Re: ike phase 1 lifetime, asa with netscreen

pawel1942 · ‎06-10-2009

Hi all

Ipsec, L2L, in configuration I set 8h, on both side

IKE Peer: x.y.z.w

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Encrypt : 3des Hash : SHA

Auth : preshared Lifetime: 28800

Lifetime Remaining: 24897

but in logs, keys are changing in every 6 hours:

Jun 6 11:17:46 masterasa Jun 06 2009 11:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w Freeing previously allocated memory for authorization-dn-attributes

Jun 6 17:17:46 masterasa Jun 06 2009 17:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for authorization-dn-attributes

Jun 6 23:17:46 masterasa Jun 06 2009 23:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w , Freeing previously allocated memory for authorization-dn-attributes

Jun 7 05:17:47 masterasa Jun 07 2009 05:17:47: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for authorization-dn-attributes

Someone knows what's reason of that ?

thanks

srue · ‎06-10-2009

i've never seen that before, especially if the lifetime is the same on both sides.

what is the output of "show isa sa detail" on the cisco equipment, and the equivalent output on the other hardware?

pawel1942 · ‎06-12-2009

Hi

it's my sh crypto isakmp sa detail

IKE Peer: x.y.z.w

Type : L2L

Role : initiator

Rekey : no

State : MM_ACTIVE

Encrypt : 3des

Hash : SHA

Auth : preshared Lifetime: 28800

Lifetime Remaining: 12134

my conf:

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

On the netscreen side is exactly the same

i don't have any idea what's the reason of this

greetings

Pavel