08-25-2006 07:05 AM
Hello All.
Be grateful if you can shed some light on this weird problem.
I have 2 PIX 501 firewalls on separate sites connecting back to a central Cisco VPN 3020 VPN concentrator.
The 2 VPNs are established without any problems but every 6 hrs 48 mins the VPNs drop, stay down for 1 hour and are then re-established.
The only way we can get round this currently is to reboot the Cisco PIX 501 firewalls. When this is performed the vpn is immediately established but again after 6hrs 48mins the vpn tunnel is dropped.
Any help will be gratefully received.
08-25-2006 10:33 AM
is this a site to site or ezvpn tunnel?
need some logs from 3020 to know why the tunnel is dropping.
can check the phase 1 and phase 2 lifetimes, can enable isakmp keepalives on both pix and 3020.
08-25-2006 03:06 PM
The tunnel will drop when the SA lifetimes expire if there is no traffic, else it should stay up.
08-26-2006 01:21 PM
Check these 2 values in your Concentrator under: Configuration | User Management | Base Group (or whatever Group is relevant):
Maximum Connect time = 0
Reauthentication on Rekey = Unchecked
08-27-2006 06:31 PM
I think your phase two rekeying timing out is causing the issue, as per the example below. See the message "Starting P2 Rekey timer to expire in 24480 seconds", which equals 6 hrs 48 minutes.
Security negotiation complete for LAN-to-LAN Group (40.40.40.2)
Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Starting P2 Rekey timer to expire in 24480 seconds
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 2 COMPLETED (msgid=0529ac6b)
Make sure you have the same value on both ends, and it is also advisable to configure the same value for phase 1 and phase 2.
I hope it helps .. please rate it if it does !!!
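As an added illustration (not part of this thread), a small Python helper that pulls the "Starting P2 Rekey timer" value out of concentrator debug output like the lines quoted above and checks whether that lifetime lines up with the drop period the original poster observed. The sample log is constructed from the quoted lines; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample, assembled from the debug lines quoted in the post above.
SAMPLE_LOG = """\
May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Starting P2 Rekey timer to expire in 24480 seconds
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, PHASE 2 COMPLETED (msgid=0529ac6b)
"""

# Matches the timestamp, the group name and the phase/lifetime of a rekey-timer line.
REKEY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+).*?Group = (?P<group>[^,]+),.*?"
    r"Starting P(?P<phase>[12]) Rekey timer to expire in (?P<secs>\d+) seconds"
)


def parse_rekey_timers(log_text: str) -> List[Dict]:
    """Return one record per 'Starting P<n> Rekey timer' line in the log."""
    records = []
    for line in log_text.splitlines():
        m = REKEY_RE.search(line)
        if m:
            records.append({"ts": m["ts"], "group": m["group"],
                            "phase": int(m["phase"]), "seconds": int(m["secs"])})
    return records


def seconds_to_hm(seconds: int) -> str:
    """Render a lifetime in seconds as hours and minutes, e.g. 24480 -> '6h 48m'."""
    hours, rem = divmod(seconds, 3600)
    return f"{hours}h {rem // 60}m"


def explains_drop_interval(seconds: int, observed_minutes: int,
                           tolerance_minutes: int = 2) -> bool:
    """True when the negotiated rekey lifetime matches the observed drop period."""
    return abs(seconds // 60 - observed_minutes) <= tolerance_minutes


if __name__ == "__main__":
    observed = 6 * 60 + 48  # drop period reported in the thread: 6 hrs 48 mins
    for rec in parse_rekey_timers(SAMPLE_LOG):
        verdict = "matches" if explains_drop_interval(rec["seconds"], observed) else "differs from"
        print(f"{rec['ts']} {rec['group']}: P{rec['phase']} lifetime "
              f"{seconds_to_hm(rec['seconds'])} {verdict} the observed drop interval")
```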
08-28-2006 11:39 PM
Hi.
Thanks for the response.
The max connect time is set to zero.
The Reauthentication on Rekey is unchecked.
Any other ideas?