
Troubleshooting VPN drops between 871 client and 2811

cclarkacs
Level 1

My small company uses a 2811 ISR for VPN services (among other tasks such as internet access, p2p circuits to a second site, etc). I have a couple of remote users that have 871 routers that have occasional problems with their routers dropping their VPN tunnels to the 2811. I'm not really sure where to start with the troubleshooting. There are other clients (such as my own 871W) that seem to maintain a connection for weeks. These remote routers that do drop the connection usually reconnect at their next schedule attempt (180 seconds or so.)

Most of the previous questions I've seen similar to this involve software clients but these are hardware routers as the clients and as such I'm not sure how to enable or retrieve logs for the VPN sessions.

8 Replies

singhsaju
Level 4

Hi Cameron,

Make sure the lifetime for phase 1 > lifetime for phase 2 for these tunnels, because IPsec SAs are built inside the ISAKMP SA.

Usually the lifetime for phase 1 SA is 86400 seconds and phase 2 is 3600 seconds.

Can you verify this?

HTH

Saju

Pls rate helpful posts

Saju,

On the 2811 config there does not appear to be any ipsec or isakmp lifetime statements, so I think it would be using the default values for phases 1 and 2?

Is there a way to get the router to output the configured lifetimes?

"show crypto isakmp policy" and "show crypto ipsec sa" can show you the lifetime.

As expected, the ISAKMP lifetime is 86400, but for IPsec it merely reports how much time is left in the current SA.

For example:

router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 3
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

router#show crypto ipsec sa

interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr 209.XXX.XXX.82

   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 75.XXX.XXX.179 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 681527, #pkts encrypt: 681527, #pkts digest: 681527
    #pkts decaps: 670316, #pkts decrypt: 670316, #pkts verify: 670316
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 209.XXX.XXX.82, remote crypto endpt.: 75.XXX.XXX.179
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xF0C2D65C(4039300700)

     inbound esp sas:
      spi: 0x2A7171E4(712077796)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 4093, flow_id: NETGX:2093, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4577435/1047)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF0C2D65C(4039300700)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 4094, flow_id: NETGX:2094, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4572865/1027)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
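An added example, not code from the thread or from Cisco: a small Python checker that parses trimmed copies of the two show outputs above and applies the rule from the earlier reply (phase 1 lifetime must exceed phase 2). Because "show crypto ipsec sa" only reports the remaining lifetime, the configured phase 2 value is an assumption here, taken as the IOS default of 3600 seconds since the config has no lifetime statement; the SA samples are constructed from the posted output.

```python
import re

# Constructed sample, trimmed from the "show crypto isakmp policy" output in the thread.
ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 3
        encryption algorithm:   Three key triple DES
        authentication method:  Pre-Shared Key
        lifetime:               86400 seconds, no volume limit
"""

# Constructed sample, trimmed from the "show crypto ipsec sa" output in the thread.
IPSEC_SA = """\
     inbound esp sas:
      spi: 0x2A7171E4(712077796)
        sa timing: remaining key lifetime (k/sec): (4577435/1047)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xF0C2D65C(4039300700)
        sa timing: remaining key lifetime (k/sec): (4572865/1027)
        Status: ACTIVE
"""

# Assumed phase 2 lifetime: the IOS default when no ipsec security-association lifetime is set.
DEFAULT_IPSEC_LIFETIME_SEC = 3600

def isakmp_lifetimes(text):
    """Phase 1 lifetime in seconds for every IKE policy listed in the output."""
    return [int(s) for s in re.findall(r"lifetime:\s+(\d+) seconds", text)]

def ipsec_sa_timings(text):
    """(spi, remaining_kb, remaining_sec) for each ESP SA; the output only shows what is left."""
    pat = re.compile(r"spi: (0x[0-9A-Fa-f]+).*?remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", re.S)
    return [(spi, int(kb), int(sec)) for spi, kb, sec in pat.findall(text)]

def check_lifetimes(policy_text, sa_text, ipsec_lifetime=DEFAULT_IPSEC_LIFETIME_SEC):
    """Apply the rule from the thread: every phase 1 lifetime must exceed the phase 2 lifetime.

    Also flags an SA whose remaining time exceeds the assumed phase 2 lifetime, which means the
    router is not using the assumed value and the assumption must be corrected first.
    """
    findings = []
    for p1 in isakmp_lifetimes(policy_text):
        if p1 <= ipsec_lifetime:
            findings.append(f"phase 1 lifetime {p1}s is not greater than phase 2 lifetime {ipsec_lifetime}s")
    for spi, _kb, sec in ipsec_sa_timings(sa_text):
        if sec > ipsec_lifetime:
            findings.append(f"SA {spi}: {sec}s remaining exceeds assumed phase 2 lifetime {ipsec_lifetime}s")
    return findings
```

Feed it the full output of both commands from a terminal capture; an empty findings list means the lifetimes are ordered the way the reply recommends.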

So phase 1 is 86400 seconds and phase 2 is 3600 seconds. That's OK.

You can also consider enabling ISAKMP keepalives between VPN nodes.

Is that something that should be configured only on the server or also on the clients?

Hi Cameron,

On both sides, server as well as clients.

crypto isakmp keepalive seconds [retries] [periodic | on-demand]

example: crypto isakmp keepalive 20

From the link below:

crypto isakmp keepalive

To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode.

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_c2gt.html#wp1199835

HTH

Saju

Pls rate helpful posts

I had inserted a similar statement yesterday on the server:

crypto isakmp keepalive 10 periodic

Should I set it to 20 sec instead of 10?

Anyway... where else can we look for the problem? The drops do not seem to occur at regular intervals; it's somewhat random, and for that reason I didn't suspect SA reconnection to be the culprit. And, as I mentioned, one of the clients (the router in my home office) doesn't seem to be dropped very often, if at all.

However, I have now gone ahead and set the keepalive 20 on the remote routers.

So... what next?