Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
The significance of the IPSec SA Max time exceeded error message
IPSec sessions drop randomly, and the IPSec SA Max time exceeded error message is received.
A security association (SA) is a set of policy and key(s) used to protect information. The Internet Security Association and Key Management Protocol (ISAKMP) SA is the shared policy and key(s) used by the negotiating peers in this protocol to protect their communication.
Whenever a VPN tunnel is established, both the devices agree on Internet Key Exchange (IKE) and IPSec lifetime values, after which they renegotiate the key for encryption.
If these devices have different timeout values set, during negotiation, the one with minimum value is set for the proceeding sessions.
The renegotiation for the encryption key begins 30 seconds before the timeout value. If at this point, traffic is still passing through the tunnel, the IPSec SA Max time exceeded error message appears to signal that the tunnel will renegotiate the key. The tunnel does not come down at this point, and only a minor traffic delay is experienced for a moment. This error message points to the failure of renegotiation of the encryption keys.
It is always a good practice to configure same corresponding IKE and IPSec timeout values on both the ends. For more information about this issue, refer to IPSec Network Security and RFC 2408.