Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
252
Views
0
Helpful
4
Replies

PIX to Netscreen VPN

agoodwin
Level 1
Level 1

‎03-17-2003 04:23 AM - edited ‎02-21-2020 12:25 PM

Hi all,

Does anyone have this situation working properly? My issue is that when the line drops for whatever reason the netscreen and pix fail to re-negotiate automatically. If I reboot both, or clear crypto ipsec sa etc on them both they re-negotiate fine. If the sa timeout expires I think they eventually work too. From syslog it appears that I get "invalid" spi for this site-site.

Any idea's?

cheers for any help.

Andy

The pix is 6.22, the netscreen has older software however - this is managed by another party so im a little lacking on knowledge with it.

Labels:
0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎03-17-2003 05:19 PM

This is because in the IPSec/ISAKMP protocol specs there's nothing that talks about keepalives or anything similar, so if one end dies the other end never knows about it. If you manually clear the SA's, the PIX will send a Delete notification to the other end telling it to clear its SAs also, but this doesn't work if the PIX or Netscreen crashes/reboots/etc.

Cisco devices can run a regular ISAKMP Keepalive mechanism between them ("crypto isakmp keepalive" command), but this is propietary (since as I said there is no standard), so they'll know when the other end has gone down, but this won't work to a NetScreen.

0 Helpful

mostiguy
Level 6
Level 6
In response to gfullage

‎03-18-2003 05:13 AM

Would his best bet to lower the connection agreement lifetimes so that renewal occurs more frequently?

0 Helpful

agoodwin
Level 1
Level 1
In response to mostiguy

‎03-18-2003 05:53 AM

cheers for the replies guys.

I have the timeout to 28800 at the moment.

Is that too long do you think?

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to agoodwin

‎03-18-2003 02:56 PM

There's two timers, one for Phase 1 (ISAKMP) and one for Phase 2 (IPSec data). The PIX efaults to 24 hours for Phase 1 and 28800 minutes (8 hours) for Phase 2. It'll be the Phase 2 lifetime you want to change.

You can set it down low so that it'll be rebuilt more often, which will sort of get around the problem, although you still will have an outage. The more often the SA's are rebuilt though the more load it puts on both boxes, so don't set it too low.

I normally set them to 1 hour, but in your case you may want this a lot smaller, I wouldn't go with anything less than 10 minutes or so though, which worse case scenario still means a 10 minute outage. Make sure you set these on both sides also.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents