PIX 506 to Concentrator connection dropouts

cfiegert
Level 1

Hi,

We have set up a PIX 506e to connect to an unknown Cisco concentrator in the US (managed by a third party). The VPN is up and working; however, occasionally the VPN drops out and we get the following error:

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(sa_find_prot): invalid protocol on SADB lookup

I'm assuming it's a timeout error, so both the PIX and the concentrator have their lifetimes now set to 86400. When this occurs the only way to get the two to reconnect is to reload the PIX.

Thoughts...

4 Replies

bwalchez
Level 4

I am really not sure about this problem, but you could try these debug commands to get a better picture of it:

* debug crypto engine - Shows the traffic that is encrypted.

* debug crypto ipsec - To see the IPSec negotiations of phase 2.

* debug crypto isakmp - To see the ISAKMP negotiations of phase 1.

Yep, that's how I got the info out that was included in the original post.

I'm going to try to stagger the PIX so that it does a reset every half day, but I shouldn't have to do this.

I should be able to keep the connection permanently up????

See if enabling IKE keepalive would help. Set it on the group for the LAN-to-LAN on the concentrator, and enable isakmp keepalive on the PIX.

http://www.cisco.com/warp/customer/471/renegotiate.html

Regards,

I have set keepalive on the PIX to be 180 seconds and it still dropped out overnight. As I don't control the VPN Concentrator (third party), what has to be set on this??
