Cisco Support Community

New Member

Asa5520 Isakmp Rekeying SA

When the Isakmp Sa rekeying takes place, does the Asa drop all current connections? Do the connections get dropped when the Ipsec Sa lifetime expires? And, one more, is there a standard design philosophy regarding the Isakmp Sa lifetime and the Ipsec Sa lifetime? Hope that's not too many questions for one post. Thanks.

5 REPLIES
Anonymous
N/A

Re: Asa5520 Isakmp Rekeying SA

I don't think that during Isakmp sa rekeying the connections are dropped, but during ipsec sa lifetime expiry I think that connections are dropped. The following links may help you:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ike.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

New Member

Re: Asa5520 Isakmp Rekeying SA

Thanks for the reply. I have both my isa and ipsec sa's set to time out at 43200. I don't know whether using the same time is good or bad yet. Anyway, I have been telnet'd into these Asa's a lot since I put them in and have seen several rekeys. I have not seen any disconnects at all during the rekeys. The rekeys don't wait until the time is up either. They usually happen somewhere around 5000-6000 seconds left. Thanks again.

Cisco Employee

Re: Asa5520 Isakmp Rekeying SA

Joel,

The re-key should happen around 75% of the lifetime specified. So, if it is set to one hour, then at around 45 minutes...the re-key happens.

Also, during the re-key the connections should not be dropped.

deb cry isa 190

deb cry ipsec 190

Enable those debugs on the ASA, and you will be able to find out what is happening during this time.

I will be able to take a look at the debugs and let you know what is happening.

Cheers

Gilbert

New Member

Re: Asa5520 Isakmp Rekeying SA

Gilbert, I figured out the issue. Exceed opens several tcp connects. Using a sniffer I was able to see where the Exceed idle tcp connects were getting dropped by the Asa, and that would in turn take down the active tcp connect. I have since extended the tcp idle timeout and the drops stopped. Working with TAC I received a Modular Policy Framework resolution to set tcp idle timeouts for individual tcp connects (vs the global timeout). Thanks for the assistance!

Cisco Employee

Re: Asa5520 Isakmp Rekeying SA

Joel,

Glad to know!! :)

Sharing your MPF in this case would help out others as well. :) Just a thought!!

Gilbert
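The thread ends with a request to share the Modular Policy Framework (MPF) configuration that raised the TCP idle timeout only for the affected Exceed flows. The poster never shared it, so the fragment below is an added illustration, not the poster's or TAC's configuration. It assumes the Exceed sessions run over the X11 display port (TCP 6000) and that a two hour idle timeout is wanted for those flows only; both values are placeholders to be replaced with what the sniffer capture actually shows. The global `timeout conn` line is included to show the default that the class-specific setting overrides.

```cisco
! Added example, not from the original thread.
! Global TCP idle timeout stays at the ASA default (1 hour) for all other flows.
timeout conn 1:00:00

! Assumed: Exceed sessions use the X11 display port; adjust to the real ports
! seen in the capture. Match on the idle-prone flows only, not on everything.
access-list EXCEED_IDLE extended permit tcp any any eq 6000

class-map EXCEED_IDLE
 match access-list EXCEED_IDLE

! Attach the class to the existing global policy so only the matched flows
! get the longer idle timer. "set connection timeout idle" is the ASA 8.2(2)+
! keyword; on older 7.x/8.0 code the equivalent keyword is "tcp".
policy-map global_policy
 class EXCEED_IDLE
  set connection timeout idle 2:00:00

service-policy global_policy global
```

After applying it, `show service-policy` confirms the class is hit, and `show conn detail` shows the per-connection idle timer so you can verify the longer value applies only to the matched Exceed flows and not to every TCP session through the box. Keeping the broader idle timeout short limits how long half-dead sessions consume connection table entries, which is why a per-class exception is preferable to raising the global value.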
