I have a situation with ONE partner/supplier using a Cisco ASA where the route-based tunnel between my SRX-240 and the ASA will not stay up for more than a few minutes at a time. I have examined the kmd log and cannot see the issue. I have no administrative access to the ASA.
- DPD is not on on either side.
- VPN monitor is not on on my side.
Data passes back and forth just fine while the tunnel is up. There is no issue with connectivity to their gateway.
The tunnel just seems to drop every few minutes, and then re-establish successfully and pass data for a while. Then the data passing back and forth stops. A minute or two later the tunnel re-establishes itself and data is flowing again. The log messages show the configs match, to the extent that the "ike debug enable xxx" shows in the kmd log.
I see a tiny handful (32) of anti-replay errors looking at ipsec statistics, so I don't think that is a big issue.
We have a number of other route-based tunnels on this equipment that do not exhibit this periodic dropping problem, some of which are also ASAs.
I have little experience with ASAs (and not a lot with the SRX), but I am stumped with this and am putting this out to the community for guidance.
Ideas?