https://community.cisco.com/t5/network-security/vpn-tunnel-instability/m-p/1494790#M631835 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It could be that the fortigate is maintainig the old IPSec SAs after the lifetime expiration and preventing the PIX from renegotiating new IPSec SAs. The 86400 sec lifetime seems high for phase 2. You can test lowering the IPSec SA lifetime value to 3600 seconds to see if it helps with the stability. A more frequent renegotation of IPSec SAs may help prevent this situation from happening.</P><P></P><P>crypto ipsec security-association lifetime</P><P><SPAN style="color: #0000ff; text-decoration: underline; "><A href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458</A></SPAN><A href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458</A></P></BODY></HTML> Sat, 21 Aug 2010 01:00:11 GMT witsang 2010-08-21T01:00:11Z https://community.cisco.com/t5/network-security/vpn-tunnel-instability/m-p/1494789#M631834 <P>Hello Experts,</P><P>I am facing some issues with vpn tunnel.I have formed the vpn tunnel between cisco pix (ver 7.2) and fortigate(othervendor).</P><P>Once i initiate tunnel from fortigate i can see ike phase up with ipsec up</P><P>for eg 1 IKE and 5 IPSEC and all subnets will be reachable at that moment aftersome time few subnets go unreachable.When i check pix i can see IKE phase will be fine but 2 IPSEC up. what might be the reason for this instability?</P><P>i set 86400 sec for both phase 1 and phase 2 on both devices</P><P>Thanks,</P><P>KG</P> Mon, 11 Mar 2019 18:26:24 GMT https://community.cisco.com/t5/network-security/vpn-tunnel-instability/m-p/1494789#M631834 pramod 2019-03-11T18:26:24Z https://community.cisco.com/t5/network-security/vpn-tunnel-instability/m-p/1494790#M631835 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It could be that the fortigate is maintainig the old IPSec SAs after the lifetime expiration and preventing the PIX from renegotiating new IPSec SAs. The 86400 sec lifetime seems high for phase 2. You can test lowering the IPSec SA lifetime value to 3600 seconds to see if it helps with the stability. A more frequent renegotation of IPSec SAs may help prevent this situation from happening.</P><P></P><P>crypto ipsec security-association lifetime</P><P><SPAN style="color: #0000ff; text-decoration: underline; "><A href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458</A></SPAN><A href="http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458">http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2064458</A></P></BODY></HTML> Sat, 21 Aug 2010 01:00:11 GMT https://community.cisco.com/t5/network-security/vpn-tunnel-instability/m-p/1494790#M631835 witsang 2010-08-21T01:00:11Z