Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

router renegotiating SAs before lifetime exceeded

I have a 3640 router with an IPSec tunnel to a PIX firewall. I have noticed that the router is constantly renegotiating its SAs with the PIX. It seems to redo the SAs every couple minutes even though I am using the default timeout of 3600 seconds which should be 1 full hour. The debugs say:

0:28:01: ISAKMP (0:2): deleting node 396176214 error FALSE reason ""

If I do a "show crypto ipsec sa detail" I see a lot of send errors due to no SA.

I believe that the reason that this is happening might have something to do with my routing setup. The router is doing per packet load balancing from two different IPs to the PIX's one IP. I have the crypto map applied to both interfaces.

I am not seeing any ill effects but I worry that the constant build-up and tear-down of SAs might have some detrimental effect that will surface later.

Any comments and/or suggestions for this?




Re: router renegotiating SAs before lifetime exceeded

PIX actually tears down the tunnel prior to the rekey, so effectively the connection is not perfectly seamless. Prior to the lifetime expiring, the PIX will tear down the tunnel. The next interesting packet will then bring the tunnel back up. Apparently

the only way to create a true seamless connectionis to use manual keying, by which you use a manual key that never changes, and hence never has to be re-negotiated.

Since this is how the Pix works are you not experiencing packet drops??

CreatePlease to create content