ASAs and crypto expiration

SteveThing Member Posts: 42
Hello,

This isn't a lab problem, but a real-world issue. I've got three ASA 5520s where one is the central peer (Hub) and the other two are my distant ends (Spokes). About once every 6-7 months the Hub and spokes will encounter an issue where they all rekey at the exact same time and get stuck in an MM_WAIT_MSG state until a clear crypto isakmp sa is applied on both ends. This is a problem since the spoke (distant end) is unreachable because it is stuck waiting on a rekey completion from the hub ASA.

Why does this happen and why hasn't Cisco addressed the issue with a timeout? Also, how can I go about resolving the issue?
CompTIA: Net+, Sec+
Aruba: ACMA, ACMP
Air Force:
2E251, 3D152, Fiber Installation Expert, Certified Cryptographic Network Professional, and a couple hundred useless certs on nothing important in real life (aka, Tree Killing+)

Comments

  • burbankmarc Member Posts: 460
    What ASA software are you running?
  • SteveThing Member Posts: 42
    I'm not near the devices at the moment, but I believe it is 8.2.4 K8. Whichever is the more current FIPS approved IOS.