Site2Site VPN disconnected due to "Max time exceeded"

hoffa2000
Level 3

Hi folks

This Thursday afternoon our site2site VPN between two ASA5505 8.4.2 went down with the below message in the debug logs:

%ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 12h:00m:29s, Bytes xmt: 14234811, Bytes rcv: 49879386, Reason: Max time exceeded

%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD98EB876) between y.y.y.y and x.x.x.x (user= x.x.x.x) has been deleted.

%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x2591626C) between x.x.x.x and y.y.y.y (user= x.x.x.x) has been deleted.

%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x542772D2) between y.y.y.y and x.x.x.x (user= x.x.x.x) has been deleted.

%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xF1EBD4F6) between x.x.x.x and y.y.y.y (user= x.x.x.x) has been deleted.

%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF8170227) between y.y.y.y and x.x.x.x (user= x.x.x.x) has been created.

%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF8170227) between y.y.y.y and x.x.x.x (user= x.x.x.x) has been deleted.

%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8FBA02ED) between y.y.y.y and x.x.x.x (user= x.x.x.x) has been deleted.

%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6A743148) between x.x.x.x and y.y.y.y (user= x.x.x.x) has been deleted.

%ASA-7-710006: ESP request discarded from x.x.x.x to outside:y.y.y.y

%ASA-7-710006: ESP request discarded from x.x.x.x to outside:y.y.y.y

%ASA-7-710006: ESP request discarded from x.x.x.x to outside:y.y.y.y

%ASA-7-710006: ESP request discarded from x.x.x.x to outside:y.y.y.y

%ASA-7-710006: ESP request discarded from x.x.x.x to outside:y.y.y.y

IPs have been replaced with Xs and Ys.

So far I have been unable to find a reason why the tunnel would have a 12h connection limit. There is a constant stream of traffic on the tunnel so no idle there. Also the tunnel didn't reconnect by itself until three days later.

Anyone have any ideas why the tunnel went down in the first place and why it didn't reconnect?

Regards

Fredrik

2 Replies

lal.antony
Level 1

Hi

I am guessing here as you haven't uploaded the current configuration; please check Crypto lifetime configurations. That might be the reason behind the disconnect.

The link below might help you to identify other time variables that are part of a tunnel configuration.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Hope that helps, please rate.

Cheers

Lal Antony

www.lalantony.com

@Lal Antony: What do you mean by current configuration?

It happened again tonight, the tunnel went down almost exactly a week since last time. This time I logged in and did a clear isakmp sa and clear ipsec sa and that brought the tunnel up again.

There is definitely some timer involved but I fail to see which and it's especially odd that the tunnel refuses to reinitialize by itself.

/Fredrik
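
For monitoring the condition described in this thread, here is an added example (not from any poster and not Cisco code): a Python check over syslog lines in the format quoted above that flags a peer whose session was torn down, has no IPsec SA left, and is still sending ESP that gets discarded. The sample lines, the documentation-range addresses and the `analyze` function are constructed for illustration, and the duration parser assumes the `12h:00m:29s` form shown in the post.

```python
import re

# Constructed sample in the format of the messages quoted in the thread
# (documentation-range addresses stand in for the masked peers).
SAMPLE = """\
%ASA-4-113019: Group = 192.0.2.1, Username = 192.0.2.1, IP = 192.0.2.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 12h:00m:29s, Bytes xmt: 14234811, Bytes rcv: 49879386, Reason: Max time exceeded
%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD98EB876) between 198.51.100.1 and 192.0.2.1 (user= 192.0.2.1) has been deleted.
%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x2591626C) between 192.0.2.1 and 198.51.100.1 (user= 192.0.2.1) has been deleted.
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF8170227) between 198.51.100.1 and 192.0.2.1 (user= 192.0.2.1) has been created.
%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF8170227) between 198.51.100.1 and 192.0.2.1 (user= 192.0.2.1) has been deleted.
%ASA-7-710006: ESP request discarded from 192.0.2.1 to outside:198.51.100.1
%ASA-7-710006: ESP request discarded from 192.0.2.1 to outside:198.51.100.1
""".splitlines()

DISCONNECT = re.compile(r"%ASA-4-113019: Group = (?P<peer>[^,\s]+),.*Duration: "
                        r"(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s,.*Reason: (?P<reason>.+)$")
SA_EVENT = re.compile(r"%ASA-6-60230[34]: IPSEC: An (?:inbound|outbound) LAN-to-LAN SA "
                      r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+)\).*has been (?P<what>created|deleted)\.")
ESP_DROP = re.compile(r"%ASA-7-710006: ESP request discarded from (?P<src>\S+) to")

def analyze(lines):
    """Summarise a teardown: reason, session length, surviving SAs, ESP drops after it."""
    out = {"peer": None, "reason": None, "duration_s": None,
           "live_spis": set(), "esp_drops_after": 0}
    for line in lines:
        if m := DISCONNECT.search(line):
            out.update(peer=m["peer"], reason=m["reason"].strip(), esp_drops_after=0,
                       duration_s=int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]))
        elif m := SA_EVENT.search(line):
            # Track SPIs that were created and not yet deleted.
            if m["what"] == "created":
                out["live_spis"].add(m["spi"])
            else:
                out["live_spis"].discard(m["spi"])
        elif (m := ESP_DROP.search(line)) and m["src"] == out["peer"]:
            out["esp_drops_after"] += 1  # peer still sends ESP we have no SA for
    # Stuck: session ended, no SA survived, yet the peer keeps sending ESP.
    out["stuck"] = (out["reason"] is not None and not out["live_spis"]
                    and out["esp_drops_after"] > 0)
    return out

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A `duration_s` close to a round number of hours together with `stuck` being true points at a configured timer rather than an idle timeout, which is what the lifetime check suggested in the reply would confirm.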
