Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
378
Views
0
Helpful
5
Replies

PIX501 to VPN3020 Tunnel drops every 6hrs 48mins

cjitnet
Level 1
Level 1

‎08-25-2006 07:05 AM

Hello All.

Be grateful if you can shed some light on this wierd problem.

I have 2 pix 501 firewalls on seperate sites connecting back to a central Cisco VPN3020 vpn concentrator.

The 2 VPN's are established without any problems but every 6hrs 48mins the VPN's drop, stay down for 1hour and are then re-established.

The only way we can get round this currently is to reboot the Cisco PIX 501 firewalls. When this is performed the vpn is immediately established but again after 6hrs 48mins the vpn tunnel is dropped.

Any help will be gratefully received.

Labels:
0 Helpful
5 Replies 5

puagarwa
Level 1
Level 1

‎08-25-2006 10:33 AM

is this a site to site or ezvpn tunnel?

need some logs from 3020 to know as to why is the tunnel dropping.

can check the phase 1 and phase 2 lifetimes, can enable isakmp keepalives on both pix and 3020.

0 Helpful

grant.maynard
Level 4
Level 4
In response to puagarwa

‎08-25-2006 03:06 PM

The tunnel will drop when the SA lifetimes expire if there is no traffic, else it should stay up.

0 Helpful

armstrongi
Level 4
Level 4

‎08-26-2006 01:21 PM

Check these 2 values in your Concentrator under: Configuration | User Management | Base Group (or whatever Group is relevant):

Maximum Connect time = 0

Reauthentication on Rekey = Unchecked

0 Helpful

Fernando_Meza
Level 7
Level 7
In response to armstrongi

‎08-27-2006 06:31 PM

I .. I think your phase two's rekying timing out is causing the issue as per the below example .. See the message "Starting P2 Rekey timer to expire in 24480 seconds" which equals to 6 hrs 48 minutes.

Security negotiation complete for LAN-to-LAN Group (40.40.40.2)

Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4

May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4

May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e

May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,

Starting P2 Rekey timer to expire in 24480 seconds

May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,

PHASE 2 COMPLETED (msgid=0529ac6b)

Make sure you have the same value in both ends and also it is advisable to configure the same value for phase 1 and two

I hope it helps .. please rate it if it does !!!

0 Helpful

cjitnet
Level 1
Level 1
In response to armstrongi

‎08-28-2006 11:39 PM

Hi.

Thanks for the response.

The max connect time is set to zero.

The Reauthentication on Rekey is unchecked.

Any other idea's.

0 Helpful
Customers Also Viewed These Support Documents