Cisco Support Community

VPN timeout issue

Hi,

I have a number of Avaya VPN phones (5610sw) that are connected to an IPO500 via a Cisco ASA5510.

Everything works, except that all my phones reboot after exactly 4 days. I cannot see where this timeout value is applied. When booting, I see the following in the debug log:

I've changed my office IP address to: 12.34.56.78

I've changed my ASA IP to: 99.99.99.99

4|Nov 22 2010|11:54:11|113019|||||Group = cirquefr, Username = vpnXXXXX, IP = FrOfficeOutside, Session disconnected. Session Type: IPsecOverNatT, Duration: 4d 0h:00m:41s, Bytes xmt: 2798325, Bytes rcv: 1798611, Reason: Phase 2 Mismatch

6|Nov 22 2010|11:54:11|602304|||||IPSEC: An outbound remote access SA (SPI= 0xC3B5C699) between 99.99.99.99 and FrOfficeOutside (user= vpnXXXXX) has been deleted.

6|Nov 22 2010|11:54:11|602304|||||IPSEC: An inbound remote access SA (SPI= 0xECD12D85) between 99.99.99.99 and FrOfficeOutside (user= vpnXXXXX) has been deleted.

7|Nov 22 2010|11:54:11|713906|||||Group = cirquefr, Username = vpnXXXXX, IP = 12.34.56.78, Active unit receives a centry expired event for remote peer FrOfficeOutside.

7|Nov 22 2010|11:54:05|710007|FrOfficeOutside|1038|99.99.99.99|4500|NAT-T keepalive received from FrOfficeOutside/1038 to outside:99.99.99.99/4500

7|Nov 22 2010|11:53:49|710007|FrOfficeOutside|1045|99.99.99.99|4500|NAT-T keepalive received from FrOfficeOutside/1045 to outside:99.99.99.99/4500

7|Nov 22 2010|11:53:49|710007|FrOfficeOutside|1547|99.99.99.99|4500|NAT-T keepalive received from FrOfficeOutside/1547 to outside:99.99.99.99/4500

7|Nov 22 2010|11:53:45|713906|||||Group = cirquefr, Username = vpnXXXXX, IP = 12.34.56.78, Active unit process rekey delete event for remote peer FrOfficeOutside.

Any help would be much appreciated!

Thanks,

Mike


Re: VPN timeout issue

You would need to check whether the SA lifetime for phase 2 matches at both ends, and which lifetime it actually uses (there are 2 types of lifetime, i.e. time-based and size-based). And if you have keepalives configured, you might want to disable them, since the 2 ends of the VPN tunnel are from different vendors, and they would not understand each other's keepalives.

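To check across many phones whether the drops follow a fixed timer, as the thread suspects, the 113019 session-disconnect records can be parsed and grouped by duration. This is an added example, not code from either poster or from Cisco; the function names, the 120-second tolerance and the sample log (built in the same pipe-delimited layout as the lines in the question) are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the log lines in the question:
# severity|date|time|message id|src|sport|dst|dport|text. All values are made up.
SAMPLE_LOG = """\
4|Nov 22 2010|11:54:11|113019|||||Group = grpA, Username = vpn0001, IP = 192.0.2.10, Session disconnected. Session Type: IPsecOverNatT, Duration: 4d 0h:00m:41s, Bytes xmt: 2798325, Bytes rcv: 1798611, Reason: Phase 2 Mismatch
7|Nov 22 2010|11:54:05|710007|192.0.2.10|1038|198.51.100.1|4500|NAT-T keepalive received from 192.0.2.10/1038 to outside:198.51.100.1/4500
4|Nov 23 2010|09:12:30|113019|||||Group = grpA, Username = vpn0002, IP = 192.0.2.11, Session disconnected. Session Type: IPsecOverNatT, Duration: 0d 3h:27m:09s, Bytes xmt: 51234, Bytes rcv: 40121, Reason: User Requested
4|Nov 26 2010|11:58:02|113019|||||Group = grpA, Username = vpn0003, IP = 192.0.2.12, Session disconnected. Session Type: IPsecOverNatT, Duration: 4d 0h:00m:38s, Bytes xmt: 3010442, Bytes rcv: 2100871, Reason: Phase 2 Mismatch
"""

DISCONNECT = re.compile(
    r"Username = (?P<user>[^,]+),.*?"
    r"Duration: (?P<d>\d+)d (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<tx>\d+), Bytes rcv: (?P<rx>\d+), Reason: (?P<reason>.+)$"
)

def parse_disconnects(text):
    """Return one dict per 113019 (session disconnected) record."""
    out = []
    for line in text.splitlines():
        fields = line.split("|", 8)  # the message text is the 9th field
        if len(fields) != 9 or fields[3] != "113019":
            continue
        m = DISCONNECT.search(fields[8])
        if not m:
            continue
        secs = (int(m["d"]) * 86400 + int(m["h"]) * 3600
                + int(m["m"]) * 60 + int(m["s"]))
        out.append({"user": m["user"], "seconds": secs,
                    "bytes": int(m["tx"]) + int(m["rx"]),
                    "reason": m["reason"].strip()})
    return out

def timer_suspects(records, tolerance=120):
    """Group sessions that ended within `tolerance` seconds after a whole hour count.

    Two or more sessions in one bucket point at a fixed time limit rather
    than at traffic volume or a user action.
    """
    buckets = {}
    for r in records:
        hours, rem = divmod(r["seconds"], 3600)
        if hours and rem <= tolerance:
            buckets.setdefault(hours, []).append(r["user"])
    return {h: users for h, users in buckets.items() if len(users) >= 2}
```

The `bytes` field of each record can be compared against a size-based phase 2 lifetime, if one is configured, to rule that type out.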