New Member

IPSEC L2L Tunnel hanging between PIX & VPN Concentrator

Problem: IPSEC tunnel configured as pre-share/des/md5 between PIX Firewall(s) & VPN 3030 Concentrator intermittently hangs. When this occurs the PIX is showing the SA as still being active (show crypto ipsec sa) whereas the 3030 doesn't. Only solution is to reboot the PIX so SA gets re-established.

PIX Firewall(s) running 6.2 & 6.3

VPN Concentrator running 3.6.3

4 REPLIES
Bronze

Re: IPSEC L2L Tunnel hanging between PIX & VPN Concentrator

Hi,

It could be a rekey issue on IKE/IPSec, try using 3.6.7D on the concentrator, if you are using already, or 4.0 if you will.

If it doesn't help, open a TAC case with the necessary debugs/logs for it to be taken up with the dev.

thx

Afaq

New Member

Re: IPSEC L2L Tunnel hanging between PIX & VPN Concentrator

Did you get a resolution? We have a similar problem between a PIX 501 and PIX 515.

New Member

Re: IPSEC L2L Tunnel hanging between PIX & VPN Concentrator

The TAC response was to make lifetimes identical on PIX & 3030 which didn't make any difference.

New Member

Re: IPSEC L2L Tunnel hanging between PIX & VPN Concentrator

We experienced the same problem you described in your message. Here's a summary of how I was able to fix it.

If the peer (PIX in your case) proposes a shorter lifetime measurement the Concentrator will use that measurement instead. That being said, you have to make sure the PIX is the one calling the shots when it comes to lifetime duration. To change the values on the Concentrator go to:

Configuration | Policy Management | Traffic Management | Security Associations and select the L2L SA. Make sure the Lifetime Measurement is set to Time and the Time Lifetime value is a longer duration than what's configured on the PIX.

My two cents.

Cody Rowland

Infrastructure Engineer
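The lifetime check described in the reply above, as an added example that is not part of the original thread: it reads the IPsec SA lifetime a PIX will propose for each peer from its configuration and reports whether the Concentrator's Time Lifetime for that peer is longer. The sample configuration, the peer addresses, the function names and the 28800-second PIX default are assumptions of this example; the Concentrator values are entered by hand from the Security Associations screen.

```python
import re

# Assumed PIX default IPsec SA lifetime when none is configured.
DEFAULT_IPSEC_SECONDS = 28800

# Constructed sample PIX 6.x configuration (not taken from the thread).
SAMPLE_PIX_CONFIG = """\
crypto ipsec transform-set L2LSET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 14400
crypto map OUTSIDE 10 ipsec-isakmp
crypto map OUTSIDE 10 set peer 192.0.2.10
crypto map OUTSIDE 10 set transform-set L2LSET
crypto map OUTSIDE 20 ipsec-isakmp
crypto map OUTSIDE 20 set peer 192.0.2.20
crypto map OUTSIDE 20 set security-association lifetime seconds 43200
"""


def pix_ipsec_lifetimes(config):
    """Return {peer_ip: seconds} the PIX will propose for each crypto map entry."""
    glob = re.search(
        r"^crypto ipsec security-association lifetime seconds (\d+)", config, re.M)
    default = int(glob.group(1)) if glob else DEFAULT_IPSEC_SECONDS
    peers, overrides = {}, {}
    for name, seq, rest in re.findall(r"^crypto map (\S+) (\d+) set (.+)$", config, re.M):
        peer = re.match(r"peer (\S+)", rest)
        if peer:
            peers[(name, seq)] = peer.group(1)
        life = re.match(r"security-association lifetime seconds (\d+)", rest)
        if life:
            # A per-entry lifetime overrides the global one.
            overrides[(name, seq)] = int(life.group(1))
    return {ip: overrides.get(key, default) for key, ip in peers.items()}


def check_concentrator(config, concentrator_seconds):
    """Map each peer to True when the Concentrator lifetime is longer than the PIX's."""
    return {peer: concentrator_seconds[peer] > pix_seconds
            for peer, pix_seconds in pix_ipsec_lifetimes(config).items()
            if peer in concentrator_seconds}


if __name__ == "__main__":
    # Constructed Concentrator Time Lifetime values, keyed by PIX-side peer address.
    configured = {"192.0.2.10": 28800, "192.0.2.20": 28800}
    for peer, ok in check_concentrator(SAMPLE_PIX_CONFIG, configured).items():
        print(peer, "OK" if ok else "Concentrator lifetime is not longer than the PIX's")
```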
