After some initial troubleshooting it appears that my remote VPN device is "too busy" to service my phase 2 "rekeys" from my local VPN device. I see the following in my debug output ...
"Death by retransmission P2"
Does anybody know if I can configure my local Cisco VPN Device (IOS) to retransmit phase 2 "rekey" at something other than the default values. I need to know this ASAP so any help would be greatly appreciated.
If you are getting the debug message "death by retrans" this is usually because your peer device is not properly configured. If you've already established that phase 1 completes, go back through your configs and try different SAs and hashings for your phase 2 negotiations. It would help to know what you're terminating the IOS tunnel to as well.
I should have mentioned that both phases 1 and 2 have been established. This problem ONLY appears when my phase 2 needs to be renegotiated at the end of its key lifetime. Meaning I am passing traffic over the tunnel when I see this message in the debug output. I checked the output because I suddenly lost data over my existing tunnel. The timestamp is an exact match to when the key lifetime was set to expire. Sniffer trace also confirms that the remote VPN device responds too late and the tunnel is brought down before it responds.
Terminating my tunnel to a Nortel Contivity Extranet Switch.
Heh, you never mentioned you were trying to connect the tunnel to a different vendor platform. You can do one of two things: change the Nortel device settings to match the Cisco default rekey intervals, or vice versa. Here's how to change the Cisco settings on IOS; not sure how on Nortel.
The Cisco default IKE lifetime is 86400 seconds (=1440 minutes), and it can be modified by the following commands:
crypto isakmp policy #
The configurable Cisco IKE lifetime is from 60-86400 seconds.
The Cisco default IPSec lifetime is 3600 seconds, and it can be modified by the following command:
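As an added example (not from this thread), this is how the phase 1 and phase 2 lifetimes sit together in an IOS configuration; the policy number 10, map name VPNMAP, transform-set name TS, peer address 192.0.2.1 and ACL 101 are assumed placeholders, and the cipher choices are assumptions, not the thread's:

```ios
! Added example: phase 1 (IKE) lifetime lives under the isakmp policy.
! 86400 is the default; the configurable range is 60-86400 seconds.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Phase 2 (IPsec SA) lifetime: global default is 3600 seconds.
! Both peers should agree on this value so rekeys are not
! attempted at a point the other side is not expecting.
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! A per-crypto-map lifetime overrides the global value for this
! peer only; useful when one remote vendor needs a different interval.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 set security-association lifetime seconds 3600
 match address 101
```

After applying the change, compare the lifetime reported by `show crypto ipsec sa` against the Contivity's configured phase 2 interval; a rekey that is rejected or answered late by the peer shows up as an expired SA with no fresh inbound SA beside it.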