PIX501 to VPN3020 Tunnel drops every 6hrs 48mins

Unanswered Question
Aug 25th, 2006

Hello All.

Be grateful if you can shed some light on this weird problem.

I have 2 PIX 501 firewalls on separate sites connecting back to a central Cisco VPN3020 VPN concentrator.

The 2 VPNs are established without any problems but every 6hrs 48mins the VPNs drop, stay down for 1 hour and are then re-established.

The only way we can get round this currently is to reboot the Cisco PIX 501 firewalls. When this is performed the vpn is immediately established but again after 6hrs 48mins the vpn tunnel is dropped.

Any help will be gratefully received.

puagarwa Fri, 08/25/2006 - 10:33

Is this a site-to-site or ezvpn tunnel?

Need some logs from the 3020 to know why the tunnel is dropping.

You can check the phase 1 and phase 2 lifetimes, and can enable isakmp keepalives on both the PIX and the 3020.

grant.maynard Fri, 08/25/2006 - 15:06

The tunnel will drop when the SA lifetimes expire if there is no traffic, else it should stay up.

armstrongi Sat, 08/26/2006 - 13:21

Check these 2 values in your Concentrator under: Configuration | User Management | Base Group (or whatever Group is relevant):

Maximum Connect time = 0

Reauthentication on Rekey = Unchecked

Fernando_Meza Sun, 08/27/2006 - 18:31

I think your phase two rekeying timing out is causing the issue, as per the example below. See the message "Starting P2 Rekey timer to expire in 24480 seconds", which equals 6 hrs 48 minutes.

Security negotiation complete for LAN-to-LAN Group (
Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
May 25 12:49:40 [IKEv1]: Group =, IP =, Starting P2 Rekey timer to expire in 24480 seconds
May 25 12:49:40 [IKEv1]: Group =, IP =, PHASE 2 COMPLETED (msgid=0529ac6b)

Make sure you have the same value on both ends; it is also advisable to configure the same value for phase 1 and two.

I hope it helps. Please rate it if it does!
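
Added example (not part of any post in this thread, and not Cisco code): a small Python parser that pulls the "Starting P2 Rekey timer" value out of IKE debug lines in the format quoted above and checks it against an observed time-to-drop such as 6 hrs 48 mins. The sample log is constructed, the function names are hypothetical, and the year is an assumption because the log timestamps do not carry one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the debug lines quoted in the post.
# The first peer keeps the post's redacted "Group =, IP =," form; the other
# peer address is a placeholder from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
May 25 12:49:40 [IKEv1]: Group =, IP =, Starting P2 Rekey timer to expire in 24480 seconds
May 25 12:49:40 [IKEv1]: Group =, IP =, PHASE 2 COMPLETED (msgid=0529ac6b)
May 25 12:51:02 [IKEv1]: Group = 198.51.100.7, IP = 198.51.100.7, Starting P2 Rekey timer to expire in 3420 seconds
"""

REKEY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\[IKEv1\]:\s+"
    r"Group =\s*(?P<group>[^,]*),\s*IP =\s*(?P<ip>[^,]*),\s*"
    r"Starting P2 Rekey timer to expire in (?P<secs>\d+) seconds"
)

def parse_rekey_timers(log_text, year=2006):
    """Return one record per 'Starting P2 Rekey timer' line.

    The log timestamps carry no year, so the caller supplies one (assumption).
    """
    records = []
    for line in log_text.splitlines():
        m = REKEY_RE.match(line.strip())
        if not m:
            continue
        secs = int(m.group("secs"))
        started = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        records.append({
            "peer": m.group("ip").strip() or "(redacted)",
            "rekey_secs": secs,
            "rekey_due": started + timedelta(seconds=secs),
        })
    return records

def peers_matching_drop(records, drop_interval, tolerance=timedelta(minutes=1)):
    """Peers whose P2 rekey timer equals the observed uptime before a drop."""
    return [r["peer"] for r in records
            if abs(timedelta(seconds=r["rekey_secs"]) - drop_interval) <= tolerance]

if __name__ == "__main__":
    recs = parse_rekey_timers(SAMPLE_LOG)
    for r in recs:
        print(r["peer"], timedelta(seconds=r["rekey_secs"]), "rekey due", r["rekey_due"])
    print("match 6h48m:", peers_matching_drop(recs, timedelta(hours=6, minutes=48)))
```
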

cjitnet Mon, 08/28/2006 - 23:39

Thanks for the response.

The max connect time is set to zero.

The Reauthentication on Rekey is unchecked.

Any other ideas?

