10-02-2002 12:07 PM - edited 02-21-2020 12:05 PM
I have a PIX 515 6.1(3)
My problem is regarding an IPsec VPN with IKE between my PIX and the remote site router. The VPN uses shared keys.
The issue I have is when the key lifetimes expire and the IKE key exchange is renegotiated.
I lose the VPN connection for about 10 minutes during which the PIX tries to negotiate the key with the remote router. This fails several times and the tunnel eventually connects.
What could be causing this?
I have thought of increasing the key lifetime but this will make the VPN less secure and will not solve the issue.
any thoughts anyone?
I need the tunnel to stay connected with zero downtime at the moment I am losing the connection twice a day which leaves users who are highly reliant without connection.
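The post above describes rekeys that take about ten minutes and happen twice a day. Before changing lifetimes it helps to measure that from the firewall's syslog: when each cycle started, how many negotiation attempts failed, and how long the tunnel was down. The script below is an added example, not code from the original thread; it runs over constructed, stylised log lines (the event wording and `peer=` field are assumptions for the example, not the real PIX syslog message format), and the `year` argument is needed because BSD syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real PIX syslog output): each rekey cycle begins
# with an "SA lifetime expired" event and ends with "tunnel established".
SAMPLE_LOG = """\
Oct 02 06:00:01 pix ISAKMP: SA lifetime expired peer=203.0.113.5
Oct 02 06:00:03 pix ISAKMP: phase 1 negotiation failed peer=203.0.113.5
Oct 02 06:02:03 pix ISAKMP: phase 1 negotiation failed peer=203.0.113.5
Oct 02 06:04:03 pix ISAKMP: phase 1 negotiation failed peer=203.0.113.5
Oct 02 06:06:03 pix ISAKMP: phase 1 negotiation failed peer=203.0.113.5
Oct 02 06:08:03 pix ISAKMP: phase 1 negotiation failed peer=203.0.113.5
Oct 02 06:10:12 pix ISAKMP: tunnel established peer=203.0.113.5
Oct 02 12:00:01 pix ISAKMP: SA lifetime expired peer=198.51.100.9
Oct 02 12:00:02 pix ISAKMP: tunnel established peer=198.51.100.9
Oct 02 18:00:01 pix ISAKMP: SA lifetime expired peer=203.0.113.5
Oct 02 18:00:03 pix ISAKMP: phase 1 negotiation failed peer=203.0.113.5
Oct 02 18:09:47 pix ISAKMP: tunnel established peer=203.0.113.5
"""

# Assumed line shape: "<Mon> <dd> <HH:MM:SS> <host> ISAKMP: <event> peer=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ ISAKMP: "
    r"(?P<event>.+?) peer=(?P<peer>\S+)$"
)


def parse_ts(ts, year):
    """Syslog timestamps have no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def rekey_outages(log_text, year=2002):
    """Per peer, return a list of (start, end, seconds_down, failed_attempts)
    for every rekey cycle that began with an SA expiry and ended with the
    tunnel coming back."""
    open_cycles = {}            # peer -> [expiry time, failed attempts so far]
    outages = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # ignore lines that are not ISAKMP events
        peer, event = m["peer"], m["event"]
        t = parse_ts(m["ts"], year)
        if event.startswith("SA lifetime expired"):
            open_cycles[peer] = [t, 0]
        elif event.startswith("phase 1 negotiation failed") and peer in open_cycles:
            open_cycles[peer][1] += 1
        elif event.startswith("tunnel established") and peer in open_cycles:
            start, fails = open_cycles.pop(peer)
            outages[peer].append((start, t, (t - start).total_seconds(), fails))
    return dict(outages)


def flag_slow_rekeys(outages, threshold_seconds=30):
    """A healthy rekey completes in seconds; anything slower is an outage
    worth raising with the vendor. Returns (peer, seconds_down, failed_attempts)."""
    return [
        (peer, secs, fails)
        for peer, cycles in outages.items()
        for _start, _end, secs, fails in cycles
        if secs > threshold_seconds
    ]


if __name__ == "__main__":
    result = rekey_outages(SAMPLE_LOG)
    for peer, cycles in result.items():
        for start, end, secs, fails in cycles:
            print(f"{peer}: down {secs:.0f}s from {start:%H:%M:%S} "
                  f"to {end:%H:%M:%S}, {fails} failed attempt(s)")
    for peer, secs, fails in flag_slow_rekeys(result):
        print(f"SLOW REKEY {peer}: {secs:.0f}s, {fails} failure(s)")
```

Run against real output the regex and event strings must be adapted to whatever the firewall actually logs; the value of the approach is that it separates a slow rekey (long gap, several failed attempts) from a healthy one, and shows that doubling the lifetime would only space the same gaps further apart.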
10-04-2002 05:57 AM
I have the exact same problem. The suggestions I am getting relate to "increasing the key lifetime." In fact I also have the PIX 515 with the same IOS you are using. Mine is sitting in front of a Cisco VPN Concentrator 3030. When my tunnels drop, I just reboot my PIX and all is fine again, for about 4 more days. I am going to try increasing the key lifetime and see what it does.
10-04-2002 06:10 AM
Hi,
Thanks for your reply to my posting. Increasing the key lifetime, I am told, will make the VPN less secure as the keys are not renegotiated as often. The same problem will occur, but over a longer period.
The tunnel will close as soon as the key expires even if the key lifetime is doubled and it will have the same issue renegotiating the key.
I have tried extending the key lifetime on the PIX and the remote peer, and my theory has proved to be true: loss of connection after the key expires and problems renegotiating the tunnel.
10-04-2002 07:16 AM
If you are able to reach the bug resources of Cisco, please check out bug CSCds53316. It seems there is a software issue/bug.
We suffer with the same problem. "clear ipsec sa" is a temporary solution, but it only works at the moment it is issued.
Have a better day..
Onur DC
10-04-2002 07:41 AM
Hi,
Can I ask which version of the PIX software you are running?
I am currently running 6.1(3)
I have searched for the bug on the cisco website and found the following article:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/relnotes/pixrn601.htm
If you search for the bug CSCds53316 you mentioned, it is listed as a resolved caveat in v6.0(1) of the PIX software.
The issue seems to have resurfaced, as I am running a newer version, 6.1(3).
Many thanks I will get onto Cisco about this.