
New Member

"Death by retransmission P2"

After some initial troubleshooting it appears that my remote VPN device is "too busy" to service my phase 2 "rekeys" from my local VPN device. I see the following in my debug output ...

"Death by retransmission P2"

Does anybody know if I can configure my local Cisco VPN Device (IOS) to retransmit phase 2 "rekey" at something other than the default values. I need to know this ASAP so any help would be greatly appreciated.

3 REPLIES
New Member

Re: "Death by retransmission P2"

If you are getting the debug message "death by retrans", this is usually because your peer device is not properly configured. If you've already established that phase 1 completes, go back through your configs and try different SAs and hashes for your phase 2 negotiations. It would help to know what you're terminating the IOS tunnel to as well.

robert_watson@ieee.org

CCNP/CCDA

New Member

Re: "Death by retransmission P2"

I should have mentioned that both phase 1 and phase 2 have been established. This problem ONLY appears when my phase 2 needs to be renegotiated at the end of its key lifetime, meaning I am passing traffic over the tunnel when I see this message in the debug output. I checked the output because I suddenly lost data over my existing tunnel. The timestamp is an exact match to when the key lifetime was set to expire. A sniffer trace also confirms that the remote VPN device responds too late and the tunnel is brought down before it responds.

Terminating my tunnel to a Nortel Contivity Extranet Switch.

New Member

Re: "Death by retransmission P2"

Heh, you never mentioned you were trying to connect the tunnel to a different vendor platform. You can do one of two things: change the Nortel device settings to match the Cisco default rekey intervals, or vice versa. Here's how to change the Cisco settings on IOS; not sure how on Nortel.

The Cisco default IKE lifetime is 86400 seconds (=1440 minutes), and it can be modified by the following commands:

crypto isakmp policy #

lifetime #

The configurable Cisco IKE lifetime is from 60-86400 seconds.

The Cisco default IPSec lifetime is 3600 seconds, and it can be modified by the following command:

crypto ipsec security-association lifetime seconds #

The configurable Cisco IPSec lifetime is from 120-86400 seconds.
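As an added example (not code from the thread or from Cisco): a small Python check that pulls the two lifetimes out of an IOS config snippet, validates them against the ranges quoted in the reply above, and flags any mismatch with the peer's values. The peer's lifetimes are passed in by hand, since the Nortel side is not parsed here, and the sample config is constructed.

```python
import re

# Ranges and defaults as quoted in the reply above (Cisco IOS, seconds).
IKE_LIFETIME_RANGE = (60, 86400)
IPSEC_LIFETIME_RANGE = (120, 86400)
IKE_DEFAULT = 86400
IPSEC_DEFAULT = 3600


def parse_ios_lifetimes(config: str) -> dict:
    """Return {"ike": {policy: seconds}, "ipsec": seconds} from IOS config text.
    Values not present in the config fall back to the Cisco defaults."""
    ike, current, ipsec = {}, None, IPSEC_DEFAULT
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", s)
        if m:  # entering an isakmp policy block
            current = int(m.group(1))
            ike[current] = IKE_DEFAULT
            continue
        m = re.match(r"lifetime (\d+)$", s)
        if m and current is not None:  # 'lifetime' inside the policy block
            ike[current] = int(m.group(1))
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", s)
        if m:
            ipsec = int(m.group(1))
        if s == "!" or s.startswith("crypto "):  # any top-level line ends the block
            current = None
    return {"ike": ike, "ipsec": ipsec}


def check_rekey_alignment(local: dict, peer_ike: int, peer_ipsec: int) -> list:
    """List out-of-range lifetimes and any value that differs from the peer's."""
    findings = []
    lo, hi = IKE_LIFETIME_RANGE
    for pol, secs in local["ike"].items():
        if not lo <= secs <= hi:
            findings.append(f"isakmp policy {pol}: lifetime {secs}s outside {lo}-{hi}")
        if secs != peer_ike:
            findings.append(f"isakmp policy {pol}: IKE lifetime {secs}s != peer {peer_ike}s")
    lo, hi = IPSEC_LIFETIME_RANGE
    if not lo <= local["ipsec"] <= hi:
        findings.append(f"ipsec SA lifetime {local['ipsec']}s outside {lo}-{hi}")
    if local["ipsec"] != peer_ipsec:
        findings.append(f"ipsec SA lifetime {local['ipsec']}s != peer {peer_ipsec}s")
    return findings


# Constructed sample config (hypothetical, not from the thread).
SAMPLE_CONFIG = """crypto isakmp policy 10
 encr 3des
 hash sha
 lifetime 28800
!
crypto ipsec security-association lifetime seconds 3600
"""
```

Run `check_rekey_alignment(parse_ios_lifetimes(SAMPLE_CONFIG), peer_ike=86400, peer_ipsec=3600)` to see the IKE lifetime mismatch reported; with matching peer values the list is empty.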
