ASA5510<-->2811 router L2L VPN: Session reset every 24Hrs

Unanswered Question
Apr 3rd, 2009

Hi All,

The L2L session having prod traffic between ASA5510<-->2811 router resets every 24hrs. I believe this is due to the default isakmp lifetime (86400 sec). The ASA has an option to change the lifetime for the isakmp...

************************************

5510-V1(config-isakmp-policy)# lifetime ?

crypto-isakmp-policy mode commands/options:

<120-2147483647> Lifetime in seconds

none Disable rekey and allow an unlimited rekey period

************************

But the router (2811 - c2800nm-advipservicesk9-mz.124-8b.bin) does not have the option.

2811-FW1(config-isakmp)#lifetime ?

<60-86400> lifetime in seconds

Is there any way we can keep the tunnel up without losing it? If I change it on the ASA for this particular 'isakmp policy', does it take effect on the other peers (ex: 2811) which are using this policy to connect, or does the lower interval always take over?

Thank you in advance.

MS

mike_guy29 Fri, 04/03/2009 - 09:27

Hi,

I am unsure if there is the command for the 2811. I have not worked with that specific model. Hopefully someone else can answer that. However, with regards to the timers etc., I would have thought leaving as is would be OK and a good idea. This means it will refresh the phase 1 tunnel (isakmp sa) every 24hrs. As long as interesting traffic is still being sent, then the VPN should just renegotiate.

Hope that helps

Thanks

mvsheik123 Fri, 04/03/2009 - 09:57

Thank you. I am wondering if any latest IOS versions got that option on 2811. Let's see if any other 'guru' replies. Also, what is the time for isakmp to reestablish/rekey?

Thank you

MS

mike_guy29 Mon, 04/06/2009 - 07:15

Hi,

By default, ISAKMP is renegotiated every 24hrs.

Hope that helps

Thanks
