Loss of SA between PIX 515 and VPN concentrator

javedmma
Level 1

Hi,

We keep losing the SAs on the VPN connection between the PIX and the VPN concentrator, and I cannot reinitialize the SAs by just generating the interesting traffic. I have to clear the SAs by using the clear ipsec sa and clear isakmp sa commands. The PIX is running 6.0(3) software. I have two more VPN connections to other PIX firewalls which do not have any problems. Has anybody faced this problem, and how did you resolve it?

Any help is appreciated.

Thanks.

4 Replies

mchin345
Level 6

You might want to look at the bugs CSCdt24274 (Ipsec SA not being created at configured 10 min interval with Unity) and CSCdu67799 (IPSEC:pix takes long time to create a 2nd Ipsec tunnel (1 IKE)), though I feel that the problem most likely has to do with the configured IPsec and IKE lifetimes (if you have changed them from the defaults). Try going back to the defaults. If I remember correctly, for a PIX, the IKE lifetime is 24 hours and the IPsec lifetime is 8 hours. Also, please remember that this value is accepted in seconds. Could you also try initiating traffic from the Concentrator when the SAs are lost? If that results in new negotiations being triggered, you probably should take a look at bug CSCdw73828.

The IKE and IPsec lifetimes are the same on both devices. Do you think it could be a PIX IOS issue? The PIX is running 6.0(3) and the Concentrator is running 3.5.3.

Thank You.

Can you try the latest PIX (6.2.2) and VPN 3000 (3.6.7) to see if this still happens?

Thanks.

Nelson

mclach
Level 1

Hi ,

Can we get an idea of how often this is actually happening?

Is this happening automatically after the initialisation of the tunnel, or after what period of time?

When you are losing the SAs, are there any logs left? Perhaps you can set up a syslog server and run "debug cry ipsec", "debug cry isa" and "debug cry engine", and then take a look whether there is anything besides the deletion of your SAs in the logs.

I do agree with the previous user, though: 6.2(2) is pretty good and stable code for VPN.
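The two things the replies above ask the poster to check, the IKE and IPsec lifetimes mchin345 mentions and the syslog plus debug capture mclach suggests, as one PIX 6.x CLI fragment. This is an added example, not configuration from any of the posters: the policy priority 10, the crypto map name vpnmap and the syslog host 10.1.1.50 are placeholders, and configuration-mode and exec-mode (show/debug/clear) commands are shown together for brevity rather than as a single paste.

```cisco
! Added example (not from the thread). PIX 6.x syntax; placeholders:
! policy 10, crypto map "vpnmap", syslog host 10.1.1.50 on the inside interface.

! Phase 1 (IKE) lifetime in seconds: 86400 s = 24 h is the PIX default.
! The concentrator's IKE proposal lifetime should be set to the same value.
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec) lifetime in seconds: 28800 s = 8 h is the PIX default.
! Can be set globally or per crypto map entry; the per-entry value wins.
crypto ipsec security-association lifetime seconds 28800
crypto map vpnmap 10 set security-association lifetime seconds 28800

! Ship debug-level syslog, with timestamps, to a collector so the SA
! deletion and whatever precedes it survive the event.
logging on
logging timestamp
logging trap debugging
logging host inside 10.1.1.50

! Exec mode: turn on the crypto debugs, then generate interesting traffic
! and watch whether a new Phase 1 / Phase 2 negotiation is attempted at all.
debug crypto isakmp
debug crypto ipsec
debug crypto engine

! Exec mode: confirm what the PIX thinks it has, then (as the original poster
! does today) clear both SA databases and retry the traffic.
show isakmp sa
show crypto ipsec sa
clear ipsec sa
clear isakmp sa
```

When reading the capture, compare the lifetime values the PIX proposes against what the concentrator answers with: both sides keep the shorter of the two for the SA, so a silent mismatch shows up as an SA that expires earlier than the configured value on one peer and, if rekey is not triggered in time, as exactly the "SA gone, traffic does not bring it back" symptom in the first post.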
