ASA 7.2(1) L2L VPN Issues

Unanswered Question
Apr 24th, 2007

Hi All,

I am having some problems with several of my L2L tunnels on ASA5550s. Whenever I initiate the tunnel by ssh'ing to a host on the remote site, I get 'Connection closed by foreign host' immediately after. I ran a debug cry isa 127 and debug cry ips 127 on the remote ASA5550 and saw the following: "Sending IPSec Delete With Reason message: Maximum Configured SA Lifetime Exceeded."

Any ideas would be greatly appreciated.

--Jose

sadbulali Mon, 04/30/2007 - 11:29

All the SAs in every tunnel have a maximum lifetime. A little before this lifetime is reached, a new SA is created, to be used after the old one expires. This was designed for security reasons. Changing the lifetime setting on the peers to some higher value in seconds may help; this will ensure that your VPN tunnels stay up much longer. Also, if your IPsec peers support ISAKMP keepalives, it would be a good idea to enable them.
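As an added illustration of the settings described in the reply above (not part of the original thread, and not Jose's or sadbulali's configuration), the following ASA 7.2 CLI fragment shows an unusually short IPsec SA lifetime beside a typical value, and enables ISAKMP keepalives (DPD) on the tunnel-group for the peer. The peer address 203.0.113.10, the crypto map name outside_map and the lifetime values are constructed; the ASA defaults are 86400 seconds for the ISAKMP SA and 28800 seconds / 4608000 kilobytes for the IPsec SA.

```text
! Constructed example: a very short IPsec SA lifetime forces a rekey every two minutes
crypto ipsec security-association lifetime seconds 120

! Corrected: a typical lifetime (the ASA default is 28800 seconds / 4608000 kilobytes)
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

! A per-map lifetime overrides the global one; check the map entry for this peer too
crypto map outside_map 10 set security-association lifetime seconds 28800

! Phase 1 (ISAKMP) lifetime in ASA 7.2 syntax; the default is 86400 seconds
isakmp policy 10 lifetime 86400

! ISAKMP keepalives (DPD) for the L2L peer: probe after 10 s idle, retry every 2 s
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! Verify after the change: negotiated lifetimes and time remaining per SA
show crypto isakmp sa
show crypto ipsec sa
```

Both peers should agree on the lifetimes; the smaller value offered wins during negotiation, so raising it on one side only has no effect. In the `show crypto ipsec sa` output, the `sa timing: remaining key lifetime (kB/sec)` line shows how long the current SA has left, which is the quickest way to confirm the new values took effect.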
