
Is key exchange causing application failures?

Are there any issues with key exchanges causing applications to drop data connections while connected via VPN?

Ex. Some file transfers have been dropped. Also an application they are running (locally) called Team Coherence drops its connection when doing a bulk transfer.

Here is my current config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication samurai
crypto map outside_map interface outside
crypto map outisde_map 20 ipsec-isakmp
crypto map outisde_map 20 set pfs group2
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
vpngroup group address-pool addr_pool
vpngroup group dns-server <private IP>
vpngroup group wins-server <private IP>
vpngroup group default-domain siscocorp.com
vpngroup group split-tunnel siscocorp_splitTunnelAcl
vpngroup group idle-time 1800
vpngroup group password ********

According to my config the key exchange should only take place hourly.

Thanks in advance....

1 REPLY

Re: Is key exchange causing application failures?

The ISAKMP lifetime only applies to the keys used for IKE encryption that are generated using Diffie-Hellman. A separate set of keys is used for IPsec data encryption, and the default is 8 hours. This can be changed with:

crypto ipsec security-association lifetime seconds xxx

However, tunnels are negotiated using the lower lifetime of the two peers. If the other host asks for a lower time, then that one will be used.

So you're using a Cisco client VPN connection directly from the remote app server? The idle-timer is at 30 min. (1800 secs). Do hosts have quiet periods for 30 min? If so, the VPN connection will be dropped. This is probably the source of your issues.
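As an added illustration (not code from either poster), a small Python script that pulls the three timers the reply discusses out of a PIX-style config like the one posted and reports which would fire first during a traffic-free interval; the default lifetimes and the trimmed sample config are assumptions based on the thread.

```python
import re

# Constructed sample: the timer-carrying lines from the posted config.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outisde_map 20 set pfs group2
isakmp policy 20 lifetime 3600
vpngroup group idle-time 1800
vpngroup group password ********
"""

# Assumed platform defaults when the keyword is absent: IKE SA one day,
# IPsec SA eight hours (the "8 hours" the reply mentions).
DEFAULT_IKE_LIFETIME = 86400
DEFAULT_IPSEC_LIFETIME = 28800


def vpn_timers(config):
    """Extract the IKE lifetime, IPsec SA lifetime and vpngroup idle-time."""
    timers = {"ike_lifetime": DEFAULT_IKE_LIFETIME,
              "ipsec_lifetime": DEFAULT_IPSEC_LIFETIME,
              "idle_time": None}
    patterns = {
        "ike_lifetime": r"isakmp policy \d+ lifetime (\d+)$",
        "ipsec_lifetime": r"crypto ipsec security-association lifetime seconds (\d+)$",
        "idle_time": r"vpngroup \S+ idle-time (\d+)$",
    }
    for line in config.splitlines():
        for key, pattern in patterns.items():
            m = re.match(pattern, line.strip())
            if m:
                timers[key] = int(m.group(1))
    return timers


def first_event(timers, quiet_seconds):
    """Return (seconds, event) for the first timer to expire while no traffic
    flows for quiet_seconds, or None if nothing expires. A rekey replaces keys
    in place; an idle-drop tears the tunnel down, which is the symptom the
    thread is chasing."""
    events = [(timers["ike_lifetime"], "ike-rekey"),
              (timers["ipsec_lifetime"], "ipsec-rekey")]
    if timers["idle_time"] is not None:
        events.append((timers["idle_time"], "idle-drop"))
    due = [e for e in events if e[0] <= quiet_seconds]
    return min(due) if due else None
```

With the posted values, a 40-minute quiet period hits the 1800 s idle-drop long before either rekey, and only an explicit `crypto ipsec security-association lifetime` line pulls the IPsec rekey below the hourly ISAKMP value.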
