I'm facing a strange issue in my lab environment (I have a L2L VPN between a VPN 3000 Concentrator and a c877 router). After getting the tunnel up and running, the rekeying succeeds 16 times, but the 17th time "tilts" the tunnel. According to the "sh crypto engine connections active" and "sh crypto session" commands entered on the router, the tunnel seems to be OK, but no traffic traverses the tunnel (e.g. ping fails). The Concentrator log shows this message: "Sending IKE Delete With Reason message: Maximum Configured SA Lifetime Exceeded."
I've tried to change the "crypto ipsec security-association lifetime seconds" value, but I still hit this issue, as illustrated below.
When "crypto ipsec security-association lifetime seconds" value is set to:
- 120, the connection tilts after half an hour
- 28800, the connection tilts after 5.33 days.
How can I change the IKE SA lifetime value? Could this be some kind of counter issue? Has anyone come up against a similar issue?
All the SAs in every tunnel have a Maximum Lifetime. A little bit before this Lifetime is reached a new SA is created for it to be used after the old one expires. This was designed for security reasons. I think changing the lifetime setting on the peers to use 28800 seconds will ensure that your VPN tunnels stay up much longer. Also if your IPSEC peers support ISAKMP keepalives it would be a good idea to enable them.
The lifetime value of 28800 is the one we've used (uptime 5.3 days); I just tested the value of 120 to see if the tunnel tilts regularly after 16 x lifetime has passed. And it did fail after half an hour (matches with 16 x 120 sec).
I'll have to check if the IPSEC peers have support for ISAKMP keepalives. Thanks for your advice...
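The IOS commands the thread refers to, as an added example rather than configuration taken from either poster: the IKE (phase 1) SA lifetime is set under the ISAKMP policy, the IPsec (phase 2) SA lifetime is the global command the poster already changed, and the ISAKMP keepalives the reply suggests are enabled with "crypto isakmp keepalive" (DPD). The policy number, peer address, key and keepalive intervals are placeholders.

```cisco
! IKE phase 1 (ISAKMP) SA lifetime, in seconds, set per policy.
! The IOS default is 86400 s (24 h).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
 lifetime 86400
!
! ISAKMP keepalives / Dead Peer Detection: probe every 10 s, retry
! every 3 s once the peer stops answering, sent periodically rather
! than only when traffic is pending. Lets the router tear down and
! rebuild a tunnel that shows as up but no longer passes traffic.
crypto isakmp keepalive 10 3 periodic
!
! Placeholder pre-shared key and peer address (documentation range).
crypto isakmp key PLACEHOLDER-KEY address 192.0.2.1
!
! IKE phase 2 (IPsec) SA lifetime, global, in seconds. 120 s rekeys
! every two minutes; 28800 s (8 h) is the value used in the thread.
! The IOS default is 3600 s. Both peers should agree on this value.
crypto ipsec security-association lifetime seconds 28800
!
! Verification after a rekey:
! show crypto isakmp sa   - phase 1 state
! show crypto ipsec sa    - phase 2 counters and "remaining key lifetime"
! show crypto engine connections active
! show crypto session
```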