I've got a PIX 515e running FOS 7.2(4), and there are currently 48 entries of one crypto map. Half of these crypto maps connect to Linksys BEFSX41 VPN end points, and most work really well. However, every once in a while, a random tunnel just simply drops (never the same one twice). My Syslog server shows, "Failure during phase 1 rekeying attempt due to collision," but I've checked the Advanced settings, and the renegotiate times are accurate.
On the PIX, my ISAKMP time setting is 86400. The crypto map time is 28800.
On the Linksys, Phase one is 86400, and phase two is 28800.
Both devices run DH group 2 and PFS with group 2.
Restarting the Linksys definitely does not work, but removing a line from the crypto map statement on my PIX and re-adding it gets the tunnel up again.
The log message is leading to some rekey issues with Phase 1. Since you have already checked the P1 Lifetime Settings to be the same, I don't think this is a configuration issue. More to do with some kind of coding/interoperability between the Pix and Linksys. Obviously, removing the crypto map and reapplying it is not an ideal workaround. So, a couple of things that come to mind.
1. Disable PFS and see if the behavior changes.
2. Clear the isakmp and ipsec for the specific peer that is having the issue and see if the tunnel comes back up.
3. The last option is to do some proactive debugging for ISAKMP and IPSEC on the Pix and logging on the Linksys and open a TAC Service Request and troubleshoot the issue. The challenging part with this is, you don't know which Linksys is going to have the problem.
Maybe, if you have some lab devices, lab testing might be an easier route. Just a thought.
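Since the hard part is knowing which of the 48 peers will drop next, here is an added example (not code from the original thread) that works the problem from the syslog side: it parses PIX syslog lines carrying the exact message the poster quoted, counts collisions per peer IP, and flags peers whose collisions recur about one ISAKMP lifetime (86400 s) apart, which is what a rekey collision at the phase 1 boundary looks like. The sample log lines are constructed; the "%PIX-3-XXXXXX" message ID is a placeholder and the peer addresses are documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample PIX syslog lines (not from the original post). The message
# text is the one the poster quoted; "%PIX-3-XXXXXX" stands in for the real
# message ID and the peer addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Jun 12 03:14:07 pix-fw %PIX-3-XXXXXX: Group = 203.0.113.10, IP = 203.0.113.10, Failure during phase 1 rekeying attempt due to collision
Jun 12 03:14:09 pix-fw %PIX-6-XXXXXX: Group = 203.0.113.10, IP = 203.0.113.10, Some unrelated informational message
Jun 12 05:02:41 pix-fw %PIX-3-XXXXXX: Group = 198.51.100.7, IP = 198.51.100.7, Failure during phase 1 rekeying attempt due to collision
Jun 13 03:15:30 pix-fw %PIX-3-XXXXXX: Group = 203.0.113.10, IP = 203.0.113.10, Failure during phase 1 rekeying attempt due to collision
"""

# Syslog timestamp, the "IP = <peer>" field, then the exact collision text.
COLLISION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?IP = (?P<peer>[\d.]+), "
    r"Failure during phase 1 rekeying attempt due to collision"
)

def parse_collisions(log_text):
    """Return {peer_ip: [timestamps]} for every phase 1 rekey collision.
    Syslog lines carry no year, so timestamps are only compared within a year."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = COLLISION_RE.search(line)
        if m:
            events[m.group("peer")].append(
                datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return dict(events)

def recurs_near_lifetime(timestamps, lifetime=86400, tolerance=900):
    """True if two consecutive collisions are about one ISAKMP lifetime apart,
    i.e. the peer keeps colliding at the phase 1 rekey boundary."""
    ts = sorted(timestamps)
    gaps = (b - a for a, b in zip(ts, ts[1:]))
    return any(abs(g.total_seconds() - lifetime) <= tolerance for g in gaps)

def peers_to_check(log_text, lifetime=86400):
    """Peers ranked by collision count, worst first; each row is
    (peer, count, last_seen, recurs_at_lifetime)."""
    events = parse_collisions(log_text)
    ranked = sorted(events.items(), key=lambda kv: (len(kv[1]), max(kv[1])),
                    reverse=True)
    return [(peer, len(ts), max(ts).strftime("%b %d %H:%M:%S"),
             recurs_near_lifetime(ts, lifetime)) for peer, ts in ranked]

if __name__ == "__main__":
    for row in peers_to_check(SAMPLE_LOG):
        print(row)
```

Feed it the syslog export from the same period as a tunnel drop and the top row is the peer whose crypto map entry (or isakmp/ipsec SA) to clear and the one worth running the ISAKMP debug against.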