IPSec VPN Resets before Isakmp Lifetime Expires

Unanswered Question
Apr 7th, 2009

Hi,

I have an IPSec tunnel between an ASA5520 and an 1841. The ISAKMP lifetime is set to the default 24 hours on both ends. No volume limit is configured. But the tunnel resets itself 1.5 hours ahead of time every day. I need to keep the resetting at night so that my special application won't be broken during work hours.

I thought the premature resetting was due to the IOS version on the router. I upgraded to a new version, but that did not fix the problem.

Besides the resetting, everything else is working fine.

Any ideas are appreciated.

Chuan Liu Mon, 04/13/2009 - 14:08

Hi,

My understanding is that the tunnel will be renegotiated when the ISAKMP lifetime expires. I set the lifetime to the default 24 hours. No volume limit is set. But 1.5 hours before the lifetime expires, the tunnel is broken and renegotiated. My application is cut off for one minute. So this is not a smooth/graceful resetting. Are there any ways to do this?

Thanks.

thotsaphon Mon, 04/13/2009 - 14:23

Chuan,

I used to see this problem as well. Did you configure the same values on both sides? I mean, the same exact lifetime values of 2 phases have to be configured on both devices.

Toshi

Chuan Liu Mon, 04/13/2009 - 15:56

Hi Toshi,

Yes, both sides do have similar configurations.

Thanks.

Larry

Daniela Herrera Mon, 04/20/2009 - 12:49

Do you have debug information at that time? Is there a specific error when the tunnel goes down or is it just the renegotiation?

The negotiation is supposed to start before the 24 hours, but even if it does, it should not bring the tunnel down. The purpose of the renegotiation is to keep the tunnel available.

I would suggest retrieving the debugs at that time and seeing whether the tunnel is actually going down and what the error message is.

If it's completely related to the negotiation, you should be able to modify the lifetime on both ends and see it fail at another specific time, that should help verify if that is the problem or if there's something else breaking the connection.

Regards,

Chuan Liu Mon, 04/20/2009 - 16:21

Hi,

One of my logs in the ASA is as follows. (IP addresses are modified.)

------------

Apr 16 2009 00:52:16: %ASA-4-113019: Group = ABC.ABC.177.202, Username = ABC.ABC.177.202, IP = NZ_Router, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 22h:48m:33s, Bytes xmt: 983291523, Bytes rcv: 982279579, Reason: Idle Timeout

Apr 16 2009 23:40:50: %ASA-3-713902: Group = ABC.ABC.177.202, IP = ABC.ABC.177.202, Removing peer from peer table failed, no match!

Apr 16 2009 23:40:50: %ASA-3-713902: Group = ABC.ABC.177.202, IP = ABC.ABC.177.202, Removing peer from peer table failed, no match!

Apr 16 2009 23:40:50: %ASA-4-713903: Group = ABC.ABC.177.202, IP = ABC.ABC.177.202, Error: Unable to remove PeerTblEntry

Apr 16 2009 23:40:50: %ASA-4-113019: Group = ABC.ABC.177.202, Username = ABC.ABC.177.202, IP = NZ_Router, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 22h:48m:32s, Bytes xmt: 751281811, Bytes rcv: 1447481492, Reason: User Requested

------------------

The disconnection reason can be either 'User Requested' or 'Idle Timeout'. When 'Idle Timeout', the application won't get dropped; when 'User Requested', the application gets dropped.

Thanks.
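The %ASA-4-113019 lines above carry everything needed to tell a planned rekey from a premature teardown: the session duration and the disconnect reason. The following script is an added example for this thread, not code from the thread or from Cisco. It parses 113019 messages, compares each session's duration against the 24-hour ISAKMP lifetime the thread describes, and flags disconnects that are both early and reported as "User Requested" (the case the poster says breaks the application). The sample log lines are constructed to match the thread's format with documentation IP addresses; the 300-second tolerance, the optional day prefix in the duration field, and the treatment of "User Requested" as disruptive are assumptions.

```python
"""Audit ASA %ASA-4-113019 session-disconnect messages for IPSec LAN-to-LAN
sessions that end well before the ISAKMP lifetime (added example, not from
the thread)."""
import re
from datetime import datetime

# Assumption: the default 24 h ISAKMP lifetime the thread describes.
ISAKMP_LIFETIME_S = 24 * 3600
# Assumption: a rekey within this many seconds of the lifetime counts as on time.
ON_TIME_TOLERANCE_S = 300

# Message shape as it appears in the thread (timestamp, then the 113019 body).
DISCONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-113019: "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"Session disconnected\. Session Type: (?P<stype>[^,]+), Duration: (?P<dur>[^,]+), "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)
# Duration as shown in the thread ("22h:48m:33s"); the optional "Nd " day
# prefix is an assumption for sessions longer than a day.
DURATION_RE = re.compile(r"^(?:(?P<d>\d+)d ?)?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s$")

# Constructed sample lines modeled on the thread's log excerpt (RFC 5737 addresses).
SAMPLE_LOG = [
    "Apr 16 2009 00:52:16: %ASA-4-113019: Group = 198.51.100.20, Username = 198.51.100.20, "
    "IP = 198.51.100.20, Session disconnected. Session Type: IPSecLAN2LAN, "
    "Duration: 22h:48m:33s, Bytes xmt: 983291523, Bytes rcv: 982279579, Reason: Idle Timeout",
    "Apr 16 2009 23:40:50: %ASA-3-713902: Group = 198.51.100.20, IP = 198.51.100.20, "
    "Removing peer from peer table failed, no match!",
    "Apr 16 2009 23:40:50: %ASA-4-113019: Group = 198.51.100.20, Username = 198.51.100.20, "
    "IP = 198.51.100.20, Session disconnected. Session Type: IPSecLAN2LAN, "
    "Duration: 22h:48m:32s, Bytes xmt: 751281811, Bytes rcv: 1447481492, Reason: User Requested",
    "Apr 17 2009 23:40:48: %ASA-4-113019: Group = 198.51.100.20, Username = 198.51.100.20, "
    "IP = 198.51.100.20, Session disconnected. Session Type: IPSecLAN2LAN, "
    "Duration: 23h:59m:58s, Bytes xmt: 12345678, Bytes rcv: 87654321, Reason: Idle Timeout",
]


def parse_duration(text: str) -> int:
    """Convert an ASA duration field such as '22h:48m:33s' to seconds."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days = int(m.group("d") or 0)
    hours, minutes, seconds = (int(m.group(k)) for k in ("h", "m", "s"))
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_disconnect(line: str):
    """Return a record for a 113019 line, or None for any other message ID."""
    m = DISCONNECT_RE.match(line)
    if not m:
        return None
    duration = parse_duration(m.group("dur"))
    shortfall = ISAKMP_LIFETIME_S - duration  # seconds short of a full lifetime
    reason = m.group("reason")
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "peer": m.group("ip"),
        "session_type": m.group("stype"),
        "duration_s": duration,
        "shortfall_s": shortfall,
        "reason": reason,
        # Early: the session ended noticeably before the lifetime would expire.
        "early": shortfall > ON_TIME_TOLERANCE_S,
        # Assumption from the thread: only 'User Requested' drops the application.
        "disruptive": reason == "User Requested",
    }


def audit(lines):
    """Parse every 113019 line in the input, skipping other messages."""
    return [rec for rec in map(parse_disconnect, lines) if rec is not None]


def early_disruptive(events):
    """Select the teardowns worth investigating: early and disruptive."""
    return [e for e in events if e["early"] and e["disruptive"]]


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        flag = "INVESTIGATE" if e["early"] and e["disruptive"] else "ok"
        print(f"{e['time']:%Y-%m-%d %H:%M:%S} {e['peer']} lived {e['duration_s']}s "
              f"({e['shortfall_s']}s short) reason={e['reason']!r} -> {flag}")
```

Run it against a syslog export from the ASA; a run of "INVESTIGATE" lines at the same wall-clock time each day, as in the thread, points at a scheduled teardown by the peer rather than at lifetime expiry, which is what the debugs suggested earlier in the thread would then confirm.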
