Cisco Support Community
New Member

VPN Tunnel instability

Hello Experts,

I am facing some issues with a VPN tunnel. I have formed the VPN tunnel between a Cisco PIX (ver 7.2) and a FortiGate (other vendor).

Once I initiate the tunnel from the FortiGate, I can see the IKE phase up with IPsec up, e.g. 1 IKE and 5 IPsec, and all subnets are reachable at that moment. After some time a few subnets go unreachable. When I check the PIX I can see the IKE phase is fine but only 2 IPsec up. What might be the reason for this instability?

I set 86400 sec for both phase 1 and phase 2 on both devices.

Thanks,

KG

1 REPLY
Cisco Employee

Re: VPN Tunnel instability

Hello,

It could be that the FortiGate is maintaining the old IPsec SAs after the lifetime expiration and preventing the PIX from renegotiating new IPsec SAs. The 86400 sec lifetime seems high for phase 2. You can test lowering the IPsec SA lifetime value to 3600 seconds to see if it helps with the stability. A more frequent renegotiation of IPsec SAs may help prevent this situation from happening.

crypto ipsec security-association lifetime

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458
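
To see which subnet pairs have lost their IPsec SAs when the count drops (for example from 5 to 2), the following added example, which is not part of the original thread, parses saved `show crypto ipsec sa` text and lists the expected selector pairs that no longer have both an inbound and an outbound SA. The sample output is constructed, and the subnets in `EXPECTED` and the function names are hypothetical.

```python
import re

# Constructed excerpt modelled on `show crypto ipsec sa` output; all values are made up.
SAMPLE = """\
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         sa timing: remaining key lifetime (kB/sec): (4274999/85012)
    outbound esp sas:
      spi: 0x5E6F7A8B (1584366219)
         sa timing: remaining key lifetime (kB/sec): (4274999/85012)
      local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
    inbound esp sas:
      spi: 0x0BADF00D (195948557)
         sa timing: remaining key lifetime (kB/sec): (4274999/120)
    outbound esp sas:
      spi: 0x0DEFACED (233811181)
         sa timing: remaining key lifetime (kB/sec): (4274999/120)
"""

# Hypothetical selector pairs (local, remote) that the crypto ACL should protect.
EXPECTED = [("10.1.1.0/255.255.255.0", "10.2.1.0/255.255.255.0"),
            ("10.1.2.0/255.255.255.0", "10.2.1.0/255.255.255.0"),
            ("10.1.3.0/255.255.255.0", "10.2.1.0/255.255.255.0")]

IDENT = re.compile(r"(local|remote) ident .*: \(([\d.]+/[\d.]+)/\d+/\d+\)")
DIRECTION = re.compile(r"(inbound|outbound) esp sas:")
LIFETIME = re.compile(r"remaining key lifetime \(kB/sec\): \(\d+/(\d+)\)")

def parse_sas(text):
    """Return {(local, remote): {"inbound": secs, "outbound": secs}} for SAs present."""
    sas, ident, pair, direction = {}, {}, None, None
    for line in text.splitlines():
        if m := IDENT.search(line):
            ident[m.group(1)] = m.group(2)
            if m.group(1) == "remote":  # the remote ident completes a selector pair
                pair, direction = (ident["local"], ident["remote"]), None
                sas[pair] = {}
        elif m := DIRECTION.search(line):
            direction = m.group(1)
        elif (m := LIFETIME.search(line)) and pair and direction:
            sas[pair][direction] = int(m.group(1))  # remaining seconds
    return sas

def missing(expected, sas):
    """Expected selector pairs lacking an inbound or an outbound SA."""
    return [p for p in expected if len(sas.get(p, {})) < 2]
```

Running `missing(EXPECTED, parse_sas(output))` on captures taken before and after the subnets drop shows which selector pairs were not renegotiated, and the parsed remaining seconds show how close each surviving SA is to its lifetime.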
