10-19-2002 05:46 PM - edited 02-20-2020 10:18 PM
Hi,
We have set up a PIX 506e to connect to an unknown Cisco concentrator in the US (managed by a third party). The VPN is up and working; however, occasionally the VPN drops out and we get the following error:
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): red'd delete notify from ISAKMP
IPSEC(sa_find_prot): invalid protocol on SADB lookup
I'm assuming it's a timeout error, so both the PIX and the concentrator have their lifetimes now set to 86400. When this occurs the only way to get the two to reconnect is to reload the PIX.
thoughts...
10-25-2002 07:41 AM
I am really not sure about this problem, but you could try these debug commands to get a better picture of this problem:
* debug crypto engine - Shows the traffic that is encrypted.
* debug crypto ipsec - To see the IPSec negotiations of phase 2.
* debug crypto isakmp - To see the ISAKMP negotiations of phase 1.
10-27-2002 08:57 PM
Yep, that's how I got the info out that was included in the original post.
I'm going to try to stagger the PIX so that it does a reset every half day, but I shouldn't have to do this.
I should be able to keep the connection permanently up?
10-28-2002 05:27 PM
See if enabling ike keepalive would help. Set it on the group for the lan to lan on the concentrator, and enable isakmp keepalive on pix.
http://www.cisco.com/warp/customer/471/renegotiate.html
Regards,
10-29-2002 01:55 AM
I have set keepalive on the PIX to be 180 seconds and it still dropped out overnight. As I don't control the VPN Concentrator (third party), what has to be set on this?