I have a 3640 router with an IPSec tunnel to a PIX firewall. I have noticed that the router is constantly renegotiating its SAs with the PIX. It seems to redo the SAs every couple of minutes even though I am using the default timeout of 3600 seconds, which should be 1 full hour. The debugs say:
0:28:01: ISAKMP (0:2): deleting node 396176214 error FALSE reason ""
If I do a "show crypto ipsec sa detail" I see a lot of send errors due to no SA.
I believe that the reason that this is happening might have something to do with my routing setup. The router is doing per-packet load balancing from two different IPs to the PIX's one IP. I have the crypto map applied to both interfaces.
I am not seeing any ill effects but I worry that the constant build-up and tear-down of SAs might have some detrimental effect that will surface later.
Any comments and/or suggestions for this?
Thanks,
Diego