much appreciated.

  Hi Samir,

  I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

  (The link above includes split tunneling, but this is just an option.

  Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.

  Let me know if this can help,

  See you soon,.

  Christian V

• I keep having a problem with this error message. Firefox is already running but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system. I've tried everything.

  I keep having a problem with this error message. Firefox is already running but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system. I tried everything the internet suggested but it continues to wreak havoc... Help, please... John.I cannot give other details that it has become very annoying

  See "hang out":

  • http://KB.mozillazine.org/Firefox_hangs
  • Firefox crashes or does not - how to fix

• I use LR CC on MAC OS-problem with removal of Spot, it is note all points but does not change things?

  I use LR CC on MAC OS-problem with removal of Spot, it is note all points but does not change things?

  Hi bakhytz,

  Could you please check if the opacity is set to the maximum value and feather is set to a lower value in your spotting tool parameters.

• Problems with site-to-site vpn

  Hello world

  I recently received the mission assigned to the site to site vpn configuration and this is my first time. I'm trying to set up a vpn with pix 501 but short questions site. I managed to get that below, but I'm stuck now and do not know what could be the problem. Here's the debug output.

  Any help is greatly appreciated on what could be the potential problem.

  -AK

  ISAKMP (0:0): sending of NAT - T vendor ID - rev 2 & 3
  ISAKMP (0): early changes of Main Mode
  crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
  Exchange OAK_MM
  ISAKMP (0): treatment ITS payload. Message ID = 0

  ISAKMP (0): audit ISAKMP transform 1 against 20 priority policy
  ISAKMP: 3DES-CBC encryption
  ISAKMP: hash SHA
  ISAKMP: default group 2
  ISAKMP: preshared auth
  ISAKMP: type of life in seconds
  ISAKMP: duration of life (basic) of 28800
  ISAKMP (0): atts are acceptable. Next payload is 0
  ISAKMP (0): load useful treatment vendor id

  ISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

  to return to the State is IKMP_NO_ERROR
  crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
  00
  Exchange OAK_MM
  ISAKMP (0): processing KE payload. Message ID = 0

  ISAKMP (0): processing NONCE payload. Message ID = 0

  ISAKMP (0): load useful treatment vendor id

  ISAKMP (0): load useful treatment vendor id

  ISAKMP (0): provider v6 code received xauth

  ISAKMP (0): load useful treatment vendor id

  ISAKMP (0): addressing another box of IOS!

  ISAKMP (0): load useful treatment vendor id

  ISAKMP (0): addressing a VPN3000 concentrator

  ISAKMP (0): ID payload
  next payload: 8
  type: 1
  Protocol: 17
  Port: 0
  Length: 8
  ISAKMP (0): the total payload length: 12
  to return to the State is IKMP_NO_ERROR
  crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
  00
  Exchange OAK_MM
  ISAKMP (0): processing ID payload. Message ID = 0
  ISAKMP (0): HASH payload processing. Message ID = 0
  ISAKMP (0): keep treatment alive: proposal = 32767/32767 sec., real = 3276/2 sec.

  ISAKMP (0): load useful treatment vendor id

  ISAKMP (0): Peer Remote supports dead peer detection

  ISAKMP (0): SA has been authenticated.

  ISAKMP (0): start Quick Mode changes, 413131006:189fe0feIPSEC (key_e M - ID
  (Display): had an event of the queue...
  IPSec (spi_response): spi 0x3e9451fa graduation (1049907706) for SA
  from 208.249.117.203 to 70.91.20.245 for prot 3

  to return to the State is IKMP_NO_ERROR
  ISAKMP (0): send to notify INITIAL_CONTACT
  ISAKMP (0): sending message 24578 NOTIFY 1 protocol
  Peer VPN: ISAKMP: approved new addition: ip:208.249.117.203/500 Total VPN peer: 1
  Peer VPN: ISAKMP: ip:208.249.117.203/500 Ref cnt is incremented to peers: 1 Total VPN
  Peers: 1
  crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
  00
  ISAKMP (0): processing DELETE payload. Message ID = 3425658127, spi size = 16
  ISAKMP (0): delete SA: src 70.91.20.245 dst 208.249.117.203
  to return to the State is IKMP_NO_ERR_NO_TRANS
  ISADB: Reaper checking HIS 0xac149c, id_conn = 0 DELETE IT!

  Peer VPN: ISAKMP: ip:208.249.117.203/500 Ref cnt decremented to peers: 0 Total VPN
  Peers: 1
  Peer VPN: ISAKMP: deleted peer: ip:208.249.117.203/500 VPN peer Total: 0IPSEC (ke
  y_engine): got an event from the queue.
  IPSec (key_engine_delete_sas): rec would remove the ISAKMP notify
  IPSec (key_engine_delete_sas): remove all SAs shared with 208.249.117.203
  IPSec (key_engine): request timer shot: count = 2,.
  local (identity) = 70.91.20.245, distance = 208.249.117.203.
  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
  remote_proxy = 206.200.22.0/255.255.255.0/0/0 (type = 4)

  Hello

  Newspapers, I see you are using a VPN 3000 Concentrator as the remote vpn end point. Now, also of the debugs next section is interesting:

  local (identity) = 70.91.20.245, distance = 208.249.117.203.
  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
  remote_proxy = 206.200.22.0/255.255.255.0/0/0 (type = 4)

  -Looks like our traffic interesting PIX and the hub are not mirrors of each other, and does not. Can you please paste the PIX here cryptographic access lists, so that I can analyze the entries.

  -Also, please make sure that you have followed all the steps during the vpn configuration according to the following links:

  If your PIX is running at version 7.x and more: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml

  If your PIX is running version 6.3.x: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

  Once you check the config on PIX and concentrator, please provide me with the output of "sh cry isa his" and "sh cry ipsec his ' of the PIX. With this release, we can continue to troubleshoot if there is more questions.

  Let me know if this can help,

  See you soon,.

  Christian V

• Problems with site-to-site vpn with of the asa 2

  I tried different ways so that this works, but failed. After 8 hours, I literally have a bad headache and have to step away for a minute.  I realize I need to ping between the tunnels mentioned, but still can not to. can someone take a look and tell me where I have gone wrong?  Im trying to configure a site to site vpn between:

  ASA_A

  external interface 5.179.17.66

  inside the interface 10.1.1.1

  ASA B

  external interface 5.81.57.19

  inside the 10.1.2.1 interface

  Frist why do you have two DGs on box -

  Route outside 0.0.0.0 0.0.0.0 5.179.121.65 1

  Route outside 0.0.0.0 0.0.0.0 5.179.17.65 1

  Attach the two end then it should work.

  Thank you

  Ajay

• Unable to pass traffic between ASA Site to Site VPN Tunnel

  Hello

  I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

  I've also attached the ASA5505 config and the ASA5510.

  This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

  Thank you

  Adam

  Hello

  Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

   access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.* 

  Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

  So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

  I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

  THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

  -Jouni

• Site to Site VPN tunnel between two ASA

  I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.

  Thank you

  Carlos

  Hello

  First, I would like to say that I don't personally use ASDM for the configuration.

  But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.

  I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface

  If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.

  -Jouni

• disconnecting from site-to-site vpn tunnel

  Dear Cisco

  I use the Cisco ASA 5505 5 builed VPN site to site.

  B, C, D, E of the site all site-to-site VPN A with only IPSEC IKEv2 configurartion site.

  Reading the Site an ASDM.  Monitoring VPN can always read all four sites are connected.  But I found that Site D and E during connection reset periodically with a few hours.

  (1) I would like to know the connection during the reset time is normal or not?

  (2) any installation or configuration can refine the site to site VPN.  Make VPN tunnel more stable?

  (3) any menthod can monitor VPN site-to-site is health or not?

  Thank you very much for your help

  Alan.

  A. in general, the time is set to 86400 for expiration. It can also be defined by the amount of traffic

  (B) Yes. Try turning on KeepAlive IKE

  C. check the logs is as far as I know of

  This is a good doc on VPN

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml