Does anyone have this situation working properly? My issue is that when the line drops for whatever reason the NetScreen and PIX fail to re-negotiate automatically. If I reboot both, or clear crypto ipsec sa etc. on them both, they re-negotiate fine. If the SA timeout expires I think they eventually work too. From syslog it appears that I get "invalid SPI" for this site-to-site.
Cheers for any help.
The PIX is 6.22; the NetScreen has older software, however this is managed by another party so I'm a little lacking in knowledge of it.
This is because in the IPsec/ISAKMP protocol specs there's nothing that talks about keepalives or anything similar, so if one end dies the other end never knows about it. If you manually clear the SAs, the PIX will send a Delete notification to the other end telling it to clear its SAs also, but this doesn't work if the PIX or NetScreen crashes/reboots/etc.
Cisco devices can run a regular ISAKMP keepalive mechanism between them ("crypto isakmp keepalive" command), but this is proprietary (since, as I said, there is no standard), so they'll know when the other end has gone down, but this won't work to a NetScreen.
There are two timers, one for Phase 1 (ISAKMP) and one for Phase 2 (IPsec data). The PIX defaults to 24 hours for Phase 1 and 28800 minutes (8 hours) for Phase 2. It'll be the Phase 2 lifetime you want to change.
You can set it down low so that it'll be rebuilt more often, which will sort of get around the problem, although you will still have an outage. The more often the SAs are rebuilt, though, the more load it puts on both boxes, so don't set it too low.
I normally set them to 1 hour, but in your case you may want this a lot smaller. I wouldn't go with anything less than 10 minutes or so though, which in the worst case scenario still means a 10 minute outage. Make sure you set these on both sides also.
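As an added example (not posted by either participant above), here is how the Phase 2 lifetime described in the answer is set on a PIX 6.x, both globally and per crypto map entry. Note that the PIX command takes the value in seconds, not minutes; the crypto map name "mymap", sequence number 10 and peer address 192.0.2.1 are placeholders.

```cisco
! Added example (not from the original thread): Phase 2 (IPsec) SA lifetime on PIX 6.x.
! All lifetime values are in seconds. "mymap", "10" and 192.0.2.1 are placeholders.
!
! Global lifetime applied to every IPsec SA that has no per-map override.
! 3600 s = 1 hour, the value the answer above says it normally uses.
crypto ipsec security-association lifetime seconds 3600
!
! Per-peer override for the NetScreen tunnel: 600 s = 10 minutes, the lowest
! value the answer recommends. The same value must be configured on the NetScreen.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer 192.0.2.1
crypto map mymap 10 set security-association lifetime seconds 600
!
! A changed lifetime only applies to SAs negotiated after the change, so tear
! down the current SAs (this also sends the Delete notification to the peer)
! and then verify the new lifetime on the rebuilt SA.
clear crypto ipsec sa
show crypto ipsec sa
```

In the "show crypto ipsec sa" output, check the "sa timing: remaining key lifetime" line for the active SA: it should count down from the new value, and if it still shows the old lifetime the SA was not rebuilt after the change.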
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :