Cisco Support Community
PIX to PIX l2l VPN randomly drops

I have a LAN-to-LAN tunnel set up between two PIXs, one a 515E running 7.0.4 and the other a 520 running 6.3.3. Periodically the tunnel will drop for about 15-20 minutes and then re-establish again. I cannot see any reason in the IPsec logging information as to why this is happening. It seems to be a normal part of the IPsec l2l process and therefore is not logged. The last time this happened I got the following information while doing a sh crypto isakmp sa:

C515-A# sh crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE

2 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG6

It seems as though there is a timer somewhere that is expiring that drops the session on one side. Then the session on the other side times out and the session gets re-established. ISAKMP keepalives are disabled on both sides, but it still does no good. I have tried this with keepalives enabled and still get the same result. If anyone has seen this before, I would appreciate a fix. Thanks.

Re: PIX to PIX l2l VPN randomly drops

ISAKMP and IPsec Security Associations have lifetime values. Generally, new SAs are formed before the old ones expire, thus ensuring tunnel continuity. If these lifetime values are not configured correctly, then I guess there could be tunnel drops. I would suggest you check both the lifetime values. Lifetimes can be either time in seconds or the amount of data in bytes.
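As an added example (not from the thread or from Cisco), the following script parses the sh crypto isakmp sa output format quoted in the question and flags the patterns visible there: a peer holding two IKE SAs with no rekey in progress, an SA stuck in a negotiation state such as MM_WAIT_MSG6, and one SA in aggressive mode beside another in main mode. The set of "established" state names and the sample peer address are assumptions.

```python
import re
from collections import defaultdict, namedtuple

# Sample output constructed from the format shown in the question; the peer
# address is a documentation-range placeholder, not the poster's real peer.
SAMPLE = """\
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 203.0.113.10
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: 203.0.113.10
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG6
"""

# Phase 1 states taken to mean the IKE SA is fully established (assumed set;
# AM_ prefixes are aggressive mode, MM_ prefixes are main mode).
ESTABLISHED = {"AM_ACTIVE", "MM_ACTIVE"}

# One entry spans three lines; \s+ also tolerates the blank lines that the
# forum rendering inserted between them.
SA_RE = re.compile(
    r"(\d+)\s+IKE Peer:\s*(\S+)\s+Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)"
    r"\s+Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)"
)

IkeSa = namedtuple("IkeSa", "index peer sa_type role rekey state")

def parse_isakmp_sa(text):
    """Return one IkeSa per entry in 'show crypto isakmp sa' output."""
    return [IkeSa(int(i), peer, t, role, rk.lower() == "yes", st)
            for i, peer, t, role, rk, st in SA_RE.findall(text)]

def find_issues(sas):
    """Flag patterns that indicate a dropped tunnel being re-negotiated."""
    issues, by_peer = [], defaultdict(list)
    for sa in sas:
        by_peer[sa.peer].append(sa)
        if sa.state not in ESTABLISHED:       # negotiation not completed
            issues.append(("stuck", sa.peer, sa.index, sa.state))
    for peer, group in by_peer.items():
        # Two IKE SAs to one peer with no rekey in progress: one is stale.
        if len(group) > 1 and not any(sa.rekey for sa in group):
            issues.append(("duplicate_sa", peer, len(group), None))
        # One side negotiating in aggressive mode, the other in main mode.
        if {sa.state.split("_")[0] for sa in group} >= {"AM", "MM"}:
            issues.append(("mixed_mode", peer, None, None))
    return issues
```

Run find_issues(parse_isakmp_sa(SAMPLE)) against a periodic capture of the command output to see when the stale SA appears relative to the configured lifetimes.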
