ASAs and crypto expiration
SteveThing
Hello,
This isn't a lab problem, but a real-world issue. I've got three ASA 5520s where one is the central peer (Hub) and the other two are my distant ends (Spokes). About once every 6-7 months the Hub and spokes will encounter an issue where they all rekey at the exact same time and get stuck in an MM_WAIT_MSG state until a clear crypto isakmp sa is applied on both ends. This is a problem since the spoke (distant end) is unreachable because it is stuck waiting on a rekey completion from the hub ASA.
Why does this happen and why hasn't Cisco addressed the issue with a timeout? Also, how can I go about resolving the issue?
Comments
burbankmarc
What ASA software are you running?
SteveThing
I'm not near the devices at the moment, but I believe it is 8.2.4 K8. Whichever is the more current FIPS approved IOS.