VPN tunnel lifetimes problem

bryan.lee
Level 1

I have a really strange problem with a cisco VPN.

The tunnel is between an ASA running 7.2(3) and a PIX running 8.0(4)

The tunnel drops periodically and takes a while to reestablish. This is a common thing I've run into before when the key lifetimes don't match. Except in this case, they DO match; both the ISAKMP and IPSEC lifetimes. At least the configurations look like they do. BUT, when I do

     sh crypto ipsec sa

to view the Security Associations (0.5 seconds apart), I see that
          ASA: sa timing: remaining key lifetime (kB/sec): (2137416/14356)
          PIX: sa timing: remaining key lifetime (kB/sec): (1957473/14355)
which, as a simple glance will reveal, ARE NOT EVEN CLOSE!
This is after forcing the tunnel to rebuild with

     clear crypto ipsec sa

on both ends and after trying to halve the times from their previous values of 4608000 KB (4 MB) and 28800 seconds.

I figure that the PIX decides the key lifetime is up long before the ASA.

I am going to try increasing the kB lifetime dramatically and reducing the seconds lifetime...

Does anyone have any thoughts on what could cause this or how else to remedy it?
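
As an added example (not part of the original post), here is a small Python script that pairs the ESP SAs from both peers' `show crypto ipsec sa` output by SPI, so that each side's inbound SA is compared with the other side's outbound SA of the same SPI rather than whichever "sa timing" line happens to come first, and reports the kB and seconds deltas per pair. The two dumps are constructed sample output trimmed to the lines the parser reads; the SPIs, addresses and all figures other than the two quoted in the post are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample output, trimmed to the lines this script reads.
# Real "show crypto ipsec sa" output carries many more lines per SA.
ASA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.2
      current_peer: 203.0.113.1
    inbound esp sas:
      spi: 0x5E6F7081 (1584427137)
         transform: esp-3des esp-sha-hmac none
         sa timing: remaining key lifetime (kB/sec): (2137416/14356)
    outbound esp sas:
      spi: 0xA1B2C3D4 (2712847316)
         transform: esp-3des esp-sha-hmac none
         sa timing: remaining key lifetime (kB/sec): (2301990/14356)
"""

PIX_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
      current_peer: 203.0.113.2
    inbound esp sas:
      spi: 0xA1B2C3D4 (2712847316)
         transform: esp-3des esp-sha-hmac none
         sa timing: remaining key lifetime (kB/sec): (2301002/14355)
    outbound esp sas:
      spi: 0x5E6F7081 (1584427137)
         transform: esp-3des esp-sha-hmac none
         sa timing: remaining key lifetime (kB/sec): (1957473/14355)
"""

SA_DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:", re.I)
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")


@dataclass
class SaTiming:
    direction: str   # "inbound" or "outbound" as seen by this peer
    spi: int
    kb_left: int     # remaining kilobytes before rekey
    sec_left: int    # remaining seconds before rekey


def parse_ipsec_sa(text):
    """Return {spi: SaTiming} for every ESP SA in a 'show crypto ipsec sa' dump."""
    sas = {}
    direction = None
    spi = None
    for line in text.splitlines():
        m = SA_DIR_RE.match(line)
        if m:
            direction = m.group(1).lower()
            continue
        m = SPI_RE.match(line)
        if m:
            spi = int(m.group(1), 16)
            continue
        m = TIMING_RE.search(line)
        if m and direction and spi is not None:
            sas[spi] = SaTiming(direction, spi, int(m.group(1)), int(m.group(2)))
            spi = None  # one timing line per SA; wait for the next spi: line
    return sas


def compare_peers(local, remote, kb_tolerance=10_000, sec_tolerance=30):
    """Pair each local SA with the remote SA carrying the same SPI (which is
    the same SA seen from the other end, so the directions should be opposite)
    and report the lifetime deltas. Tolerances are arbitrary assumptions."""
    report = []
    for spi, l in sorted(local.items()):
        r = remote.get(spi)
        if r is None:
            report.append({"spi": f"0x{spi:08X}", "status": "missing on remote"})
            continue
        entry = {
            "spi": f"0x{spi:08X}",
            "local_dir": l.direction,
            "remote_dir": r.direction,
            "kb_delta": abs(l.kb_left - r.kb_left),
            "sec_delta": abs(l.sec_left - r.sec_left),
        }
        problems = []
        if l.direction == r.direction:
            problems.append("same direction on both peers (not the same SA?)")
        if entry["sec_delta"] > sec_tolerance:
            problems.append("seconds lifetime diverges")
        if entry["kb_delta"] > kb_tolerance:
            problems.append("kB lifetime diverges")
        entry["status"] = "ok" if not problems else "; ".join(problems)
        report.append(entry)
    return report


if __name__ == "__main__":
    for row in compare_peers(parse_ipsec_sa(ASA_OUTPUT), parse_ipsec_sa(PIX_OUTPUT)):
        print(row)
```

The seconds counters on both peers of a given SPI start from the same negotiated value at the same moment, so a seconds delta of more than a few seconds is the cheapest indicator that the configured seconds lifetimes really do differ; the kB counter depends on how each box accounts for the traffic it has pushed through that SA, so a kB gap on one SPI pair and not the other is worth noting separately before changing any lifetimes.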

1 Reply

Bryan,

That's interesting... you've verified under the configuration for both units that the IPsec SA lifetimes match, correct?

Normally keepalives or DPD will help the device keep track of the other end and tear down the tunnel if needed (to avoid having the tunnel up on one end until the lifetime expires).

The IPsec SAs are the same on both the ASA and the PIX, globally and/or for this tunnel in particular?

Federico.
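
As an added illustration of the two places the reply asks about (not configuration from either poster), here is the relevant part of a site-to-site configuration in the syntax ASA 7.2 and PIX 8.0 share, with the IPsec lifetimes set both globally and on the crypto map entry, and IKE keepalives (DPD) enabled under the tunnel-group. The peer address, crypto map name, ACL name and transform-set name are placeholders; the per-entry `set security-association lifetime` values override the global ones, which is why both have to be checked on both peers.

```cisco
! Phase 1: ISAKMP policy lifetime, identical on both peers
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp enable outside
!
! Phase 2: global IPsec SA lifetimes (used unless a crypto map entry overrides them)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! Crypto map entry for this tunnel; the two "set security-association lifetime"
! lines override the global values above for this peer only, so they must be
! compared with the other end's entry, not with its global setting
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
!
! IKE keepalives (DPD): probe the peer every 10 s of silence, retry every 2 s,
! so a dead peer is detected and the SA torn down instead of lingering until
! its lifetime expires
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
```

On each box, `show run crypto map` and `show run tunnel-group` show the per-tunnel values, while `show run crypto ipsec` shows the global ones; it is the per-tunnel values that have to agree when both sides have them.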