IKE Initiator Rekeying Phase 2 Problems

daniel.varela
Level 1

Hi to all,

I have a problem with one site-to-site VPN. The problem is the following:

5 Nov 23 2010 08:28:47 713041 Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer X.X.X.X  local Proxy Address [LAN], remote Proxy Address [LAN],  Crypto map (outside_map)

6 Nov 23 2010 08:29:17 602304 IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C271CC8) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been deleted.

6 Nov 23 2010 08:29:17 602304 IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA59BE8CD) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been deleted.

3 Nov 23 2010 08:29:19 713902 Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0x62ab4f0, mess id 0x4cf32811)!

1 Nov 23 2010 08:29:19 713900 Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

4 Nov 23 2010 08:29:19 113019 Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: IPsec, Duration: 0h:51m:32s, Bytes xmt: 60486, Bytes rcv: 70509, Reason: Phase 2 Error

5 Nov 23 2010 08:37:29 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

5 Nov 23 2010 08:37:31 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

5 Nov 23 2010 08:37:34 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

5 Nov 23 2010 08:37:39 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

5 Nov 23 2010 08:37:47 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

5 Nov 23 2010 08:37:48 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

5 Nov 23 2010 08:37:59 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

4 Nov 23 2010 08:38:00 713903 Group = X.X.X.X, IP = X.X.X.X, Freeing previously allocated memory for authorization-dn-attributes

6 Nov 23 2010 08:38:00 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = X.X.X.X

5 Nov 23 2010 08:38:00 713119 Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED

3 Nov 23 2010 08:38:00 713122 IP = X.X.X.X, Keep-alives configured on but peer does not support keep-alives (type = None)

5 Nov 23 2010 08:38:00 713049 Group = X.X.X.X, IP = X.X.X.X, Security negotiation complete for LAN-to-LAN Group (X.X.X.X)  Responder, Inbound SPI = 0x7302c7aa, Outbound SPI = 0x804d8c31

6 Nov 23 2010 08:38:00 602303 IPSEC: An outbound LAN-to-LAN SA (SPI= 0x804D8C31) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.

6 Nov 23 2010 08:38:00 602303 IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7302C7AA) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.

5 Nov 23 2010 08:38:00 713120 Group = X.X.X.X, IP = X.X.X.X, PHASE 2 COMPLETED (msgid=590161c5)

This behaviour is cyclic. The tunnel is established and traffic flows normally, but after 50 minutes (when the Phase 2 rekeying begins) the tunnel goes down.

I guess the problem is the part I marked in bold. I don't understand why both SPIs are deleted just after the Phase 2 rekeying begins.

The config is the following:

access-list outside_1_cryptomap extended permit ip lan lan-mask remote-lan remote-lan-mask
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 194.224.219.114
crypto map outside_map 1 set transform-set ESP-AES-192-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key

Thank you in advance for your help
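An added example, not part of the original post or either reply: a small Python script that parses the ASDM-style syslog lines quoted above (severity, date, time, message id, text) and correlates them into the failure pattern the poster describes. It pairs each IKE Initiator rekey (713041) with the SA deletions (602304) and the QM FSM error (713902) that follow within a short window, then counts the "no matching SA" drops (713904) until the next PHASE 2 COMPLETED (713120) to measure how long the tunnel was actually down. The 120-second window, the lifetime heuristic and its 0.5 factor are my assumptions; the log lines are copied from the post, with a few informational lines left out.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Syslog lines copied from the post above (ASDM export format). X.X.X.X and
# Y.Y.Y.Y are the poster's own redactions; a few informational lines are omitted.
SAMPLE_LOG = """\
5 Nov 23 2010 08:28:47 713041 Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer X.X.X.X  local Proxy Address [LAN], remote Proxy Address [LAN],  Crypto map (outside_map)
6 Nov 23 2010 08:29:17 602304 IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C271CC8) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been deleted.
6 Nov 23 2010 08:29:17 602304 IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA59BE8CD) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been deleted.
3 Nov 23 2010 08:29:19 713902 Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0x62ab4f0, mess id 0x4cf32811)!
1 Nov 23 2010 08:29:19 713900 Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
4 Nov 23 2010 08:29:19 113019 Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: IPsec, Duration: 0h:51m:32s, Bytes xmt: 60486, Bytes rcv: 70509, Reason: Phase 2 Error
5 Nov 23 2010 08:37:29 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:31 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:34 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:39 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:47 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:48 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:37:59 713904 IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
5 Nov 23 2010 08:38:00 713119 Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED
5 Nov 23 2010 08:38:00 713049 Group = X.X.X.X, IP = X.X.X.X, Security negotiation complete for LAN-to-LAN Group (X.X.X.X)  Responder, Inbound SPI = 0x7302c7aa, Outbound SPI = 0x804d8c31
6 Nov 23 2010 08:38:00 602303 IPSEC: An outbound LAN-to-LAN SA (SPI= 0x804D8C31) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.
6 Nov 23 2010 08:38:00 602303 IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7302C7AA) between Y.Y.Y.Y and X.X.X.X (user= X.X.X.X) has been created.
5 Nov 23 2010 08:38:00 713120 Group = X.X.X.X, IP = X.X.X.X, PHASE 2 COMPLETED (msgid=590161c5)
"""

# One ASDM-style line: severity, "Mon DD YYYY HH:MM:SS", six-digit message id, text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<text>.*)$"
)
SPI_RE = re.compile(r"SPI=\s*(0x[0-9A-Fa-f]+)")
DURATION_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")


def parse_log(text: str) -> List[Dict]:
    """Turn the export into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["date"], "%b %d %Y %H:%M:%S"),
                           "sev": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]})
    return events


def find_rekey_failures(events: List[Dict], window_s: int = 120) -> List[Dict]:
    """For each 713041 rekey, look for 602304 SA deletions and a 713902 QM FSM
    error within window_s seconds (assumed window). When both are present,
    count 713904 drops until the next 713120 and report the outage length."""
    findings = []
    for i, ev in enumerate(events):
        if ev["msgid"] != "713041":
            continue
        deleted, qm_error_at, first_delete = [], None, None
        for later in events[i + 1:]:
            if (later["ts"] - ev["ts"]).total_seconds() > window_s:
                break
            if later["msgid"] == "602304":
                first_delete = first_delete or later["ts"]
                m = SPI_RE.search(later["text"])
                deleted.append(m.group(1).lower() if m else "unknown")
            elif later["msgid"] == "713902":
                qm_error_at = later["ts"]
        if not (deleted and qm_error_at):
            continue  # clean rekey: SAs were replaced without a QM error
        drops, recovered_at, duration_s = 0, None, None
        for later in events[i + 1:]:
            if later["msgid"] == "713904":
                drops += 1
            elif later["msgid"] == "113019":
                d = DURATION_RE.search(later["text"])
                if d:
                    h, mi, s = map(int, d.groups())
                    duration_s = h * 3600 + mi * 60 + s
            elif later["msgid"] == "713120":
                recovered_at = later["ts"]
                break
        findings.append({
            "rekey_at": ev["ts"], "deleted_spis": deleted, "qm_error_at": qm_error_at,
            "session_duration_s": duration_s, "no_sa_drops": drops,
            "recovered_at": recovered_at,
            "outage_s": (recovered_at - first_delete).total_seconds() if recovered_at else None,
        })
    return findings


def lifetime_looks_mismatched(session_duration_s: int, configured_lifetime_s: int,
                              slack: float = 0.5) -> bool:
    """Heuristic (my assumption, not from the thread): a session that ends far
    below the locally configured Phase 2 lifetime suggests the negotiated
    lifetime came from the peer, i.e. the two ends are not configured alike."""
    return session_duration_s < configured_lifetime_s * slack


if __name__ == "__main__":
    for f in find_rekey_failures(parse_log(SAMPLE_LOG)):
        print(f)
        print("lifetime mismatch suspected:",
              lifetime_looks_mismatched(f["session_duration_s"], 28800))
```

On the lines from the post, this reports one failed rekey: both SPIs (0x6c271cc8 and 0xa59be8cd) deleted 30 seconds after the rekey started, seven encrypted packets dropped for lack of an SA, and 523 seconds between the deletions and the new Phase 2 SA. The session duration of 3092 seconds against a configured lifetime of 28800 seconds is what the heuristic flags, which is the lifetime comparison worth doing on both ends before looking further.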

2 Replies

Hi,

Is the other side of the tunnel a Cisco device?

If not, you can try disabling PFS and make sure the lifetimes are set to the same values on both ends to see if the error persists.

Federico.

Hi,

The other device is not a Cisco device; it is a Palo Alto 2050.

I've tried disabling PFS, but the problem is the same.

Any new ideas?

Thanks for your help