Asa5520 Isakmp Rekeying SA

joel.kriske
Level 1

When the ISAKMP SA rekeying takes place, does the ASA drop all current connections? Do the connections get dropped when the IPsec SA lifetime expires? And, one more, is there a standard design philosophy regarding the ISAKMP SA lifetime and the IPsec SA lifetime? Hope not too many ?'s for one post. Thanks.

5 Replies

Not applicable

I don't think that during ISAKMP SA rekeying the connections are dropped, but during IPsec SA lifetime expiry I think that connections are dropped. The following links may help you:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ike.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Thanks for the reply. I have both my ISAKMP and IPsec SAs set to time out at 43200. I don't know whether using the same time is good or bad yet. Anyway, I have been telnetted into these ASAs a lot since I put them in and have seen several rekeys. I have not seen any disconnects at all during the rekeys. The rekeys don't wait until the time is up either. They usually happen somewhere around 5000-6000 seconds left. Thanks again.

Joel,

The re-key should happen around 75% of the lifetime specified. So, if it is set to one hour, then at around 45 minutes...the re-key happens.

Also, during the re-key the connections should not be dropped.

deb cry isa 190

deb cry ipsec 190

Enable those debugs on the ASA, and you will be able to find out what is happening during this time.

I will be able to take a look at the debugs and let you know what is happening.

Cheers

Gilbert

Gilbert, I figured out the issue. Exceed opens several tcp connects. Using a sniffer I was able to see where the Exceed idle tcp connects were getting dropped by the Asa and that would in turn take down the active tcp connect. I since extended the tcp idle timeout and the drops stopped. Working with TAC I received a Modular Policy Framework resolution to set tcp idle timeouts for individual tcp connects (vs the global timeout). Thanks for the assistance!

Joel,

Glad to know!! :)

Sharing your MPF in this case would help out others as well. :) Just a thought!!

Gilbert
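The kind of MPF configuration Joel describes, as an added example and not his actual config: a per-flow TCP idle timeout for the Exceed sessions only, leaving the global `timeout conn` value alone. Hostnames, addresses, the X11 port range and the timeout value are assumptions, and the syntax is ASA 8.x (7.x used `set connection timeout tcp` in place of `set connection timeout idle`).

```cisco
! Added example (not Joel's configuration). Addresses, ports and the
! 24-hour value below are assumptions; adjust to the real hosts.
!
! 1. Identify the long-lived Exceed (X11) sessions between the Unix
!    application host and the PC running the Exceed X server.
access-list EXCEED_IDLE extended permit tcp host 10.2.2.20 host 10.1.1.50 range 6000 6063
access-list EXCEED_IDLE extended permit tcp host 10.1.1.50 host 10.2.2.20 range 6000 6063
!
! 2. Classify that traffic.
class-map EXCEED_IDLE_CLASS
 match access-list EXCEED_IDLE
!
! 3. Give only this class a longer idle timeout (24 hours here).
!    Every other TCP connection keeps the global "timeout conn" value.
policy-map global_policy
 class EXCEED_IDLE_CLASS
  set connection timeout idle 24:00:00
!
! 4. global_policy is normally already applied on an ASA; if not:
service-policy global_policy global
!
! Verify which policy a given flow matches, then watch the idle timer:
!   show service-policy flow tcp host 10.2.2.20 host 10.1.1.50 eq 6000
!   show conn detail
```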
