PIX 515E with release 7.1. I have a LAN-to-LAN VPN (3DES-MD5). It works perfectly, but if I have a disconnect by timeout or shutdown from the other side, sometimes I see that in the VPN tunnel the TX bytes is in
Meanwhile I can see the RX counters incrementing.
The tunnel is perfectly established; phase 1 and phase 2 without errors or warnings.
But in ASDM, while monitoring the VPN, the TX bytes stay at 0 and the RX increments OK.
Does "show crypto ipsec sa" report two active SAs?
The data channels of IPSec are one-way, that's why there are at least two. If the receiver side forgets the SA, the received data is silently dropped (as required by the standard). There is no way to determine this loss of data other than looking at the SAs on both sides.
Usually this effect does not occur, because the control channel (phase 1) is used to inform the other side about the drop of any SA. Unfortunately, the control channel is vulnerable to loss of packets ...