I have a hub and spoke VPN. I noticed that when I had an ISAKMP SA of 1000 sec and an IPSec SA of 8 hours, the tunnel would stop passing traffic at random intervals. The ISAKMP SA did not exist in the output from "sh cry isa sa". I then would have to execute "clear cry isa" and "clear cry sa" to resume traffic flow. With the help of the TAC, I set the ISAKMP SA to a longer lifetime than the IPSec SA. Since then, I have not had any tunnel drops.
1. Why must the ISAKMP SA lifetime be longer than the IPSec SA?
2. What causes traffic to stop flowing?
3. Does an ISAKMP SA have to be present to have traffic flowing through an IPSec tunnel?
Thanks for all answers.