router renegotiating SAs before lifetime exceeded

tato386
Level 6

I have a 3640 router with an IPSec tunnel to a PIX firewall. I have noticed that the router is constantly renegotiating its SAs with the PIX. It seems to redo the SAs every couple of minutes even though I am using the default timeout of 3600 seconds, which should be 1 full hour. The debugs say:

0:28:01: ISAKMP (0:2): deleting node 396176214 error FALSE reason ""

If I do a "show crypto ipsec sa detail" I see a lot of send errors due to no SA.

I believe that the reason that this is happening might have something to do with my routing setup. The router is doing per packet load balancing from two different IPs to the PIX's one IP. I have the crypto map applied to both interfaces.

I am not seeing any ill effects but I worry that the constant build-up and tear-down of SAs might have some detrimental effect that will surface later.

Any comments and/or suggestions for this?

Thanks,

Diego
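As an added example (not part of the original post), here is a small script that measures the gap between consecutive ISAKMP "deleting node" debug lines per SA and flags gaps that are well below the configured 3600-second lifetime, which is the symptom described above. It assumes the uptime-style timestamp format shown in the quoted debug line and treats each "deleting node" line as the end of a rekey exchange, as the post does; the sample lines are constructed.

```python
import re

# Constructed sample of router debug output, modelled on the single line
# quoted in the post (timestamps and node ids are made up).
SAMPLE_DEBUG = """\
0:24:05: ISAKMP (0:2): deleting node 396176201 error FALSE reason ""
0:26:12: ISAKMP (0:2): deleting node 396176207 error FALSE reason ""
0:28:01: ISAKMP (0:2): deleting node 396176214 error FALSE reason ""
1:28:01: ISAKMP (0:3): deleting node 396176250 error FALSE reason ""
2:28:01: ISAKMP (0:3): deleting node 396176261 error FALSE reason ""
"""

# Matches the "h:mm:ss:" uptime prefix and the ISAKMP SA index "(0:2)".
# Assumption: the debug line keeps the shape shown in the post.
LINE_RE = re.compile(
    r'^(\d+):(\d{2}):(\d{2}): ISAKMP \((\d+:\d+)\): deleting node (\d+)'
)


def parse_deletions(text):
    """Return (seconds_since_boot, sa_index, node_id) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mnt, s, sa, node = m.groups()
        secs = int(h) * 3600 + int(mnt) * 60 + int(s)
        events.append((secs, sa, int(node)))
    return events


def early_rekeys(text, lifetime=3600, slack=0.9):
    """Return (sa_index, gap_seconds) for consecutive deletions on the same
    ISAKMP SA that happen sooner than slack * lifetime.

    A healthy tunnel rekeys once per lifetime (with a little jitter, hence
    the slack factor); gaps of a few minutes indicate the SAs are being
    torn down and rebuilt for some other reason, as in the post."""
    last_seen = {}
    flagged = []
    for secs, sa, _node in parse_deletions(text):
        if sa in last_seen:
            gap = secs - last_seen[sa]
            if gap < lifetime * slack:
                flagged.append((sa, gap))
        last_seen[sa] = secs
    return flagged


if __name__ == "__main__":
    for sa, gap in early_rekeys(SAMPLE_DEBUG):
        print(f"SA {sa}: rekey after only {gap} s (lifetime 3600 s)")
```

Feed it the output of `debug crypto isakmp` captured to a file; SA (0:3) in the sample rekeys exactly on the hour and is not reported, while the two-minute gaps on (0:2) are.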

1 Reply

hadbou
Level 5

PIX actually tears down the tunnel prior to the rekey, so effectively the connection is not perfectly seamless. Prior to the lifetime expiring, the PIX will tear down the tunnel. The next interesting packet will then bring the tunnel back up. Apparently the only way to create a truly seamless connection is to use manual keying, by which you use a manual key that never changes, and hence never has to be re-negotiated.

Since this is how the PIX works, are you not experiencing packet drops?
