02-12-2014 05:59 PM
I have an office that is having serious issues with the rekeying of their VPN tunnel. They are Windows 7 users using the built-in VPN on their laptops. They are connecting to my ASA 5505 8.0(4)8. Their VPN drops as soon as the SA rekey is triggered. It's currently set to 3600 seconds (1 hour) and I would like to bump that up to 36000 seconds (10 hours). I have tried to change the lifetime everywhere, but when they log in, it still shows 3600 seconds (see below) and the rekey happens as per the Cisco rules (the peers negotiate a new SA when about 5 to 15 percent of the lifetime of the existing SA remains). Watching the log, as soon as the rekey is attempted, they are kicked off. Other locations have no issue with the rekey. So to get around this issue, I would like to bump it up to 10 hours. Please help; I can send you any other config stuff you want if that will help.
Parts of my Running Config:
crypto ipsec security-association lifetime seconds 36000
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 65535 set security-association lifetime seconds 36000
crypto dynamic-map outside_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 36000
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 36000
crypto isakmp nat-traversal 300
What the session shows (see the "sa timing" lines below):
Crypto map tag: outside_dyn_map, seq num: 2, local addr: 69.14x.xx.xx
  local ident (addr/mask/prot/port): (69.14x.xx.xx/255.255.255.255/17/1701)
  remote ident (addr/mask/prot/port): (69.14x.xx.xx/255.255.255.255/17/1701)
  current_peer: 69.14x.xx.xx, username: CJohnson
  dynamic allocated peer ip: 192.168.0.143
  #pkts encaps: 3443, #pkts encrypt: 3443, #pkts digest: 3443
  #pkts decaps: 3258, #pkts decrypt: 3258, #pkts verify: 3258
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 3443, #pkts comp failed: 0, #pkts decomp failed: 0
  #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
  #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
  #pkts invalid prot (rcv): 0, #pkts verify failed: 0
  #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
  #pkts invalid pad (rcv): 0,
  #pkts invalid ip version (rcv): 0,
  #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
  #pkts replay failed (rcv): 0
  #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
  #pkts internal err (send): 0, #pkts internal err (rcv): 0
  local crypto endpt.: 69.14x.xx.xx, remote crypto endpt.: 69.14x.xx.xx
  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 09570E7C
  inbound esp sas:
    spi: 0x52441A7F (1380194943)
      transform: esp-3des esp-sha-hmac no compression
      in use settings ={RA, Transport, }
      slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
      sa timing: remaining key lifetime (kB/sec): (210915/3211)
      IV size: 8 bytes
      replay detection support: Y
      Anti replay bitmap:
       0xFFFFFFFF 0xFFFFFFFF
  outbound esp sas:
    spi: 0x09570E7C (156700284)
      transform: esp-3des esp-sha-hmac no compression
      in use settings ={RA, Transport, }
      slot: 0, conn_id: 73728, crypto-map: outside_dyn_map
      sa timing: remaining key lifetime (kB/sec): (209749/3211)
      IV size: 8 bytes
      replay detection support: Y
      Anti replay bitmap:
       0x00000000 0x00000001
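A check worth running on output like the above, added here as an example and not part of the original post or of Cisco's tooling: the "remaining key lifetime" counter in "show crypto ipsec sa" reflects the lifetime negotiated with the peer in IKEv1 quick mode, which is the shorter of the two proposals, not necessarily the value configured on the ASA. For a session that has not rekeyed yet, the SA is as old as the session, so negotiated lifetime = remaining seconds + session age. The script below parses the ESP SA section (the sample text is constructed from the posted output), confirms this is an L2TP/IPsec transport-mode session from the UDP/1701 proxy identities, and backs out the negotiated lifetime. The session age of 389 seconds is a hypothetical value standing in for the Duration field of "show vpn-sessiondb remote"; with it, the posted 3211 seconds remaining implies a 3600-second negotiated lifetime against the configured 36000.

```python
"""Back out the negotiated IPsec SA lifetime from an ASA 'show crypto ipsec sa' dump.

Added example, not from the original post. The sample text is constructed
from the output posted in the thread; the session age is a hypothetical
value a reader would take from 'show vpn-sessiondb remote' (Duration).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the posted output, counters as shown.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
Crypto map tag: outside_dyn_map, seq num: 2, local addr: 69.14x.xx.xx
  local ident (addr/mask/prot/port): (69.14x.xx.xx/255.255.255.255/17/1701)
  remote ident (addr/mask/prot/port): (69.14x.xx.xx/255.255.255.255/17/1701)
  current_peer: 69.14x.xx.xx, username: CJohnson
  current outbound spi: 09570E7C
  inbound esp sas:
    spi: 0x52441A7F (1380194943)
      transform: esp-3des esp-sha-hmac no compression
      in use settings ={RA, Transport, }
      sa timing: remaining key lifetime (kB/sec): (210915/3211)
  outbound esp sas:
    spi: 0x09570E7C (156700284)
      transform: esp-3des esp-sha-hmac no compression
      in use settings ={RA, Transport, }
      sa timing: remaining key lifetime (kB/sec): (209749/3211)
"""

# Hypothetical session age (seconds since the client logged in), not from the post.
HYPOTHETICAL_SESSION_AGE_SEC = 389
CONFIGURED_LIFETIME_SEC = 36000  # from the posted running config


@dataclass
class EspSa:
    direction: str      # "inbound" or "outbound"
    spi: int
    transform: str
    settings: str       # e.g. "RA, Transport"
    remaining_kb: int
    remaining_sec: int


_SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")           # '0x' excludes 'current outbound spi'
_TRANSFORM_RE = re.compile(r"transform:\s*(.+)")
_SETTINGS_RE = re.compile(r"in use settings\s*=\{([^}]*)\}")
_TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")
_IDENT_RE = re.compile(r"ident \(addr/mask/prot/port\):\s*\([^/]+/[^/]+/(\d+)/(\d+)\)")


def parse_esp_sas(text: str) -> list[EspSa]:
    """Collect every inbound/outbound ESP SA with its transform and remaining lifetime."""
    sas: list[EspSa] = []
    direction = "unknown"
    cur: dict = {}
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("inbound esp sas"):
            direction = "inbound"
        elif s.startswith("outbound esp sas"):
            direction = "outbound"
        elif m := _SPI_RE.search(s):
            cur = {"direction": direction, "spi": int(m.group(1), 16)}
        elif m := _TRANSFORM_RE.search(s):
            cur["transform"] = m.group(1).strip()
        elif m := _SETTINGS_RE.search(s):
            cur["settings"] = m.group(1).strip().rstrip(",").strip()
        elif m := _TIMING_RE.search(s):
            cur["remaining_kb"] = int(m.group(1))
            cur["remaining_sec"] = int(m.group(2))
            sas.append(EspSa(**cur))   # the timing line closes one SA record
            cur = {}
    return sas


def is_l2tp_transport(text: str) -> bool:
    """True when both proxy identities are UDP/1701 and the SAs run in transport
    mode, i.e. an L2TP/IPsec client such as the Windows built-in VPN."""
    idents = _IDENT_RE.findall(text)
    l2tp = bool(idents) and all(p == "17" and port == "1701" for p, port in idents)
    transport = all("Transport" in sa.settings for sa in parse_esp_sas(text))
    return l2tp and transport


def negotiated_lifetime_sec(sa: EspSa, session_age_sec: int) -> int:
    """Valid only while the session has not rekeyed: SA age == session age,
    so the lifetime the peers agreed on is remaining + age."""
    return sa.remaining_sec + session_age_sec


def lifetime_report(text: str, configured_sec: int, session_age_sec: int) -> dict:
    """Negotiated lifetime per direction, plus those below the ASA's configured value."""
    sas = parse_esp_sas(text)
    negotiated = {sa.direction: negotiated_lifetime_sec(sa, session_age_sec) for sa in sas}
    below = {d: v for d, v in negotiated.items() if v < configured_sec}
    return {"negotiated": negotiated, "below_configured": below,
            "l2tp_transport": is_l2tp_transport(text)}


if __name__ == "__main__":
    report = lifetime_report(SAMPLE_SHOW_CRYPTO_IPSEC_SA,
                             CONFIGURED_LIFETIME_SEC, HYPOTHETICAL_SESSION_AGE_SEC)
    for direction, secs in report["negotiated"].items():
        flag = "SHORTER than configured" if direction in report["below_configured"] else "ok"
        print(f"{direction}: negotiated {secs}s vs configured {CONFIGURED_LIFETIME_SEC}s ({flag})")
    print("L2TP/IPsec transport mode:", report["l2tp_transport"])
```

If the report shows a negotiated lifetime well below the configured 36000 for a freshly connected client, the ASA-side lifetime commands are not what is capping it; the remote peer's proposal is, and that is where the value has to change. Poll once more a few minutes later: the remaining counter should drop by the elapsed time, and if it jumps back up the SA rekeyed, which also tells you the real period.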
07-01-2014 11:16 AM
Got the same issue. Does anybody have an idea?