New Member

IPSEC SA renegotiation

I have IPSEC tunnels between ten remote IOS routers and a central IOS router. When the IPSEC SA expires after 3600 seconds we are consistently getting data loss through the tunnel. This is causing havoc with some HP DTC which don't seem to handle the data loss very well. The Cisco documentation says that a new security association is negotiated 30 seconds before the lifetime is reached "to ensure that a new security association is ready for use when the old one expires." Has anyone else run into this? One fix is to increase the lifetime.

Thank you,

Joe

2 REPLIES
New Member

Re: IPSEC SA renegotiation

I suspect that if the ISAKMP and IPSec SA lifetimes are both set the same (say 3600 secs), it might take a longer time to renegotiate a new SA. This is because both IKE and IPSec parameters need to be renegotiated. Try giving values like ISAKMP=10000 secs and IPSec=5000 secs. See if it again results in the same problem. If it still persists then it could be an IOS bug. By the way, which IOS version are you using?

New Member

Re: IPSEC SA renegotiation

The lifetimes are set for default; ISAKMP 86400 sec and IPSEC 3600 sec.

The central site is 2651 ver 12.2(11)T, the remote sites are 1720 with 12.1(1)XC.

I have a case open at TAC. They are sending a new AIM VPN module which I plan to install today. I have my doubts about that, but you never know. Also, when I'm working on the network today I was going to increase the IPSEC lifetime to 86400, but maybe I should make it slightly different as you suggested.

Thanks for the tip,
