05-11-2004 05:44 AM - edited 03-09-2019 07:20 AM
In attempting to set up encryption between a 2520 and a 4500, I am unable to keep an encryption connection active for more than 20 min.
Initially, I was only able to keep the connection active for closer to 10 min.
When the encryption connection fails, I am unable to email or ftp across the T1 link.
The 4500 shows that there is a connection in place with a proper Connection ID. The 2500 indicates that it is attempting to renegotiate a connection, showing negative numbers.
I am using IOS version 11.2 on both routers with the same feature set.
Both routers share the same time and time zone. Neither pregenerates keys. There's no other connection between the two routers.
In order to get the link active again, I have to delete the crypto maps from the interface, delete the crypto maps globally, create new ones with a different name, clear any existing crypto map IDs and apply the new maps to the T1 interfaces.
From the routers when failed:
2520#sho crypto conn
Pending Connection Table
PE UPE Timestamp Conn_id
10.0.0.0 10.0.0.0 1084215551 -210
Connection Table
PE UPE Conn_id New_id Alg Time
10.0.0.0 10.0.0.0 -210 63 0 0
flags:XCHG_KEYS ACL: 129
2520#sho crypto eng conn a
ID Interface IP-Address State Algorithm Encrypt Decrypt
-----------------------------
4500#sho crypto conn
Connection Table
PE UPE Conn_id New_id Alg Time
10.0.0.0 10.0.0.0 10 0 11 47825
flags:TIME_KEYS
Both routers have/use the same access list:
access-list 129 deny tcp 10.0.0.0 0.255.255.255 eq telnet 10.0.0.0 0.255.255.255
access-list 129 deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet
access-list 129 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 129 permit udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Any ideas how I can get this to work?
Thanks,
Mark
05-17-2004 08:37 AM
Try upgrading the IOS, it might help you.