I have a LAN-to-LAN tunnel set up between two PIXs, one a 515E running 7.0.4 and the other a 520 running 6.3.3. Periodically the tunnel will drop for about 15-20 minutes and then re-establish again. I cannot see any reason in the ipsec logging information of why this is happening. It seems to be a normal part of the IPSEC l2l process and therefore is not logged. The last time this happened I got the following information while doing a sh crypto isakmp sa:
C515-A# sh crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG6
It seems as though there is a timer somewhere that is expiring that drops the session on one side. Then the session on the other side times out and the session gets re-established. ISAKMP keepalives are disabled on both sides but it still does no good. I have tried this with keepalives enabled and still the same result. If anyone has seen this before, I would appreciate a fix. Thanks.
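As an added diagnostic example (not part of the original thread), this Python snippet parses the sh crypto isakmp sa output quoted above and reports any peer that shows a completed phase 1 SA alongside a second SA stuck part-way through negotiation, which is the pattern visible in the post. The sample text is reconstructed from the post, with the peer address kept as its x.x.x.x placeholder.

```python
import re
from typing import Dict, List

# Constructed sample: the "sh crypto isakmp sa" output quoted in the post,
# with the peer address kept as the post's x.x.x.x placeholder.
SAMPLE = """\
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG6
"""

# IKE phase 1 is complete only in these states (main mode / aggressive mode);
# MM_WAIT_MSGn means the initiator is still waiting for the peer's nth message.
ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA from the 'N IKE Peer:' line and the two
    'key : value key : value' lines that follow it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sas: List[Dict[str, str]] = []
    for i, ln in enumerate(lines):
        m = re.match(r"(\d+)\s+IKE Peer:\s*(\S+)", ln)
        if not m:
            continue
        sa = {"Index": m.group(1), "Peer": m.group(2)}
        for detail in lines[i + 1:i + 3]:
            sa.update(re.findall(r"(\w+)\s*:\s*(\S+)", detail))
        sas.append(sa)
    return sas


def peers_with_stalled_sa(sas: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Peers showing an established SA next to one stuck mid-negotiation, the
    pattern in the post: the old SA is still up while a new one never completes.
    Maps peer -> list of the non-established states seen for it."""
    by_peer: Dict[str, List[Dict[str, str]]] = {}
    for sa in sas:
        by_peer.setdefault(sa["Peer"], []).append(sa)
    result: Dict[str, List[str]] = {}
    for peer, group in by_peer.items():
        stuck = [sa["State"] for sa in group if sa["State"] not in ESTABLISHED]
        if stuck and len(stuck) < len(group):
            result[peer] = stuck
    return result
```

Run peers_with_stalled_sa(parse_isakmp_sa(SAMPLE)) against a capture taken while the tunnel is down; an empty result means every SA for every peer is either fully up or fully absent.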
ISAKMP and IPSec Security Associations have lifetime values. Generally, new SAs are formed before the old ones expire, thus ensuring tunnel continuity. If these lifetime values are not configured correctly, then I guess there could be tunnel drops. I would suggest you check both the lifetime values. Lifetimes can be either time in seconds or the amount of data in bytes.