09-21-2011 04:00 AM - edited 02-21-2020 10:26 AM
Hi,
We have configured a 2801 to aggregate some VPN clients. The problem is that after between 20 and 50 minutes it asks for re-authentication even though the connection is not idle. Is there a timer that creates this problem?
Below is the applied configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp client configuration group GROUP
key KEY
dns x.x.x.x
domain DOMAIN
pool DIAL-POOL
acl vpn-traffic
netmask 255.255.255.0
!
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
!
!
crypto dynamic-map DYN-MAP 1
set transform-set SET
reverse-route
!
!
crypto map DIAL-MAP client authentication list default
crypto map DIAL-MAP isakmp authorization list default
crypto map DIAL-MAP client configuration address respond
crypto map DIAL-MAP 65535 ipsec-isakmp dynamic DYN-MAP
Thank you in advance
10-02-2011 02:22 AM
Hi V,
note that your ISAKMP policy has "lifetime 3600", which means your ISAKMP SA will only be valid for one hour, so the client will initiate a new ISAKMP (phase 1) session a 'short' time before the current one expires. How much time depends on some different factors, but around 40-50 mins seems quite normal; 20 minutes is strange.
Usually there is no need to set the isakmp (phase 1) lifetime so low - 8h or even 24h should be ok. Note that you still have a phase 2 rekey every hour (with default settings) so the ISAKMP keying material (sort of the "master key") will change only once every 8 or 24h but the actual encryption key will still change every hour (or rather, every 48mins or so).
If you still see any behavior that is not consistent with this explanation (e.g. re-auth after 20 mins, or the time between re-auths doesn't change when you increase the lifetime), then have a look at the client logs to see if there is a clue as to why it is doing that. Increase the log level detail as follows:
- close the client
- edit the vpnclient.ini file
- change all LogLevel entries to 15
- save the file
- open the client again and don't touch the log levels
--
If this post answers your question, please click the "Correct Answer" button
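As an added example (not part of either post above), here is the ISAKMP policy from the question with its one-hour lifetime placed beside a corrected copy using the 8-hour value the answer suggests, followed by the IOS show commands that confirm what the router actually negotiated. The 28800 value is an assumption taken from the answer's suggestion; the phase 2 lifetime command is shown only to make the point that it is separate from phase 1 and stays at its 3600-second default.

```cisco
! Original phase 1 policy from the question: the ISAKMP SA expires after
! one hour, so the client rekeys (and re-prompts for Xauth, because the
! crypto map has "client authentication list") before each hour is up.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
! Corrected phase 1 policy: 8 hours (28800 s) as suggested in the answer.
! IOS accepts 60-86400 seconds, so 24 h is the maximum.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
! Phase 2 (IPsec SA) lifetime is a separate timer; the global default is
! 3600 seconds and is left unchanged here, so data keys still rotate
! roughly every 48-60 minutes without a new Xauth prompt.
crypto ipsec security-association lifetime seconds 3600
!
! Verification after a client reconnects:
!   show crypto isakmp sa detail   (phase 1 SAs and their remaining lifetime)
!   show crypto ipsec sa           (phase 2 SAs, "remaining key lifetime")
!   show crypto session detail     (both SAs per peer, with session uptime)
```

Run the three show commands right after the client connects and again after a phase 2 rekey: the IPsec SA counters should reset while the ISAKMP SA's remaining lifetime keeps counting down from 28800, which is the behaviour the answer describes. If the ISAKMP SA is replaced sooner than that, the client logs (with the LogLevel change above) are the next place to look.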