Anyone getting problems with the inner SA collapsing when it tries to rekey in the newest loads?
Debug looks like this:
[IKEv1]: IP = XX.XX.XX.XX, Unable to kick off reykeying!
[IKEv1 DEBUG]: Group = DefaultRAGroup, Username = xxxxx, IP = XX.XX.XX.XX, Active unit starts Phase 2 rekey with remote peer XX.XX.XX.XX
[IKEv1 DEBUG]: Group = DefaultRAGroup, Username = xxxxx, IP = XX.XX.XX.XX, sending delete/delete with reason message
... more packet level messages...
[IKEv1 DEBUG]: Group = DefaultRAGroup, Username = xxxxx, IP = XX.XX.XX.XX, Active unit receives a centry expired event for remote peer XX.XX.XX.XX
This leads me to a few follow-up questions:
1) I've been working on the ACLs a bit. Can anyone think of a way an ACL or filter might get in the way of a rekey when it doesn't stop an initial negotiation? I can't.
2) As a temporary workaround we want to extend the rekey until we find a fix. It takes the lower of the client or ASA's rekeying interval.
Anyone got a quick link to how to set this on Windows XP, Windows Vista, and OSX? The Windows boxen seem to send 3600 here.