Cisco Support Community


VPN3000/c877 problems with rekeying


I'm facing a strange issue in my lab environment (I have a L2L VPN between a VPN3000 Concentrator and a c877 router). After getting the tunnel up and running, the rekeying succeeds 16 times, but the 17th time "tilts" the tunnel. According to the "sh crypto engine connections active" and "sh crypto session" commands entered on the router, the tunnel seems to be OK, but no traffic traverses the tunnel (e.g. ping fails). The Concentrator log shows this message: "Sending IKE Delete With Reason message: Maximum Configured SA Lifetime Exceeded."

I've tried to change the "crypto ipsec security-association lifetime seconds" value, but I still hit this issue, as illustrated below.

When the "crypto ipsec security-association lifetime seconds" value is set to:

- 120, the connection tilts after half an hour

- 28800, the connection tilts after 5.33 days.

How can I change the IKE SA lifetime value? Could this be some kind of counter issue? Has anyone come up against a similar issue?




Re: VPN3000/c877 problems with rekeying

All the SAs in every tunnel have a Maximum Lifetime. A little bit before this Lifetime is reached a new SA is created for it to be used after the old one expires. This was designed for security reasons. I think changing the lifetime setting on the peers to use 28800 seconds will ensure that your VPN tunnels stay up much longer. Also if your IPSEC peers support ISAKMP keepalives it would be a good idea to enable them.

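The two settings the reply above mentions, written out as IOS configuration for the c877 side. This is an added example, not configuration posted in this thread: the ISAKMP policy number (10) and the keepalive timers (10 s interval, 3 s retry) are assumptions, and the Concentrator side must be set to matching lifetimes separately.

```text
! Added example (not from the thread). Assumes ISAKMP policy 10 already exists
! for this peer; adjust the policy number to match the running config.
!
! Phase 1 (IKE/ISAKMP) SA lifetime in seconds. This is the value the original
! poster asked how to change; it lives under the ISAKMP policy, not under
! "crypto ipsec security-association lifetime".
crypto isakmp policy 10
 lifetime 28800
!
! Phase 2 (IPsec) SA lifetime in seconds, the global default the thread
! already experiments with (120 vs 28800).
crypto ipsec security-association lifetime seconds 28800
!
! ISAKMP keepalives (Dead Peer Detection): probe the peer every 10 s and,
! once it stops answering, retry every 3 s. "periodic" sends probes
! unconditionally rather than only when traffic is pending. Timer values
! are assumptions.
crypto isakmp keepalive 10 3 periodic
!
! Verification after the change (read-only):
!   show crypto isakmp sa detail        - lists phase 1 SAs with remaining lifetime
!   show crypto ipsec sa                - per-SA byte/packet counters and lifetimes
```

The IPsec lifetime can also be set per crypto map entry with `set security-association lifetime seconds` inside the `crypto map` sequence, which overrides the global value shown here for that one peer; whichever is used, the negotiated lifetime is the lower of the two peers' configured values, so the Concentrator setting has to be checked as well.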

Re: VPN3000/c877 problems with rekeying

The lifetime value of 28800 is the one we've used (uptime 5.3 days); I just tested the value of 120 to see if the tunnel tilts regularly after 16 x lifetime has passed. And it did fail after half an hour (matches 16 x 120 s).

I'll have to check if the IPsec peers have support for ISAKMP keepalives. Thanks for your advice.
