I have problems with IPsec tunnels on a PIX 525 running 7.0. For some time everything is OK, and then the tunnels are messed up. When I go to Monitor, then VPN, and look at the list of LAN-to-LAN tunnels, I can see that rx bytes is incrementing as the remote location is sending data, but tx is zero. Only a firewall restart helps. Any ideas? I've tried everything: changing from dynamic map to static, I've tried upgrades, and now I am on 7.0(2). Here is part of the config; I am using 3600 sec timeouts on the peer side.
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.88 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.72 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.24 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.32 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.c.216 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.16 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.24 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.64 255.255.255.248
access-list intf2_x.x.ccryptomap_dyn_1000 extended permit ip any x.x.b.80 255.255.255.248
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 3
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
vpn-sessiondb max-session-limit 200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map intf2_vip_cdyn_map 1000 match address intf2_vip_ccryptomap_dyn_1000
crypto dynamic-map intf2_vip_cdyn_map 1000 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto dynamic-map intf2_vip_cdyn_map 1000 set security-association lifetime kilobytes 2147483647
crypto dynamic-map intf2_vip_cdyn_map 1000 set nat-t-disable
crypto map intf2_vip_cmap 65535 ipsec-isakmp dynamic intf2_vip_cdyn_map
crypto map intf2_vip_cmap interface intf2_vip
isakmp enable intf2_vip
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp disconnect-notify
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point kevin.erste.hr
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point kevin.erste.hr
tunnel-group x.x.251.1 type ipsec-l2l
tunnel-group x.x.251.1 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.251.2 type ipsec-l2l
tunnel-group x.x.251.2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.251.3 type ipsec-l2l
tunnel-group x.x.251.3 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.251.4 type ipsec-l2l
tunnel-group x.x.251.4 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.251.5 type ipsec-l2l
tunnel-group x.x.251.5 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.1 type ipsec-l2l
tunnel-group x.x.250.1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.2 type ipsec-l2l
tunnel-group x.x.250.2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.3 type ipsec-l2l
tunnel-group x.x.250.3 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.4 type ipsec-l2l
tunnel-group x.x.250.4 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.6 type ipsec-l2l
tunnel-group x.x.250.6 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.7 type ipsec-l2l
tunnel-group x.x.250.7 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.8 type ipsec-l2l
tunnel-group x.x.250.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.9 type ipsec-l2l
tunnel-group x.x.250.9 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.10 type ipsec-l2l
tunnel-group x.x.250.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.11 type ipsec-l2l
tunnel-group x.x.250.11 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.12 type ipsec-l2l
tunnel-group x.x.250.12 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.13 type ipsec-l2l
tunnel-group x.x.250.13 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.14 type ipsec-l2l
tunnel-group x.x.250.14 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group x.x.250.15 type ipsec-l2l
tunnel-group x.x.250.15 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable