ASA5510<-->2811 router L2L VPN: Session reset every 24Hrs

Unanswered Question
Apr 3rd, 2009

Hi All,


The L2L session carrying prod traffic between the ASA5510<-->2811 router resets every 24hrs. I believe this is due to the default isakmp lifetime (86400 sec). The ASA has an option to change the lifetime for the isakmp...

************************************

5510-V1(config-isakmp-policy)# lifetime ?

crypto-isakmp-policy mode commands/options:

<120-2147483647> Lifetime in seconds

none Disable rekey and allow an unlimited rekey period

************************

But the router (2811 - c2800nm-advipservicesk9-mz.124-8b.bin) does not have the option.


2811-FW1(config-isakmp)#lifetime ?

<60-86400> lifetime in seconds


Is there any way we can keep the tunnel up without losing it? If I change it on the ASA for this particular 'isakmp policy', does it take effect on the other peers (ex: 2811) which are using this policy to connect, or does the lower interval always take over?


Thank you in advance.


MS

mike_guy29 Fri, 04/03/2009 - 09:27

Hi,


I am unsure if there is the command for the 2811. I have not worked with that specific model. Hopefully someone else can answer that. However, with regards to the timers etc., I would have thought leaving as is would be ok and a good idea. This means it will refresh the phase 1 tunnel (isakmp sa) every 24hrs. As long as interesting traffic is still being sent then the VPN should just renegotiate.


Hope that helps


Thanks

mvsheik123 Fri, 04/03/2009 - 09:57

Thank you. I am wondering if any of the latest IOS versions have that option on the 2811. Let's see if any other 'guru' replies. Also, what is the time for isakmp to reestablish/rekey?


Thank you

MS

mike_guy29 Mon, 04/06/2009 - 07:15

Hi,


By default ISAKMP is renegotiated every 24hrs.


Hope that helps


Thanks
