Welcome to the Cisco Small Business Community
tato386
Frequent Contributor

IPSec between SA520 and PIX-501

I have a gateway-to-gateway tunnel from a SA520 to a PIX501 running the 6.3.5 image. The tunnel drops every few days; sometimes it is up for a bit longer and sometimes a bit shorter, but never up for more than 1 week straight. Doing some checking through the SA520 logs, it seems that the IPSec SAs expire and are renegotiated, but during that time the tunnel drops. If we wait a few minutes it comes back up. Sometimes we reboot the SA520 so that it comes up quicker.

This is very annoying and I think that renegotiating IPSec SAs (if in fact this is what is happening) should not cause the tunnel to go down.

How can I troubleshoot this further?

Thanks,

Diego

nmanglik
Cisco Employee

Diego,

Can you please provide the software version of the SA500 you have on the device? The latest firmware, 2.1.51, is available and can be downloaded from www.cisco.com.

Thanks,

Nitin.

tato386
Frequent Contributor

Hello Nitin:

I solved the problem and it seems to be a bug on the SA520 side. I started with the V1.1 firmware version and upgraded to V2.1.51 and the bug was still there. Here is what I found:

I have only one tunnel with one ISAKMP policy.  Because the PIX on the other end was already using DH2 for the ISAKMP I configured the SA520 with DH2 for ISAKMP.  The tunnel came up so I thought all settings were OK but the tunnel would drop periodically like I mentioned above.

A couple of days ago I was troubleshooting and I was lucky enough to have a debug session going on the PIX side. What I saw was that when the tunnel expired the SA520 tried to renegotiate, which is normal. HOWEVER, what is not normal is that it tried to establish the ISAKMP Phase 1 for several minutes using DH1, which the PIX did not accept. Finally, after a few minutes, the SA520 tried with DH2 and the tunnel came up.

So the bug is that the SA520 tries ISAKMP with DH2 even though the policy states DH2. In my case I simply configured both sides for DH1 and it seems to be OK since then.

Thanks for all your help.

Rgds,

Diego
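The failure mode Diego describes is an IKEv1 Phase 1 proposal mismatch: after the ISAKMP SA lifetime expires, the initiator offers a transform the responder has no matching policy for, the responder answers with no proposal chosen, and the tunnel stays down until an offer finally matches. The Python model below, added here as an illustration and not code from the original post or from Cisco, replays that responder-side matching and a sequence of rekey attempts. The matching rule (exact match on encryption, hash, authentication and DH group; the initiator's lifetime must be less than or equal to the responder's, and the shorter lifetime is negotiated) follows Cisco's documented IKE policy matching. The sample policies, the retry interval and the attribute values are constructed for the example; the thread does not give the actual configuration. One caveat a practitioner would want on top of the workaround in the thread: DH group 1 is 768-bit MODP and is considered weak, so moving both ends down to DH1 trades the outage for a weaker Phase 1 exchange, which the example flags.

```python
"""IKEv1 Phase 1 (ISAKMP) proposal matching and a simulated rekey outage.

Added example; not Cisco code and not from the original forum post.
Policy values, retry interval and sample proposals are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# MODP group sizes in bits: RFC 2409 (groups 1 and 2), RFC 3526 (groups 5 and 14).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


@dataclass(frozen=True)
class IkePolicy:
    """One Phase 1 policy, i.e. one 'isakmp policy N' block on a PIX/ASA-style device."""
    priority: int         # lower number = higher priority
    encryption: str       # e.g. "3des", "aes-128"
    hash_alg: str         # "md5" or "sha"
    authentication: str   # "pre-share" or "rsa-sig"
    dh_group: int         # Diffie-Hellman group number
    lifetime: int         # ISAKMP SA lifetime in seconds


def matches(responder: IkePolicy, offered: IkePolicy) -> bool:
    """Exact match on the four crypto attributes; the initiator's lifetime
    must be less than or equal to the responder's (shorter lifetime wins)."""
    return (responder.encryption == offered.encryption
            and responder.hash_alg == offered.hash_alg
            and responder.authentication == offered.authentication
            and responder.dh_group == offered.dh_group
            and offered.lifetime <= responder.lifetime)


def select_phase1(responder_policies: List[IkePolicy],
                  offered: List[IkePolicy]) -> Optional[IkePolicy]:
    """Responder-side selection: walk own policies in priority order and accept
    the first offered transform that matches. None models NO-PROPOSAL-CHOSEN."""
    for policy in sorted(responder_policies, key=lambda p: p.priority):
        for proposal in offered:
            if matches(policy, proposal):
                return IkePolicy(policy.priority, policy.encryption, policy.hash_alg,
                                 policy.authentication, policy.dh_group,
                                 min(policy.lifetime, proposal.lifetime))
    return None


def rekey_outage(attempts: List[List[IkePolicy]],
                 responder_policies: List[IkePolicy],
                 retry_seconds: int) -> Optional[int]:
    """Replay repeated Phase 1 attempts after SA expiry. Returns seconds of
    outage before the first accepted attempt, or None if none was accepted."""
    for i, offered in enumerate(attempts):
        if select_phase1(responder_policies, offered) is not None:
            return i * retry_seconds
    return None


def dh_group_warning(group: int, minimum_bits: int = 2048) -> Optional[str]:
    """Flag DH groups below a minimum modulus size (group 1 is 768-bit MODP)."""
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        return f"DH group {group}: size not in table, review manually"
    if bits < minimum_bits:
        return f"DH group {group} is {bits}-bit MODP, below {minimum_bits}-bit: treat as weak"
    return None


# Constructed responder: a single policy that only accepts DH group 2 (illustrative values).
PIX_POLICIES = [IkePolicy(10, "3des", "sha", "pre-share", 2, 86400)]

# Constructed initiator offers: the same attributes with DH group 1, then with DH group 2.
OFFER_DH1 = IkePolicy(1, "3des", "sha", "pre-share", 1, 28800)
OFFER_DH2 = IkePolicy(1, "3des", "sha", "pre-share", 2, 28800)


def demo() -> dict:
    """Run the scenario from the thread: three DH1 offers rejected, fourth offer (DH2) accepted."""
    attempts = [[OFFER_DH1], [OFFER_DH1], [OFFER_DH1], [OFFER_DH2]]
    return {
        "dh1_result": select_phase1(PIX_POLICIES, [OFFER_DH1]),
        "dh2_result": select_phase1(PIX_POLICIES, [OFFER_DH2]),
        "outage_seconds": rekey_outage(attempts, PIX_POLICIES, retry_seconds=60),
        "dh1_warning": dh_group_warning(1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the DH1 offers come back as None (no proposal chosen) while the DH2 offer is accepted with the shorter 28800-second lifetime; the outage is the number of rejected attempts times the retry interval. The same structure works for checking a planned policy change on both ends before deploying it: put each side's policies in one list and confirm `select_phase1` returns a match in both directions.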