VPN Tunnel instability


Hello Experts,

I am facing some issues with a VPN tunnel. I have formed the VPN tunnel between a Cisco PIX (ver 7.2) and a FortiGate (other vendor).

Once I initiate the tunnel from the FortiGate I can see the IKE phase up with IPsec up,

for e.g. 1 IKE and 5 IPsec, and all subnets will be reachable at that moment. After some time a few subnets go unreachable. When I check the PIX I can see the IKE phase is fine but 2 IPsec are up. What might be the reason for this instability?

I set 86400 sec for both phase 1 and phase 2 on both devices.

Thanks,

KG

witsang Fri, 08/20/2010 - 18:00

Hello,


It could be that the FortiGate is maintaining the old IPsec SAs after the lifetime expiration and preventing the PIX from renegotiating new IPsec SAs. The 86400 sec lifetime seems high for phase 2. You can test lowering the IPsec SA lifetime value to 3600 seconds to see if it helps with the stability. A more frequent renegotiation of IPsec SAs may help prevent this situation from happening.


crypto ipsec security-association lifetime

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458
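As an added illustration of the lifetime change suggested in the reply above (this is editor-supplied example configuration, not part of witsang's post or KG's running config), here is how the PIX 7.2 side looks with the posted 86400-second phase 2 lifetime beside the 3600-second value proposed, both as a global setting and as a per-crypto-map override for just this peer, followed by the show commands used to confirm how many ISAKMP and IPsec SAs are actually up. The crypto map name, sequence number, peer address and ISAKMP policy parameters are placeholders.

```cisco
! --- As posted: phase 1 and phase 2 both at 86400 s.
! --- The ISAKMP (phase 1) lifetime lives in the isakmp policy; the IPsec (phase 2)
! --- SA lifetime is global unless a crypto map entry overrides it.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec security-association lifetime seconds 86400

! --- Suggested test: leave phase 1 at 86400 s, rekey phase 2 every 3600 s (global).
crypto ipsec security-association lifetime seconds 3600

! --- Alternative: override only the entry for the FortiGate peer
! --- (OUTSIDE_MAP, sequence 10 and 203.0.113.10 are placeholders).
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600

! --- Set the same phase 2 lifetime on the FortiGate so both peers agree on when to rekey.

! --- Verify: expect one ISAKMP SA for the peer, and one inbound/outbound ESP SA pair per
! --- protected subnet pair; the "sa timing" lines show the remaining lifetime of each SA.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

If the SA count drops again after the change, compare the proxy IDs (local/remote subnet pairs) shown by `show crypto ipsec sa` on the PIX against the phase 2 selectors configured on the FortiGate; an SA pair that is missing from the PIX output is one the FortiGate either never proposed or rekeyed without the PIX accepting it.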
