PIX to PIX l2l VPN randomly drops

rfranzke (Level 1)

I have a LAN-to-LAN tunnel set up between two PIXes, one a 515E running 7.0.4 and the other a 520 running 6.3.3. Periodically the tunnel will drop for about 15-20 minutes and then re-establish again. I cannot see any reason in the IPsec logging information as to why this is happening. It seems to be a normal part of the IPsec l2l process and therefore is not logged. The last time this happened I got the following information while doing a sh crypto isakmp sa:

    C515-A# sh crypto isakmp sa
    Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2

    1 IKE Peer: x.x.x.x
    Type : user Role : responder
    Rekey : no State : AM_ACTIVE

    2 IKE Peer: x.x.x.x
    Type : user Role : initiator
    Rekey : no State : MM_WAIT_MSG6

It seems as though there is a timer somewhere that is expiring that drops the session on one side. Then the session on the other side times out and the session gets re-established. ISAKMP keepalives are disabled on both sides, but it still does no good. I have tried this with keepalives enabled and still get the same result. If anyone has seen this before, I would appreciate a fix. Thanks.

1 Reply

vkapoor5 (Level 5)

ISAKMP and IPsec Security Associations have lifetime values. Generally, new SAs are formed before the old ones expire, thus ensuring tunnel continuity. If these lifetime values are not configured correctly, then I guess there could be tunnel drops. I would suggest you check both the lifetime values. Lifetimes can be either time in seconds or the amount of data in bytes.
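As an added example (not code from either poster or from Cisco), the script below does two things a practitioner would want when chasing a drop like the one in the question: it parses the PIX 7.x "show crypto isakmp sa" output quoted above and flags a peer that has more than one non-rekey IKE SA or an SA parked in a MM_WAIT_/AM_WAIT_ negotiation state, and it compares the ISAKMP and IPsec lifetimes gathered from both sides as the reply suggests. The sample output and the peer address 203.0.113.10 are constructed, and the lifetime field names (isakmp_seconds, ipsec_seconds, ipsec_kilobytes) are hypothetical; in IKEv1 the peers settle on the shorter lifetime, so a mismatch is worth knowing about even when it is not itself fatal.

```python
"""Parse PIX 7.x 'show crypto isakmp sa' output, flag suspicious IKE SA state,
and compare SA lifetimes configured on two peers. Added example; the sample
output below is constructed to mirror the thread's quoted output."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the question's output (peer address is a
# documentation address, not a real peer).
SAMPLE_OUTPUT = """\
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 203.0.113.10
Type : user Role : responder
Rekey : no State : AM_ACTIVE

2 IKE Peer: 203.0.113.10
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG6
"""


@dataclass
class IkeSa:
    index: int
    peer: str
    sa_type: str
    role: str
    rekey: bool
    state: str


PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
STATE_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return the IKE SAs listed in 'show crypto isakmp sa' output."""
    sas, current = [], None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:  # start of a new SA entry
            current = {"index": int(m.group(1)), "peer": m.group(2)}
            continue
        if current is None:  # header lines before the first entry
            continue
        m = TYPE_RE.search(line)
        if m:
            current["sa_type"], current["role"] = m.group(1), m.group(2)
            continue
        m = STATE_RE.search(line)
        if m:  # last line of an entry
            current["rekey"] = m.group(1).lower() == "yes"
            current["state"] = m.group(2)
            sas.append(IkeSa(**current))
            current = None
    return sas


def find_anomalies(sas):
    """Flag peers with duplicate non-rekey SAs and SAs stuck mid-negotiation."""
    findings, by_peer = [], {}
    for sa in sas:
        by_peer.setdefault(sa.peer, []).append(sa)
    for peer, group in by_peer.items():
        active = [s for s in group if not s.rekey]
        if len(active) > 1:
            findings.append(f"{peer}: {len(active)} non-rekey IKE SAs (expected 1)")
        for s in group:
            if s.state.startswith(("MM_WAIT_", "AM_WAIT_")):
                findings.append(f"{peer}: SA {s.index} ({s.role}) stuck in {s.state}")
    return findings


def check_lifetimes(side_a, side_b):
    """Compare lifetimes gathered from both peers; keys are hypothetical names
    for the ISAKMP policy lifetime and the IPsec SA seconds/kilobytes limits."""
    mismatches = []
    for key in ("isakmp_seconds", "ipsec_seconds", "ipsec_kilobytes"):
        a, b = side_a.get(key), side_b.get(key)
        if a != b:
            mismatches.append(f"{key}: {a} vs {b}")
    return mismatches


if __name__ == "__main__":
    for finding in find_anomalies(parse_isakmp_sa(SAMPLE_OUTPUT)):
        print(finding)
    # Constructed lifetimes for illustration: IPsec SA seconds differ.
    print(check_lifetimes(
        {"isakmp_seconds": 86400, "ipsec_seconds": 28800, "ipsec_kilobytes": 4608000},
        {"isakmp_seconds": 86400, "ipsec_seconds": 3600, "ipsec_kilobytes": 4608000}))
```

Run it against a capture of "show crypto isakmp sa" from the 7.x side; a peer that repeatedly shows one AM_ACTIVE entry plus an initiator entry that never leaves MM_WAIT_MSG6 is the pattern in the question, and pairing that capture with the lifetime comparison narrows the search the reply recommends.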