Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
781
Views
0
Helpful
3
Replies

VPN Up Then Down Then Dead

cshepp
Level 1
Level 1

‎12-07-2006 04:47 AM - edited ‎03-11-2019 02:05 AM

Hi, have a strange one on the Pix'es and VPN site-to-site:

Pix515e (v7.0(5)) is the hub and Pix 506e is the branch. Can set up and initialize a VPN tunnel between them, IKE and IPSEC work, policies are the same including lifetimes and users can send data in the l2l tunnel. However after a length of time (seems random but always greater than 2 hrs) the VPN session dies and will not re-initialize even though "interesting" traffic is triggering the connection. An error message of "unable to remove PeerTbleEntry" appears. I then have to manually change the SA lifetime on both Pixes and the VPN comes back up. I do not know what is going on or why I need to manually change the SA. If I leave the Pixes for about 2hrs the VPN tunnel re-establishes on it's own; however that is 2hrs of downtime. I set up a PING -t to see if the tunnel would remain open and after a length of time (random but more than 2hrs) the VPN tunnel crashes again. Bandwidth utilization/memory/CPU is low so no buffer worries. I remote to the Pix 506e and Pix 515 outside the VPN and those SSH connections do not crash.

Any ideas?

Thanks.

Labels:
0 Helpful
3 Replies 3

cshepp
Level 1
Level 1

‎12-08-2006 08:12 AM

Think I solved the problem. Out of despair I decided to change the transform-sets. Confirmed that both sides were exactly the same first. I changed from MD5 to SHA....and the VPN has remained stable for 12hrs now. But I don't understand why this is so? I plan on changing back to MD5 on the weekend to see if the original problem can be replicated.

In the meantime does any one know why a change from MD5 to SHA would potentially "stabilize" a VPN tunnel??

Thanks

Colin

0 Helpful

t-heeter
Level 1
Level 1
In response to cshepp

‎12-08-2006 08:57 AM

Not positive about this, but if you don't want the tunnel to go down I think you should look at

isakmp keepalive

0 Helpful

cshepp
Level 1
Level 1
In response to t-heeter

‎12-08-2006 09:56 AM

Sorry, should have indicated that was already configured on the tunnels.

But thanks for your reply.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card