The tunnel is between an ASA running 7.2(3) and a PIX running 8.0(4).
The tunnel drops periodically and takes a while to reestablish. This is a common thing I've run into before when the key lifetimes don't match. Except in this case, they DO match; both the ISAKMP and IPSEC lifetimes. At least the configurations look like they do. BUT, when I do
sh crypto ipsec sa
to view the Security Associations (0.5 seconds apart), I see that
ASA: sa timing: remaining key lifetime (kB/sec): (2137416/14356)
PIX: sa timing: remaining key lifetime (kB/sec): (1957473/14355)
Which, a simple glance will reveal, ARE NOT EVEN CLOSE! This is after forcing the tunnel to rebuild with
clear crypto ipsec sa
on both ends and trying halving the times from their previous values of 4608000 KB (4 MB) and 28800 seconds.
I figure that the PIX decides the key lifetime is up long before the ASA.
I am going to try increasing the kB lifetime dramatically and reduce the seconds lifetime...
Does anyone have any thoughts on what could cause this or how else to remedy it?