Cisco ASA, VPN and Veritas Netbackup

Hi folks,

Recently we migrated our VPN connection of two office locations from "Sonicwall TZ170 Cisco VPN3000" to a new "Cisco ASA5510 Cisco ASA5520" site-to-site tunnel. The IKE/IPsec tunnels have been up for two weeks and the networks on both ends can reach each other.

At one location we have a Veritas Netbackup media server, which is also a backup client, and at the other there is the master server. Since the VPN migration we have been experiencing problems with backups that take a long time (about one hour or longer). It appears that the firewall somehow kills the TCP sessions. The backup client complains about broken networks, socket errors and timeouts waiting for database connections. I increased the default idle timeout on the ASA from 1 hour to 72 hours, but with no success. Idle telnet sessions now stay open, but the Netbackup stuff still has these network problems.

Any ideas what is causing the trouble? Here's the VPN config on both ASAs:

==CUT==
timeout xlate 3:00:00
timeout conn 72:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

group-policy adnvpn internal
group-policy adnvpn attributes
 vpn-simultaneous-logins 6
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable

crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set connection-type answer-only
crypto map outside_map 80 set peer 123.123.123.123
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set security-association lifetime seconds 86400
crypto map outside_map 80 set security-association lifetime kilobytes 2147483647

tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 general-attributes
 default-group-policy adnvpn
==CUT==

Thanks in advance.

Regards, Bernd

Bernd Nies
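
Added example (not part of the original post and not Cisco code): a small Python script that converts the timers in the configuration posted above to seconds and lists which of them are at or below the roughly one-hour mark at which the backups fail. The function names and the `ipsec-sa-lifetime` label are this example's own assumptions; the script only tabulates the posted values and does not identify a cause.

```python
import re

# Constructed sample: the timer-related lines copied from the configuration posted above.
CONFIG = """\
timeout xlate 3:00:00
timeout conn 72:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
crypto map outside_map 80 set security-association lifetime seconds 86400
crypto map outside_map 80 set security-association lifetime kilobytes 2147483647
"""

HMS = re.compile(r"(\d+):(\d{2}):(\d{2})")  # ASA timer format h:mm:ss

def hms_to_seconds(value):
    """Convert an h:mm:ss string to seconds; the caller must pass a matching value."""
    h, m, s = map(int, HMS.fullmatch(value).groups())
    return h * 3600 + m * 60 + s

def parse_timers(config):
    """Return {name: seconds} for 'timeout' pairs and the IPsec SA time lifetime."""
    timers = {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["timeout"]:
            rest, i = tokens[1:], 0
            while i + 1 < len(rest):
                if HMS.fullmatch(rest[i + 1]):
                    timers[rest[i]] = hms_to_seconds(rest[i + 1])
                    i += 2
                else:
                    i += 1  # skip qualifiers such as 'absolute'
        elif "lifetime" in tokens and tokens[-2] == "seconds":
            timers["ipsec-sa-lifetime"] = int(tokens[-1])  # label is this example's own
    return timers

def at_or_below(timers, seconds):
    """Names of timers that expire at or before the given session age."""
    return sorted(name for name, value in timers.items() if value <= seconds)

if __name__ == "__main__":
    timers = parse_timers(CONFIG)
    for name, secs in sorted(timers.items(), key=lambda kv: kv[1]):
        print(f"{name:20s} {secs:>8d} s")
    print("at or below 1 hour:", at_or_below(timers, 3600))
```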