SA time lifetime resets VPN tunnel between ASA and Juniper Netscreen
I have a L2L VPN tunnel from our ASA to a customer's Juniper Netscreen. The tunnel is up but whenever the SA time lifetime is reached, the tunnel resets itself (it drops the tunnel). It is able to re-establish itself automatically, but the customer is alerted by their monitoring processes whenever this happens.
The tunnel should remain on even when the SA lifetime is reached - especially since it is able to re-establish it. I've searched these forums and haven't seen a problem like this. We're running Cisco Adaptive Security Appliance Software Version 7.0(7).
We used to use VPN Concentrators, but we have switched to ASA and I'm not that familiar, so if someone has some troubleshooting steps, I'd appreciate it.
Re: SA time lifetime resets VPN tunnel between ASA and Juniper N
We are receiving "Initial-Contact" Notifications at the 8 hour expiration of the lifetime value. This is why the sessions get dropped. This is not the normal Phase1 re-key process. On a normal Phase1 re-key, sessions will be maintained.
This is not seen on Netscreen to Netscreen VPN tunnels; nor is it seen on our tunnels to Cisco PIX firewalls at other locations.
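Added example, not part of the original thread or either vendor's code: a small parser for an already-decrypted ISAKMP Notification payload (layout from RFC 2408 section 3.14, status types from RFC 2407 section 4.6.3) that tells an INITIAL-CONTACT notify apart from other status notifies. The helper names and the sample byte strings are constructed for illustration.

```python
import struct

# Status notify types defined by the IPsec DOI (RFC 2407, section 4.6.3).
STATUS_TYPES = {
    24576: "RESPONDER-LIFETIME",
    24577: "REPLAY-STATUS",
    24578: "INITIAL-CONTACT",
}
IPSEC_DOI = 1
# Next payload, reserved, payload length, DOI, protocol-ID, SPI size, notify type.
HEADER = struct.Struct("!BBHIBBH")


def parse_notify(payload: bytes) -> dict:
    """Parse one decrypted ISAKMP Notification payload."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated notification payload")
    _next, _rsvd, length, doi, proto, spi_size, ntype = HEADER.unpack_from(payload)
    if length < HEADER.size + spi_size or length > len(payload):
        raise ValueError("inconsistent payload length")
    spi_end = HEADER.size + spi_size
    known = STATUS_TYPES.get(ntype) if doi == IPSEC_DOI else None
    return {
        "doi": doi,
        "protocol_id": proto,
        "type": ntype,
        "name": known or f"type-{ntype}",
        "spi": payload[HEADER.size:spi_end],
        "data": payload[spi_end:length],
    }


def is_initial_contact(payload: bytes) -> bool:
    """True for the notify after which a receiver may delete the SAs it
    still holds for the sender, which is what drops existing sessions."""
    return parse_notify(payload)["name"] == "INITIAL-CONTACT"


def build_notify(ntype: int, proto: int, spi: bytes, data: bytes = b"") -> bytes:
    """Hypothetical helper that builds sample payloads for this example."""
    length = HEADER.size + len(spi) + len(data)
    return HEADER.pack(0, 0, length, IPSEC_DOI, proto, len(spi), ntype) + spi + data


# Constructed samples: the SPI of an ISAKMP-protocol notify is the cookie pair.
SAMPLE_COOKIES = bytes(range(16))
INITIAL_CONTACT = build_notify(24578, proto=1, spi=SAMPLE_COOKIES)
RESPONDER_LIFETIME = build_notify(24576, proto=3, spi=b"\xde\xad\xbe\xef",
                                  data=b"\x00\x01\x00\x02")
```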