IPSEC VPN tunnel only works for 60 minutes

Hi,

I have a Cisco 2811 version 15.1(2)T2 and a PIX501 version 6.3(3). I have configured an IPSEC VPN between the devices over the internet and all works well for the duration of the ESP SA lifetime (3600 seconds), and then I cannot get any traffic over the connection.

I have checked CCO for bugs but have yet to find any.


Any assistance would be appreciated.

Thanks.

Regards,


Andrew

3 Replies

Hi Andrew,

Looks like Phase-2 rekey is not going well.

Does the tunnel still stay up and not pass traffic? OR

Does the tunnel go down and we need to rebuild it after some time?

Post the following outputs:

show crypto isakmp sa detail (from both PIX and Router)

show crypto ipsec sa peer (from the router)

show crypto ipsec sa peer (from the pix)

When this happens again, could you post the debugs from both the router and the PIX (debug crypto isakmp and debug crypto ipsec)?

To recreate the issue, can you reduce the ESP lifetime to, say, 10 minutes (600 seconds) and let me know if the tunnel stops working after 10 minutes?

Regards,

Praveen

Hi Praveen,

My thoughts exactly regarding Phase 2 rekey.

The tunnel stays up; I can see packets being encapsulated/encrypted at both ends but no decrypts happening.

I will post the show and debug commands a little later as am about to head out.

Also, I have done some checking and it says that by default the SA lifetime on a PIX running 6.3 software is 28800 and on a router running IOS it is 3600. Is this causing an issue?

Thanks.

Hi Andrew,

Yes, Phase 2 SA lifetime is 28800 by default on PIX.

Now the rekey won't be smooth because an hour after the tunnel comes up the router thinks it should rekey but the PIX doesn't.

First things first, let's match the Phase 2 SA lifetime values. Make it 28800 on the router too.

Bounce the tunnel.

And let us know how it goes.

Regards,

Praveen
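As an added example, not part of the thread above, here is what matching the Phase 2 lifetimes and bouncing the tunnel looks like on the two platforms Andrew describes (IOS 15.1 on the 2811, PIX 6.3). The crypto map name VPNMAP, its sequence number 10 and the PIX outside address 198.51.100.1 are assumptions for illustration only; substitute the names and addresses from your own configuration.

```cisco
! --- Cisco 2811, IOS 15.1(2)T2 ---
! Option A: raise the global default (IOS default is 3600 seconds).
! This applies to every crypto map entry that does not set its own value.
crypto ipsec security-association lifetime seconds 28800
!
! Option B: set it on the crypto map entry for this peer instead; a
! per-entry value overrides the global one. VPNMAP / 10 are assumed names.
crypto map VPNMAP 10 ipsec-isakmp
 set security-association lifetime seconds 28800
!
! Verify what the router will now propose. Each entry should show
! "Security association lifetime: 4608000 kilobytes/28800 seconds".
show crypto map
!
! Tear down the existing SAs so the new lifetime is negotiated fresh.
! 198.51.100.1 is the assumed PIX outside address.
clear crypto sa peer 198.51.100.1
clear crypto isakmp
!
! Once traffic brings the tunnel back up, check the new SAs: the
! "remaining key lifetime (k/sec)" counters should start near 28800,
! and both "#pkts encaps" and "#pkts decaps" should keep increasing.
show crypto ipsec sa peer 198.51.100.1

! --- PIX 501, 6.3(3) ---
! 28800 seconds is already the PIX default; setting it explicitly keeps
! both ends visibly identical in the running config.
crypto ipsec security-association lifetime seconds 28800
!
! Verify the value, then clear both phases so the tunnel rebuilds.
show crypto map
clear crypto ipsec sa
clear crypto isakmp sa
```

Two caveats for anyone following this thread: the kilobyte lifetime (4608000 KB by default on both platforms) also triggers a rekey, so a busy tunnel can rekey well before the seconds value is reached; and IKE normally tolerates a seconds mismatch by using the shorter of the two values, so matching them removes a variable but is not on its own proof of the cause. If the tunnel still stops decrypting at the next rekey, the debug crypto isakmp and debug crypto ipsec output captured from both sides at that moment is what will show which end rejects the new SA.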