I have a really strange problem with a cisco VPN.
The tunnel is between an ASA running 7.2(3) and a PIX running 8.0(4)
The tunnel drops periodically and takes a while to reestablish. This is a common thing I've run into before when the key lifetimes don't match. Except in this case, they DO match; both the ISAKMP and IPSEC lifetimes. At least the configurations look like they do. BUT, which I do
sh crypto ipsec sa
to view the Security Associations, (0.5 seconds apart) I see that
ASA: sa timing: remaining key lifetime (kB/sec): (2137416/14356)
PIX: sa timing: remaining key lifetime (kB/sec): (1957473/14355)
Which a simple glace will reveal, ARE NOT EVEN CLOSE!
This is after forcing the tunnel to rebuild with
clear crypto ipsec sa
on both ends and trying halving the times from their previous values of 4608000 KB (4 MB) and 28800 seconds.
I figure that the PIX decides the key lifetime is up long before the ASA.
I am going to try increasing the kB lifetime dramatically and reduce the seconds lifetime...
Does anyone have any thoughts on what could cause this or how else to remedy it?