Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
0
Helpful
2
Replies

VPN3000/c877 problems with rekeying

preinist
Level 1
Level 1

‎08-03-2007 03:58 AM - edited ‎03-09-2019 06:31 PM

Hi,

I'm facing a strange issue in my lab environment (I have a L2L VPN between VPN300 Concentrator and c877 router). After getting the tunnel up and running, the rekeying succeeds 16 times, but the 17th time "tilts" the tunnel. According to "sh crypto engine connections active" and "sh crypto session" commands entered on router, the tunnel seemsto be OK, but no traffic traverses through the tunnel, (e.g. ping fails). The Concentrator log show this message: "Sending IKE Delete With Reason message: Maximum Configured SA Lifetime Exceeded."

I've tried to chance "crypto ipsec security-association lifetime seconds" value, but I still hit this issue as illustrated below.

When "crypto ipsec security-association lifetime seconds" value is set to:

-120, the connection tilts after a half an hour

-28800, the connection tilts after 5,33 days.

How can I change IKE sa lifetime value?Could this be some kind of counter issue? Has anyone come up against with similar issue?

Thanks,

Pete

Labels:
0 Helpful
2 Replies 2

sbilgi
Level 5
Level 5

‎08-09-2007 10:06 AM

All the SAs in every tunnel have a Maximum Lifetime. A little bit before this Lifetime is reached a new SA is created for it to be used after the old one expires. This was designed for security reasons. I think changing the lifetime setting on the peers to use 28800 seconds will ensure that your VPN tunnels stay up much longer. Also if your IPSEC peers support ISAKMP keepalives it would be a good idea to enable them.

0 Helpful

preinist
Level 1
Level 1
In response to sbilgi

‎08-21-2007 01:54 AM

The lifetime value of 28800 is the one we've used (uptime 5.3 days), I just tested the value of 120 to see if the tunnel tils regularly after 16xlifetime has passed. And it did fail after half an hour (matches with 16x120sec).

I'll have to check if the IPSEC peers have support for ISAKMP keepalives. Thanks for you advise...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents