Remote Peer terminates connection immediately after rekeying

Unanswered Question
Jul 30th, 2009

I have an obscure problem. I have an ASA 5510 as the hub device in my network with 33 spoke nodes. The spokes are a mix of 2821 and 2651 routers. My network is fully meshed (to support site-to-site VOIP). I use IPSEC (L2TP) tunnels and “hair pinning”. For the most part, everything seems to operate fine with the occasional exception of the rekeying process.

At random intervals when the rekeying process takes place, Phase 2 completes and then immediately the Remote Peer terminates the connection and the rekeying process starts again. This can happen 30 or 40 times in a 25 or 30 second period. The normal rekeying process (lifetime security association) happens in a second or two. During the drawn out rekeying process voice calls between sites experience “one-way” or “no-way” audio. Examination of the ASA logs reveals that the remote proxy subnet in the peer termination seems to always be my voice VLAN at the remote site.

I currently have IPSEC debugging turned on in one of my remote routers to try and capture more info (cause of the termination) but it is so random it is like looking for a needle in a haystack.

Anyone seen this before or have any ideas why the peer would act like this?

smalkeric Wed, 08/05/2009 - 08:54

If the users are frequently disconnected across the L2L tunnel, the problem can be the lesser lifetime configured in the ISAKMP SA. If any discrepancy occurs in the ISAKMP lifetime, you can receive the %PIX-5-713092: Group = x.x.x.x, IP = x.x.x.x, Failure during phase 1 rekeying attempt due to collision error message. Configure the same value on both peers in order to fix it.

The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point), but, with shorter lifetimes, the security appliance sets up future IPsec SAs more quickly.

A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime in the compared policy. If the lifetimes are not identical, the shorter lifetime, from the policy of the remote peer, is used. If no acceptable match is found, IKE refuses negotiation, and the IKE SA is not established.

Specify the SA lifetime. This example sets a lifetime of 4 hours (14400 seconds). The default is 86400 seconds (24 hours).

PIX/ASA

hostname(config)#isakmp policy 2 lifetime 14400

IOS Router:

R2(config)#crypto isakmp policy 10

R2(config-isakmp)#lifetime 86400

If the maximum configured lifetime is exceeded, you receive this error message when the VPN connection is terminated:

Secure VPN Connection terminated locally by the Client. Reason 426: Maximum Configured Lifetime Exceeded.

In order to resolve this error message, set the lifetime value to 0 in order to set the lifetime of an IKE security association to infinity. The VPN will always be connected and will not terminate.

hostname(config)#isakmp policy 2 lifetime 0
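The matching rule and the "same lifetime on both peers" advice in the answer above can be checked mechanically before a hub-and-spoke rollout. The script below is an added example, not code from the thread or from Cisco: it parses the ISAKMP (IKEv1 phase 1) policies out of two peers' config fragments (both the flat ASA 7.x `isakmp policy N attr value` form and the indented `crypto isakmp policy N` block form used by IOS), applies the rule as the answer states it (encryption, hash, authentication and DH group equal; the remote peer's lifetime no greater than the local one; the shorter, remote, lifetime then used), and reports the negotiated lifetime in each initiation direction plus any lifetime mismatch between otherwise matching policies. The config fragments are constructed for this example and mirror the 14400/86400 values shown in the answer; only the lifetime is defaulted (86400 s), so the other four attributes are assumed to be explicit on both peers, and the `lifetime 0` = infinite treatment follows the answer's statement.

```python
"""
Added example (not from the original thread or from Cisco): a lint that
extracts ISAKMP (IKEv1 phase 1) policies from two peers' config fragments,
applies the matching rule quoted in the answer, and reports the negotiated
lifetime per initiation direction plus lifetime mismatches.
Assumptions: only the lifetime is defaulted (86400 s); encryption, hash,
authentication and group are expected to be explicit on both peers;
'lifetime 0' is treated as infinite, as the answer states.
"""
import re

MATCH_ATTRS = ("encryption", "hash", "authentication", "group")
DEFAULT_LIFETIME = 86400            # seconds; the ISAKMP SA default quoted in the answer
ALIASES = {"encr": "encryption"}    # IOS 'show run' abbreviation

FLAT = re.compile(r"^(?:crypto )?isakmp policy (\d+) (\w+) (\S+)\s*$")   # ASA 7.x style
BLOCK = re.compile(r"^crypto isakmp policy (\d+)\s*$")                   # IOS block style
ATTR = re.compile(r"^\s+(\w+) (\S+)\s*$")                                 # indented attribute line


def parse_policies(config):
    """Return {priority: {attr: value, ..., 'lifetime': seconds}} for both config styles."""
    policies, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = FLAT.match(line)
        if m:
            prio, attr, value = int(m.group(1)), ALIASES.get(m.group(2), m.group(2)), m.group(3)
            policies.setdefault(prio, {})[attr] = value
            current = None
            continue
        m = BLOCK.match(line)
        if m:
            current = int(m.group(1))
            policies.setdefault(current, {})
            continue
        m = ATTR.match(line)
        if m and current is not None:
            policies[current][ALIASES.get(m.group(1), m.group(1))] = m.group(2)
            continue
        current = None   # any other top-level line ends the policy block
    for pol in policies.values():
        secs = int(pol.get("lifetime", DEFAULT_LIFETIME))
        pol["lifetime"] = float("inf") if secs == 0 else secs   # 'lifetime 0' = never expires
    return policies


def same_crypto(a, b):
    """True when encryption, hash, authentication and DH group are all equal."""
    return all(a.get(k) == b.get(k) for k in MATCH_ATTRS)


def negotiate(local, remote):
    """Responder-side match as the answer describes it: walk the remote
    (initiator) policies in priority order, then the local ones, and accept
    the first pair with equal crypto parameters whose remote lifetime is <=
    the local lifetime; the remote (shorter) lifetime is the negotiated one.
    Returns (local_priority, remote_priority, negotiated_lifetime) or None."""
    for rprio, rpol in sorted(remote.items()):
        for lprio, lpol in sorted(local.items()):
            if same_crypto(lpol, rpol) and rpol["lifetime"] <= lpol["lifetime"]:
                return lprio, rprio, rpol["lifetime"]
    return None


def check_peers(cfg_a, cfg_b):
    """Evaluate both initiation directions and list lifetime mismatches between
    policies that would otherwise match."""
    a, b = parse_policies(cfg_a), parse_policies(cfg_b)
    mismatches = [
        (pa, pb, pola["lifetime"], polb["lifetime"])
        for pa, pola in sorted(a.items())
        for pb, polb in sorted(b.items())
        if same_crypto(pola, polb) and pola["lifetime"] != polb["lifetime"]
    ]
    return {
        "a_initiates": negotiate(local=b, remote=a),
        "b_initiates": negotiate(local=a, remote=b),
        "lifetime_mismatches": mismatches,
    }


# Constructed fragments (not from the thread): hub ASA at 4 hours, spoke router
# left at the 24-hour default, mirroring the two values shown in the answer.
HUB_ASA = """
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 14400
"""

SPOKE_IOS = """
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key example-psk address 192.0.2.1
"""

if __name__ == "__main__":
    print(check_peers(HUB_ASA, SPOKE_IOS))
    # spoke corrected to the hub's value, as the answer recommends
    print(check_peers(HUB_ASA, SPOKE_IOS.replace("lifetime 86400", "lifetime 14400")))
```

With the mismatched fragments the hub's proposal is accepted by the spoke (14400 s negotiated), but under the quoted rule the spoke's 86400 s proposal is refused by the hub, so which side happens to initiate the rekey decides whether phase 1 comes up; aligning both peers on 14400 s makes both directions match and empties the mismatch list.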
