I have IPSEC tunnels between ten remote IOS routers and a central IOS router. When the IPSEC SA expires after 3600 seconds we are consistently getting data loss through the tunnel. This is causing havoc with some HP DTCs which don't seem to handle the data loss very well. The Cisco documentation says that a new security association is negotiated 30 seconds before the lifetime is reached "to ensure that a new security association is ready for use when the old one expires." Has anyone else run into this? One fix is to increase the lifetime.
I suspect that if the ISAKMP and IPSec SA lifetimes are both set to the same value (say 3600 secs), it might take a longer time to renegotiate a new SA. This is because both IKE and IPSec parameters need to be renegotiated. Try giving values like ISAKMP=10000 secs and IPSec=5000 secs. See if it again results in the same problem. If it still persists then it could be an IOS bug. By the way, which IOS version are you using?
The lifetimes are set for default; ISAKMP 86400 sec and IPSEC 3600 sec.
The central site is 2651 ver 12.2(11)T, the remote sites are 1720 with 12.1(1)XC.
I have a case open at TAC. They are sending a new AIM VPN module which I plan to install today; I have my doubts about that, but you never know. Also, when I'm working on the network today I was going to increase the IPSEC lifetime to 86400, but maybe I should make it slightly different as you suggested.
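To see when the Phase 1 (ISAKMP) and Phase 2 (IPsec) renegotiations would land in the same 30-second window, as hypothesised in the reply above, here is a small schedule model using the lifetimes quoted in the thread. This is an added example, not code from the thread or from Cisco; it assumes both SA types start renegotiating 30 seconds before expiry (the thread only cites that figure for the IPsec SA) and ignores traffic-volume lifetimes.

```python
"""Model IKE (ISAKMP) and IPsec SA rekey schedules on an IOS tunnel
and flag instants where both negotiations overlap."""

# Assumption: IOS starts negotiating a replacement SA this many seconds
# before the old one expires (the figure the original poster quotes for
# the IPsec SA; applied to the ISAKMP SA as well in this model).
REKEY_LEAD_SECONDS = 30


def rekey_times(lifetime, horizon):
    """Seconds (from tunnel-up) at which a new SA negotiation starts,
    for SAs with the given lifetime, up to `horizon` seconds."""
    times = []
    t = lifetime - REKEY_LEAD_SECONDS
    while t <= horizon:
        times.append(t)
        t += lifetime
    return times


def rekey_collisions(isakmp_lifetime, ipsec_lifetime,
                     horizon=86400, window=REKEY_LEAD_SECONDS):
    """Return (ike_rekey, ipsec_rekey) pairs that fall within `window`
    seconds of each other, i.e. moments where Phase 1 and Phase 2 must
    both be renegotiated before the IPsec SA is usable again."""
    ike = rekey_times(isakmp_lifetime, horizon)
    ipsec = rekey_times(ipsec_lifetime, horizon)
    return [(a, b) for a in ike for b in ipsec if abs(a - b) <= window]


if __name__ == "__main__":
    # Defaults from the thread: ISAKMP 86400 s, IPsec 3600 s.
    print("defaults:", rekey_collisions(86400, 3600))
    # Suggested values from the reply: 10000 s / 5000 s.
    print("10000/5000:", rekey_collisions(10000, 5000))
    # A non-multiple IPsec lifetime avoids the overlap within one day.
    print("86400/3500:", rekey_collisions(86400, 3500))
```

Under this model any IPsec lifetime that divides the ISAKMP lifetime lines the two rekeys up at least once per ISAKMP period, which is why choosing lifetimes that are not simple multiples of each other changes the behaviour.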