Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4136
Views
1
Helpful
3
Comments

The significance of the IPSec SA Max time exceeded error message

TCC_2
Level 10
Level 10

on ‎06-22-2009 05:31 PM

Core issue

IPSec sessions drop randomly, and the IPSec SA Max time exceeded error message is received.

Resolution

A security association (SA) is a set of policy and key(s) used to protect  information. The Internet Security Association and Key Management Protocol (ISAKMP) SA is the shared policy and key(s) used by the  negotiating peers in this protocol to protect their communication.

Whenever a VPN tunnel is established, both the devices agree on Internet Key Exchange (IKE)  and IPSec lifetime values, after which they renegotiate the key for  encryption.

If these devices have different timeout values set, during negotiation, the one with minimum value is set for the proceeding sessions.

The renegotiation for the encryption key begins 30 seconds before the  timeout value. If at this point, traffic is still passing through the tunnel,  the IPSec SA Max time exceeded error message appears to signal that the tunnel will renegotiate the key. The  tunnel does not come down at this point, and only a minor traffic delay is  experienced for a moment. This error message points to the failure of  renegotiation of the encryption keys.

It is always a good practice to configure same corresponding IKE and IPSec  timeout values on both the ends. For more information about this issue, refer to IPSec Network Security and RFC 2408.

Labels:
Comments
kerstin-534
Level 1
Level 1
‎07-07-2016 02:12 AM

When does the message occur

Either

If at this point, traffic is still passing through the tunnel,  the IPSec SA Max time exceeded error message appears to signal that the tunnel will renegotiate the key.

Or 

This error message points to the failure of  renegotiation of the encryption keys.

Is this message a normal or does this mean there is a problem ?

schukinel
Community Member
‎08-22-2016 10:54 PM

The reason of  this message -  vpn-session-timeot is expired. It is NOT isakmp or ipsec sa expiration.

It could be set in the group policy POLICY-NAME attributes.

Hope this will help somebody.

gwarn
Level 1
Level 1
‎06-04-2024 05:37 PM

thank you schukinel - I think your comment solved my problem!

I had my new group policy set to inherit from the dfltpolicy and that policy has a 3hr max timer on it.  I've adjusted to not inherit and set to unlimited.  I will know after 3 hours if this fixed my problem but I am optimistic.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents