We have two Cisco ASA's (5510 and 5520) and a site-to-site VPN between them for connecting two company office networks. I can connect from both ends to the other network. Two problems:
(1) Last week for some strange reason the NAT exemption rules obviously were lost on both firewalls:
access-list nonat extended permit ip object-group Office1 object- group Office2 nat (inside) 0 access-list nonat
The debug logfiles on our log servers don't show that these rules have been deleted and after every change I make a "write mem" to save the current config to the flash memory so that it will be availabe. Does sombody know why the hell it is possible that a rule can evaporate?
(2) Recently the firewall started to terminate Telnet/SSH sessions after just a few minutes. SSH says "Connection reset by peer" and the entry in the firewall logfile is:
Teardown TCP connection 779176 for outside:192.168.94.18/13701 to inside:192.168.5.22/30798 duration 0:01:31 bytes 18 Tunnel has been torn down
The TCP timeout settings of both firewalls are:
# show running-config timeout timeout xlate 3:00:00 timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip- disconnect 0:02:00 timeout uauth 0:05:00 absolute
I increased the idle timeout to 24 hours. The default was one hour and the users complained that SSH sessions close after an hour.
Does somebody have an idea what can be the cause of this problem? May it be a problem in the underlying internet provider and internet connection?
Thanks in advance.