I'm facing a strange issue in my lab environment (I have a L2L VPN between VPN300 Concentrator and c877 router). After getting the tunnel up and running, the rekeying succeeds 16 times, but the 17th time "tilts" the tunnel. According to "sh crypto engine connections active" and "sh crypto session" commands entered on router, the tunnel seemsto be OK, but no traffic traverses through the tunnel, (e.g. ping fails). The Concentrator log show this message: "Sending IKE Delete With Reason message: Maximum Configured SA Lifetime Exceeded."
I've tried to chance "crypto ipsec security-association lifetime seconds" value, but I still hit this issue as illustrated below.
When "crypto ipsec security-association lifetime seconds" value is set to:
-120, the connection tilts after a half an hour
-28800, the connection tilts after 5,33 days.
How can I change IKE sa lifetime value?Could this be some kind of counter issue? Has anyone come up against with similar issue?