IPSEC VPN Problems when renegotiating Keys

j.khandia
Level 1

I have a PIX 515 running 6.1(3).

My problem is regarding an IPsec VPN with IKE between my PIX and the remote site router. The VPN uses shared keys.

The issue I have is when the key lifetimes expire and the IKE key exchange is renegotiated.

I lose the VPN connection for about 10 minutes during which the PIX tries to negotiate the key with the remote router. This fails several times and the tunnel eventually connects.

What could be causing this?

I have thought of increasing the key lifetime but this will make the VPN less secure and will not solve the issue.

Any thoughts, anyone?

I need the tunnel to stay connected with zero downtime. At the moment I am losing the connection twice a day, which leaves users who are highly reliant on it without a connection.

4 Replies

jerry.friedman
Level 1

I have the exact same problem. The suggestions I am getting relate to "increasing the key lifetime." In fact, I also have the PIX 515 with the same IOS you are using. Mine is sitting in front of a Cisco VPN Concentrator 3030. When my tunnels drop, I just reboot my PIX and all is fine again, for about 4 more days. I am going to try increasing the key lifetime and see what it does.

Hi,

Thanks for your reply to my posting. Increasing the key lifetime, I am told, will make the VPN less secure, as the keys are not renegotiated as often. The same problem will occur, but over a longer period.

The tunnel will close as soon as the key expires even if the key lifetime is doubled and it will have the same issue renegotiating the key.

I have tried extending the key lifetime on the PIX and the remote peer, and my theory has proved to be true: loss of connection after the key expires, and problems renegotiating the tunnel.

If you are able to reach the bug resources of Cisco, please check out bug "CSCds53316". It seems there is a software issue/bug.

We suffer from the same problem. "clear ipsec sa" is a temporary solution, but it only works at the moment it is run.

Have a better day..

Onur DC

Hi,

Can I ask which version of the PIX software you are running?

I am currently running 6.1(3).

I have searched for the bug on the cisco website and found the following article:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/relnotes/pixrn601.htm

If you search for the bug CSCds53316 you mentioned, it is listed as a resolved caveat in v6.0(1) of the PIX software.

The issue seems to have resurfaced, as I am running a newer version, 6.1(3).

Many thanks, I will get onto Cisco about this.
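For readers hitting the same rekey symptom, the following is an added example (not configuration posted by anyone in this thread) showing a PIX 6.x LAN-to-LAN crypto configuration with the IKE and IPsec SA lifetimes set explicitly and matched on both peers, together with the commands used to watch a rekey happen. The peer addresses (192.0.2.1 and 198.51.100.1), the protected subnets, the map, transform-set and access-list names and the pre-shared key are all assumed for illustration. The lifetime values shown are the PIX defaults (86400 s for IKE, 28800 s for IPsec); they are stated explicitly so that a mismatch with the far end is easy to spot. Note that this does not address the software caveat referenced above; it only removes lifetime mismatch as a variable before engaging Cisco.

```cisco
! ---- PIX 515, 6.x syntax (outside interface 192.0.2.1, inside 10.1.0.0/24) ----
! Phase 1 (IKE) policy: both peers must agree on every attribute,
! and the negotiated lifetime is the shorter of the two proposals.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Pre-shared key for the remote router (assumed key, assumed peer address)
isakmp key ExamplePSK-ChangeMe address 198.51.100.1 netmask 255.255.255.255

! Phase 2 (IPsec) SA lifetime, set globally so every map entry inherits it
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac

! Interesting traffic: local 10.1.0.0/24 to remote 10.2.0.0/24 (assumed subnets)
access-list L2L-TRAFFIC permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto map L2L-MAP 10 ipsec-isakmp
crypto map L2L-MAP 10 match address L2L-TRAFFIC
crypto map L2L-MAP 10 set peer 198.51.100.1
crypto map L2L-MAP 10 set transform-set L2L-SET
crypto map L2L-MAP interface outside
sysopt connection permit-ipsec

! ---- Remote Cisco IOS router (outside 198.51.100.1, inside 10.2.0.0/24) ----
! The same attributes and the same lifetimes, mirrored.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key ExamplePSK-ChangeMe address 192.0.2.1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set L2L-SET
 match address 101
interface Serial0
 crypto map L2L-MAP

! ---- Observing the rekey on the PIX ----
! Run these shortly before the IPsec SA lifetime is due to expire:
show isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
! Workaround mentioned in the thread: force a fresh Phase 2 negotiation
clear ipsec sa
```

When comparing the two sides, read the negotiated lifetime and remaining time out of `show crypto ipsec sa` on both peers; if one side shows a shorter lifetime than it was configured with, the other peer proposed the lower value and the rekey timing is being driven from there. Keep the debugs enabled only for the window around the expiry, since they are verbose on a busy tunnel.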