Cisco Support Community
The significance of the IPSec SA Max time exceeded error message

Core issue

IPSec sessions drop randomly, and the IPSec SA Max time exceeded error message is received.

Resolution

A security association (SA) is a set of policy and key(s) used to protect information. The Internet Security Association and Key Management Protocol (ISAKMP) SA is the shared policy and key(s) used by the negotiating peers in this protocol to protect their communication.

Whenever a VPN tunnel is established, both devices agree on Internet Key Exchange (IKE) and IPSec lifetime values, after which they renegotiate the encryption key.

If the devices have different timeout values configured, the lower value is agreed on during negotiation and used for the subsequent sessions.

Renegotiation of the encryption key begins 30 seconds before the timeout value is reached. If traffic is still passing through the tunnel at this point, the IPSec SA Max time exceeded error message appears to signal that the tunnel will renegotiate the key. The tunnel does not come down at this point, and only a momentary, minor traffic delay is experienced. This error message points to the failure of renegotiation of the encryption keys.

It is always good practice to configure the same corresponding IKE and IPSec timeout values on both ends. For more information about this issue, refer to IPSec Network Security and RFC 2408.
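As an added illustration (not part of the original article), the following ASA configuration fragment shows where each timer discussed on this page is set; the policy number, the lifetime values, the group-policy name and the session timeout are assumed, and the IKE and IPSec lifetimes are meant to be identical on both peers. Lines beginning with `!` are explanatory comments, not commands to paste.

```text
! --- Configure the SAME IKE and IPsec lifetime values on BOTH tunnel endpoints ---
! IKE (ISAKMP) phase 1 policy; lifetime in seconds (86400 = 24 h, assumed value)
! On ASA 8.4 and later the policy is entered as "crypto ikev1 policy 10"
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IPsec (phase 2) SA lifetime in seconds (3600 = 1 h, assumed value);
! rekeying starts 30 s before expiry and the tunnel stays up while it happens
crypto ipsec security-association lifetime seconds 3600
!
! Group-policy session timer in minutes (1440 = 24 h, assumed value); per the second
! comment below, this timer, not the SA lifetimes, is what produces the message
group-policy POLICY-NAME attributes
 vpn-session-timeout 1440
```

Check with `show crypto isakmp sa` and `show crypto ipsec sa` on both peers: the remaining key lifetime reported there reflects the lower of the two configured values, which is why mismatched peers should be corrected rather than tolerated.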

Version history: revision 1 of 1, last updated 06-22-2009 05:31 PM.
Comments
New Member

When does the message occur?

Either

If at this point, traffic is still passing through the tunnel,  the IPSec SA Max time exceeded error message appears to signal that the tunnel will renegotiate the key.

Or

This error message points to the failure of  renegotiation of the encryption keys.

Is this message normal, or does this mean there is a problem?

New Member

The reason for this message is that vpn-session-timeout has expired. It is NOT ISAKMP or IPsec SA expiration.

It could be set in the group policy POLICY-NAME attributes.

Hope this will help somebody.