659 Views, 0 Helpful, 1 Reply

VPN Tunnel instability

pramod (Level 1)

Hello Experts,

I am facing some issues with a VPN tunnel. I have formed the VPN tunnel between a Cisco PIX (ver 7.2) and a FortiGate (other vendor).

Once I initiate the tunnel from the FortiGate I can see the IKE phase up with IPsec up,

for e.g. 1 IKE and 5 IPsec, and all subnets will be reachable at that moment. After some time a few subnets go unreachable. When I check the PIX I can see the IKE phase is fine but only 2 IPsec are up. What might be the reason for this instability?

I set 86400 sec for both phase 1 and phase 2 on both devices.

Thanks,

KG

1 Reply

witsang (Cisco Employee)

Hello,

It could be that the FortiGate is maintaining the old IPsec SAs after the lifetime expiration and preventing the PIX from renegotiating new IPsec SAs. The 86400 sec lifetime seems high for phase 2. You can test lowering the IPsec SA lifetime value to 3600 seconds to see if it helps with the stability. A more frequent renegotiation of IPsec SAs may help prevent this situation from happening.

crypto ipsec security-association lifetime

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458
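As an added illustration (not part of the original reply, and not the poster's actual configuration), the PIX 7.2 lines below show the phase 2 lifetime as originally set, the lowered value suggested above, and the per-crypto-map form that limits the change to the FortiGate peer only. The crypto map name "outside_map", sequence number 10 and the remaining entries of the map are assumptions.

```text
! Phase 1 (ISAKMP) lifetime can stay at 86400 s; only phase 2 is lowered.
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec SA) lifetime as originally configured: 86400 s (one day).
! With the FortiGate holding stale SAs this is the value suspected above.
crypto ipsec security-association lifetime seconds 86400

! Global phase 2 lifetime lowered to 3600 s (one hour), as suggested.
! Applies to every crypto map entry that has no per-entry lifetime.
crypto ipsec security-association lifetime seconds 3600

! Alternative: override the lifetime only for the FortiGate peer's entry
! (assumed map name "outside_map" and sequence 10), leaving other
! tunnels at the global value.
crypto map outside_map 10 set security-association lifetime seconds 3600

! Verification: check the remaining lifetime and the SA count per
! peer; all five subnets should show an active SA after rekey.
show crypto ipsec sa peer <FORTIGATE_PEER_IP>
```

Set the same 3600 s phase 2 lifetime on the FortiGate side as well, so both ends expect the rekey at the same time.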
