I have a 3640 router with an IPSec tunnel to a PIX firewall. I have noticed that the router is constantly renegotiating its SAs with the PIX. It seems to redo the SAs every couple of minutes even though I am using the default timeout of 3600 seconds, which should be 1 full hour. The debugs say:
If I do a "show crypto ipsec sa detail" I see a lot of send errors due to no SA.
I believe that the reason that this is happening might have something to do with my routing setup. The router is doing per packet load balancing from two different IPs to the PIX's one IP. I have the crypto map applied to both interfaces.
I am not seeing any ill effects but I worry that the constant build-up and tear-down of SAs might have some detrimental effect that will surface later.
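One way to put numbers on the symptoms described in this post is to parse a snapshot of `show crypto ipsec sa` and flag three things at once: interfaces with send errors, the same traffic selectors and peer negotiated from more than one local address (the per-packet load-balancing situation with the crypto map on both interfaces), and SAs that are far younger than the configured lifetime. The script below is an added example, not code from the thread; the `SAMPLE` output is constructed for illustration (addresses, SPIs and counters are made up, only the line layout follows the IOS format), and the 3600 s lifetime and 300 s "young SA" threshold are assumptions you can change.

```python
"""Flag IPsec SA churn indicators in Cisco IOS 'show crypto ipsec sa' output.

SAMPLE is constructed for this example (addresses, SPIs and counters are
made up); only the line layout follows the IOS output format.
"""
import re
from collections import defaultdict

SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: vpnmap, local addr 198.51.100.1

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
    #pkts encaps: 812, #pkts encrypt: 812, #pkts digest: 812
    #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
    #send errors 37, #recv errors 0

     local crypto endpt.: 198.51.100.1, remote crypto endpt.: 203.0.113.5
     current outbound spi: 0x3A1B2C4D(974859341)

     inbound esp sas:
      spi: 0x5E6F7081(1584361601)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607998/3512)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x3A1B2C4D(974859341)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607998/3512)
        Status: ACTIVE

interface: FastEthernet0/1
    Crypto map tag: vpnmap, local addr 198.51.100.2

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
    #pkts encaps: 805, #pkts encrypt: 805, #pkts digest: 805
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 41, #recv errors 0

     local crypto endpt.: 198.51.100.2, remote crypto endpt.: 203.0.113.5
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""

INTERFACE_RE = re.compile(r"^interface:\s+(\S+)")
LOCAL_ADDR_RE = re.compile(r"local addr\s+(\S+)")
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident.*?:\s*\((\S+?)\)")
PEER_RE = re.compile(r"current_peer\s+(\S+)")
SEND_ERR_RE = re.compile(r"#send errors\s+(\d+)")
LIFETIME_RE = re.compile(r"remaining key lifetime \(k/sec\):\s*\(\d+/(\d+)\)")


def parse_sa_output(text):
    """Return one dict per 'interface:' block with the fields we care about."""
    records, cur = [], None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            cur = {"interface": m.group(1), "local_addr": None, "peer": None,
                   "local_ident": None, "remote_ident": None,
                   "send_errors": 0, "sa_remaining_sec": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := LOCAL_ADDR_RE.search(line)):
            cur["local_addr"] = m.group(1)
        elif (m := IDENT_RE.match(line)):
            cur[m.group(1) + "_ident"] = m.group(2)
        elif (m := PEER_RE.search(line)):
            cur["peer"] = m.group(1)
        elif (m := SEND_ERR_RE.search(line)):
            cur["send_errors"] = int(m.group(1))
        elif (m := LIFETIME_RE.search(line)):
            # one entry per inbound/outbound ESP SA that currently exists
            cur["sa_remaining_sec"].append(int(m.group(1)))
    return records


def analyze(text, configured_lifetime=3600, young_sec=300):
    """Summarise churn indicators from one snapshot of the command output."""
    recs = parse_sa_output(text)
    report = {"send_errors": {}, "duplicate_endpoints": [], "young_sas": []}
    by_selector = defaultdict(set)
    for r in recs:
        if r["send_errors"]:
            report["send_errors"][r["interface"]] = r["send_errors"]
        # same selectors + peer seen from several local addresses => two
        # interfaces are each negotiating their own SA for the same traffic
        by_selector[(r["local_ident"], r["remote_ident"], r["peer"])].add(r["local_addr"])
        for remaining in r["sa_remaining_sec"]:
            age = configured_lifetime - remaining  # seconds since this SA was built
            if age < young_sec:
                report["young_sas"].append((r["interface"], age))
    for key, addrs in by_selector.items():
        if len(addrs) > 1:
            report["duplicate_endpoints"].append((key, sorted(addrs)))
    return report


if __name__ == "__main__":
    for name, value in analyze(SAMPLE).items():
        print(f"{name}: {value}")
```

Run it against real output (`show crypto ipsec sa` pasted into a file) a few minutes apart; if `young_sas` keeps reporting ages well under the lifetime and `duplicate_endpoints` shows the same selectors from both local addresses, the rekeying is driven by the two-interface setup rather than by lifetime expiry.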
Re: router renegotiating SAs before lifetime exceeded
PIX actually tears down the tunnel prior to the rekey, so effectively the connection is not perfectly seamless. Prior to the lifetime expiring, the PIX will tear down the tunnel. The next interesting packet will then bring the tunnel back up. Apparently the only way to create a truly seamless connection is to use manual keying, by which you use a manual key that never changes, and hence never has to be re-negotiated.
Since this is how the PIX works, are you not experiencing packet drops?