2 site-to-site VPNs. The first one is established between a 2801 and a 1841, both using Advanced IP Services (versions right below). The second one is established between the same previous 2801 and a PIX 515E.
The VPN between the two routers is ok, but that one between the 2801 and the PIX is frequently hanging up. To put it up, I have to remove the crypto map from the router's outside interface and put it again.
What could be the cause of this? These are the versions of software running on my boxes:
The problem that you are facing could be caused by the IPSEC SA lifetimes. The default SA lifetime on the router is 3600 seconds (1 hour) and the default IPSEC SA lifetime on the PIX is 28800 seconds (8 hours). So please make sure that they are the same on both the boxes. To confirm, you can use the following command on the router:
show crypto ipsec security-association lifetime
When you type 'sh run cry map' on the PIX and don't see any specific lifetime configured then it is indicative that we are using the default lifetime. You can either configure 28800 on the router for the specific tunnel under the crypto map or 3600 on the PIX for the specific tunnel under the crypto map.
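An added example, not part of the original posts: a small offline check that reads saved configuration text from both devices and reports the effective IPsec SA lifetime per crypto map entry, using the defaults quoted in the answer when no lifetime is configured. The sample configs, map names, sequence numbers and peer addresses are constructed for illustration.

```python
import re

# Platform defaults in seconds, as stated in the answer above.
IOS_DEFAULT, PIX_DEFAULT = 3600, 28800

GLOBAL = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)", re.M)
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ")
LIFE = re.compile(r"set security-association lifetime seconds (\d+)")

def entry_lifetimes(cfg, platform_default):
    """Map (map_name, seq) -> effective IPsec SA lifetime in seconds.
    Handles IOS block style and PIX one-line style; kilobyte lifetimes are ignored."""
    g = GLOBAL.search(cfg)
    default = int(g.group(1)) if g else platform_default  # global override wins over default
    out, current = {}, None
    for line in cfg.splitlines():
        m = ENTRY.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            out.setdefault(current, default)
        elif not line.startswith(" "):
            current = None  # left the crypto map block
        lt = LIFE.search(line)
        if lt and current:
            out[current] = int(lt.group(1))  # per-tunnel setting wins
    return out

def compare(router_cfg, r_entry, pix_cfg, p_entry):
    """Return (router_seconds, pix_seconds, match) for one tunnel."""
    r = entry_lifetimes(router_cfg, IOS_DEFAULT)[r_entry]
    p = entry_lifetimes(pix_cfg, PIX_DEFAULT)[p_entry]
    return r, p, r == p

# Constructed sample configs: map names, sequence numbers and peers are hypothetical.
ROUTER_CFG = """crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.10
 match address 101
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.20
 set security-association lifetime seconds 28800
 match address 102
"""
PIX_CFG = """crypto map outside_map 10 match address 101
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map interface outside
"""

if __name__ == "__main__":
    print(compare(ROUTER_CFG, ("VPNMAP", 10), PIX_CFG, ("outside_map", 10)))
    print(compare(ROUTER_CFG, ("VPNMAP", 20), PIX_CFG, ("outside_map", 10)))
```

Entry 10 on the constructed router config has no per-tunnel lifetime and is reported as a mismatch against the PIX entry; entry 20 carries the explicit 28800 and matches.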