VPN problem after internet disconnection

fzaynoun
Level 1

I made a site-to-site VPN connection using a PIX 515E on my side (not sure about the device on the other side). Today the VPN connection was down all day. However, I could ping the other site using the real IP from the firewall itself.

I had to clear the ISAKMP and IPsec SAs in order to repair the problem (clear crypto isakmp sa and clear crypto ipsec sa). So I wonder, what could be wrong?

Both sites have similar config:

********ISAKMP***********

Encryption: AES-256

Hash: SHA-1

Diffie-Hellman Group 2

Lifetime: 1440 min

IKE keepalive: No

*********IPsec*********

Encryption: esp-aes

Authent: esp-sha-hmac

PFS: no

SA lifetime: 3600 sec, 4608000 kByte

I thought the devices themselves should maintain the connection and refresh it on demand. However, it seems they're not doing so. Anything I can do?

Thanks


celiocarreto
Level 1

Hi,

The only thing you can do is to enable "isakmp keepalive". With this command the PIX periodically sends an "Are you there" packet to check the ISAKMP state.

But this must be supported by the other side!

Another way might be to reduce the ISAKMP lifetime.

Regards, Celio
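To make the difference concrete, here is an added simulation (not code from the thread or from Cisco) of why a stale SA survives an outage when keepalives are off: it models one IKE SA with the thread's 1440-minute lifetime, a peer that silently loses its SA state at some point, and a local side that either probes the peer periodically or does not. The probe interval, retry count and the peer's failure time are constructed values; real DPD only probes while the tunnel is idle, which this model ignores.

```python
"""Simplified model of ISAKMP keepalive (dead peer detection) versus no keepalive."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Peer:
    # Second (since SA creation) at which the remote side dropped its SA,
    # e.g. after an internet disconnection; None means it never does.
    stale_since: Optional[int]

    def answers(self, t: int) -> bool:
        """True if the peer would still answer an 'Are you there' probe at time t."""
        return self.stale_since is None or t < self.stale_since


@dataclass
class IkeSa:
    lifetime: int                      # seconds; 1440 min = 86400 s in the thread
    keepalive_interval: Optional[int]  # None models "IKE keepalive: No"
    retries: int = 3                   # unanswered probes before the SA is torn down


def seconds_until_teardown(sa: IkeSa, peer: Peer) -> int:
    """Return the second at which the local side discards a stale SA.

    Without keepalives the only thing that ever removes the SA is lifetime
    expiry (or an operator running 'clear crypto isakmp sa'); with keepalives
    the dead peer is noticed after `retries` consecutive unanswered probes.
    """
    if sa.keepalive_interval is None:
        return sa.lifetime
    t, missed = 0, 0
    while t < sa.lifetime:
        t += sa.keepalive_interval
        if peer.answers(t):
            missed = 0          # any reply resets the miss counter
        else:
            missed += 1
            if missed >= sa.retries:
                return t        # dead peer detected; SA can be rebuilt
    return sa.lifetime


if __name__ == "__main__":
    outage = Peer(stale_since=600)  # constructed: peer loses state 10 min in
    print("no keepalive :", seconds_until_teardown(IkeSa(86400, None), outage), "s")
    print("keepalive 10s:", seconds_until_teardown(IkeSa(86400, 10), outage), "s")
```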

Thanks for your help, I will give it a try.

But isn't the connection supposed to be maintained by the firewall in some way? Maybe the problem is on the other side? Why should I have to delete the SAs? Is the problem in the first phase or the second phase? (from my config)
