SA time lifetime resets VPN tunnel between ASA and Juniper Netscreen

Unanswered Question
Jan 16th, 2009

I have a L2L VPN tunnel from our ASA to a customer's Juniper Netscreen. The tunnel is up but whenever the SA time lifetime is reached, the tunnel resets itself (it drops the tunnel). It is able to re-establish itself automatically, but the customer is alerted by their monitoring processes whenever this happens.

The tunnel should remain on even when the SA lifetime is reached - especially since it is able to re-establish it. I've searched these forums and haven't seen a problem like this. We're running Cisco Adaptive Security Appliance Software Version 7.0(7).

We used to use VPN Concentrators but we have switched to ASA and I'm not that familiar so if someone has some troubleshooting steps, I'd appreciate it.

htarra Thu, 01/22/2009 - 13:43

We are receiving "Initial-Contact" Notifications at the 8 hour expiration of the lifetime value. This is why the sessions get dropped. This is not the normal Phase1 re-key process. On a normal Phase1 re-key, sessions will be maintained.

This is not seen on Netscreen to Netscreen VPN tunnels; nor is it seen on our tunnels to Cisco PIX firewalls at other locations.
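
Added example, not part of the original thread and not code from either vendor: in IKEv1 the INITIAL-CONTACT notify (IPsec DOI type 24578, RFC 2407) tells the receiver this is the sender's first SA with it, so the receiver may delete the SAs it already holds for that peer. The sketch below parses an ISAKMP Notification payload (RFC 2408 layout) and flags an INITIAL-CONTACT that arrives from a peer which already has live SAs, which is the case described in the post above. The peer addresses, the `live_peers` set and the sample payloads are constructed for illustration.

```python
import struct

IPSEC_DOI = 1            # DOI value for IPsec (RFC 2407)
INITIAL_CONTACT = 24578  # IPsec DOI notify message type (RFC 2407)
# Fixed part of a Notification payload (RFC 2408, section 3.14):
# next payload, reserved, payload length, DOI, protocol-ID, SPI size, notify type
HDR = struct.Struct("!BBHIBBH")

def parse_notify(payload):
    """Parse one ISAKMP Notification payload; raise ValueError if malformed."""
    if len(payload) < HDR.size:
        raise ValueError("truncated notification payload")
    _next, _res, length, doi, proto, spi_size, ntype = HDR.unpack_from(payload)
    if length < HDR.size + spi_size or length > len(payload):
        raise ValueError("inconsistent payload length")
    spi_end = HDR.size + spi_size
    return {"doi": doi, "protocol_id": proto, "type": ntype,
            "spi": payload[HDR.size:spi_end], "data": payload[spi_end:length]}

def classify(peer, payload, live_peers):
    """Label a notify by whether it is INITIAL-CONTACT and whether SAs already exist."""
    n = parse_notify(payload)
    if n["doi"] != IPSEC_DOI or n["type"] != INITIAL_CONTACT:
        return "other-notify"
    if peer in live_peers:
        # Receiver may tear down existing SAs: the tunnel drops instead of re-keying.
        return "initial-contact-on-live-peer"
    return "initial-contact-first-negotiation"

def sample_notify(ntype):
    """Constructed payload: PROTO_ISAKMP (1), 16-byte SPI (the two IKE cookies), no data."""
    spi = bytes(range(16))
    return HDR.pack(0, 0, HDR.size + len(spi), IPSEC_DOI, 1, len(spi), ntype) + spi

if __name__ == "__main__":
    live = {"192.0.2.10"}  # constructed: peers that currently hold established SAs
    events = [("192.0.2.10", INITIAL_CONTACT),   # lifetime expiry on a live tunnel
              ("198.51.100.7", INITIAL_CONTACT), # genuine first negotiation
              ("192.0.2.10", 24576)]             # RESPONDER-LIFETIME, unrelated
    for peer, ntype in events:
        print(peer, ntype, classify(peer, sample_notify(ntype), live))
```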
