IKE phase 1 lifetime, ASA with NetScreen

Unanswered Question
Jun 10th, 2009

Hi all

IPsec, L2L: in the configuration I set 8h on both sides.

IKE Peer: x.y.z.w
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 24897

But in the logs, keys are changing every 6 hours:

Jun 6 11:17:46 masterasa Jun 06 2009 11:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w Freeing previously allocated memory for authorization-dn-attributes
Jun 6 17:17:46 masterasa Jun 06 2009 17:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for authorization-dn-attributes
Jun 6 23:17:46 masterasa Jun 06 2009 23:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w , Freeing previously allocated memory for authorization-dn-attributes
Jun 7 05:17:47 masterasa Jun 07 2009 05:17:47: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for authorization-dn-attributes

Does anyone know the reason for that?

Thanks


srue Wed, 06/10/2009 - 07:53

I've never seen that before, especially if the lifetime is the same on both sides.

What is the output of "show isa sa detail" on the Cisco equipment, and the equivalent output on the other hardware?

pawel1942 Fri, 06/12/2009 - 06:01

Hi

This is my sh crypto isakmp sa detail:

IKE Peer: x.y.z.w
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
Encrypt : 3des
Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 12134

My conf:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

On the NetScreen side it is exactly the same.

I don't have any idea what the reason for this is.

Greetings

Pavel
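
Added example, not part of any post in this thread: a Python script that measures the spacing of the %ASA-4-713903 events in syslog and compares it with the lifetime reported by "show crypto isakmp sa detail". Treating each 713903 event as a phase 1 renegotiation follows the original poster's reading of the logs and is an assumption; the function names, the 60-second tolerance and the sample input are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the excerpts posted in the thread.
SHOW_SA = """IKE Peer: x.y.z.w
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 24897
"""
MSG = ("%ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, Freeing previously "
       "allocated memory for authorization-dn-attributes")
SYSLOG = "\n".join([
    "Jun 6 11:17:46 masterasa Jun 06 2009 11:17:46: " + MSG,
    "Jun 6 17:17:46 masterasa Jun 06 2009 17:17:46: " + MSG,
    "Jun 6 23:17:46 masterasa Jun 06 2009 23:17:46: " + MSG,
    "Jun 7 05:17:47 masterasa Jun 07 2009 05:17:47: " + MSG,
])

# The ASA's own timestamp (the one with a year), message id and group name.
EVENT = re.compile(r"(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
                   r"%ASA-4-713903: Group = ([^,\s]+)")

def sa_lifetimes(show_output):
    """Return (configured, remaining) lifetime in seconds from the SA detail."""
    life = re.search(r"Lifetime\s*:\s*(\d+)", show_output)
    left = re.search(r"Lifetime Remaining\s*:\s*(\d+)", show_output)
    if not (life and left):
        raise ValueError("lifetime fields not found in SA detail output")
    return int(life.group(1)), int(left.group(1))

def event_intervals(syslog, peer):
    """Seconds between consecutive 713903 events logged for one peer group."""
    times = sorted(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
                   for m in EVENT.finditer(syslog) if m.group(2) == peer)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def compare(show_output, syslog, peer, tolerance=60):
    """Flag event intervals shorter than the configured phase 1 lifetime.
    Assumption: each 713903 event marks a renegotiation with that peer."""
    configured, remaining = sa_lifetimes(show_output)
    gaps = event_intervals(syslog, peer)
    return {"configured": configured, "sa_age": configured - remaining,
            "intervals": gaps,
            "early": [g for g in gaps if g < configured - tolerance]}

if __name__ == "__main__":
    print(compare(SHOW_SA, SYSLOG, "x.y.z.w"))
```

Running the same comparison against the peer's log and SA output shows which side starts the early renegotiation.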
