Loss of SA between PIX 515 and VPN concentrator

Unanswered Question
Jan 3rd, 2003
We keep losing the SAs on the VPN connection between the PIX and VPN concentrator, and I cannot reinitialize the SAs by just generating the interesting traffic. I have to clear the SA by using the clear ipsec sa and clear isakmp sa commands. The PIX is running 6.0(3) software. I have two more VPN connections to other PIX firewalls which do not have any problems. Has anybody faced this problem, and how did you resolve it?

Any help is appreciated.


mchin345 Thu, 01/09/2003 - 08:55
User Badges:
  • Silver, 250 points or more

You might want to look at the bugs CSCdt24274 (Ipsec SA not being created at configured 10 min interval with Unity) and CSCdu67799 (IPSEC: pix takes long time to create a 2nd Ipsec tunnel (1 IKE)), though I feel that the problem most likely has to do with the configured IPSec and IKE lifetimes (if you have changed them from the defaults). Try going back to the defaults. If I remember correctly, for a PIX, the IKE lifetime is 24 hours and the IPSec lifetime is 8 hours. Also, please remember that this value is accepted in seconds. Could you also try initiating traffic from the Concentrator when the SAs are lost? If that results in new negotiations being triggered, you probably should take a look at bug CSCdw73828.

javedmma Thu, 01/09/2003 - 13:24

The IKE and IPSec lifetimes are the same on both the devices. Do you think it could be a PIX IOS issue? The PIX is running 6.0(3) and the Concentrator is running 3.5.3.

Thank You.

Nelson Rodrigues Thu, 01/09/2003 - 20:44
User Badges:
  • Cisco Employee,

Can you try the latest PIX (6.2.2) and VPN 3000 (3.6.7) to see if this still happens?



mclach Fri, 01/10/2003 - 03:47

Hi,

Can we get an idea of how often this is actually happening?

Is this happening automatically after the initialisation of the tunnel or after what period of time?

When you are losing the SAs, are there any logs left? Perhaps you can set up a syslog server and run "debug cry ipsec", "debug cry isa" and "debug cry engine", and then take a look at whether there is anything besides the deletion of your SAs in the logs.

I do agree with the previous user, though: 6.2(2) is a pretty good and stable code for VPN.


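The two diagnostic steps suggested in this thread, checking that the IKE and IPSec lifetimes (entered in seconds) really match on both peers, and then measuring from syslog how long each SA actually survives before it is deleted, can be combined into one small checker. The script below is an added example and is not code from any poster, Cisco, or the PIX or VPN 3000 products. The syslog lines, the "IPSEC: sa created / deleting SA, peer=... spi=..." message format, the peer addresses, the year used to complete the syslog timestamps and the lifetime values are all constructed for this illustration; a real debug or syslog feed will need its own regular expression.

```python
import re
from datetime import datetime
from statistics import median

# PIX defaults quoted in the thread: IKE 24 h, IPSec 8 h, both configured in seconds.
def to_seconds(value, unit="seconds"):
    factors = {"seconds": 1, "minutes": 60, "hours": 3600}
    return int(value) * factors[unit]

# Constructed lifetimes for the two peers (same on both sides, as the poster reports).
PIX_LIFETIMES = {"ike": to_seconds(24, "hours"), "ipsec": to_seconds(8, "hours")}
CONCENTRATOR_LIFETIMES = {"ike": 86400, "ipsec": 28800}

def compare_lifetimes(peer_a, peer_b):
    """Names of the lifetimes that differ between the two peers (empty list means they match)."""
    return [name for name in ("ike", "ipsec") if peer_a[name] != peer_b[name]]

# Constructed sample syslog; the message text is hypothetical, not real PIX output.
# 10.0.0.2 stands for the concentrator peer, 192.0.2.9 for one of the healthy PIX peers.
SAMPLE_SYSLOG = """\
Jan 09 08:00:00 pix515 IPSEC: sa created, peer=10.0.0.2 spi=0x1a2b3c4d
Jan 09 08:09:58 pix515 IPSEC: deleting SA, peer=10.0.0.2 spi=0x1a2b3c4d
Jan 09 08:10:05 pix515 IPSEC: sa created, peer=10.0.0.2 spi=0x5e6f7a8b
Jan 09 08:20:01 pix515 IPSEC: deleting SA, peer=10.0.0.2 spi=0x5e6f7a8b
Jan 09 09:00:00 pix515 IPSEC: sa created, peer=192.0.2.9 spi=0x11111111
Jan 09 17:00:00 pix515 IPSEC: deleting SA, peer=192.0.2.9 spi=0x11111111
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ IPSEC: "
    r"(?P<event>sa created|deleting SA), peer=(?P<peer>\S+) spi=(?P<spi>\S+)"
)

def parse_sa_events(text, year=2003):
    """Extract (timestamp, event, peer, spi) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line (or a format this regex does not know)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["peer"], m["spi"]))
    return events

def sa_durations(events):
    """Pair every 'sa created' with the 'deleting SA' for the same peer/SPI; seconds lived, per peer."""
    created = {}
    durations = {}
    for ts, event, peer, spi in events:
        if event == "sa created":
            created[(peer, spi)] = ts
        elif (peer, spi) in created:
            lived = (ts - created.pop((peer, spi))).total_seconds()
            durations.setdefault(peer, []).append(lived)
    return durations

def diagnose(durations, ipsec_lifetime, tolerance=0.1):
    """Flag peers whose SAs are torn down well before the configured IPSec lifetime."""
    report = {}
    for peer, lived in durations.items():
        med = median(lived)
        report[peer] = {
            "count": len(lived),
            "median_seconds": med,
            # An SA that lives far less than its lifetime was deleted, not rekeyed on schedule.
            "premature": med < ipsec_lifetime * (1 - tolerance),
        }
    return report

if __name__ == "__main__":
    mismatches = compare_lifetimes(PIX_LIFETIMES, CONCENTRATOR_LIFETIMES)
    print("lifetime mismatches:", mismatches or "none")
    report = diagnose(sa_durations(parse_sa_events(SAMPLE_SYSLOG)), PIX_LIFETIMES["ipsec"])
    for peer, info in report.items():
        print(f"{peer}: {info['count']} SA(s), median {info['median_seconds']:.0f}s, "
              f"premature={info['premature']}")
```

With the constructed input, the lifetimes match on both sides, yet the SAs to 10.0.0.2 live roughly ten minutes against a configured 28800 seconds while the SAs to the other PIX run the full eight hours, which is the pattern the thread is trying to pin down; the timestamps of the flagged deletions are then the place to look in the "debug cry isa" and "debug cry ipsec" output for the reason the SA went away.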