11-11-2008 12:25 PM - edited 03-06-2019 02:25 AM
I'm trying to configure an L2L IPsec VPN between a Cisco 7200 router and a Microsoft ISA Server 2006 with Service Pack 1.
The VPN is up and running, but every 2 hours the ISAKMP goes down for a few minutes (2 or 3).
We changed the lifetimes (matching both sides), and no matter what value we set in the policy, the ISAKMP always comes up with 2 hours as the lifetime value.
Do you have any idea?
11-11-2008 01:37 PM
Judith
There is a lifetime for ISAKMP and a lifetime for IPSec/ESP. Are you changing the ISAKMP lifetimes or the IPSec/ESP lifetimes?
Perhaps it would be helpful if you would post the related parts of your config with indications of what specifically you have changed so that we can see the details of how it is set up.
HTH
Rick
11-12-2008 06:53 AM
Hi,
Here is my configuration:
crypto isakmp policy 320
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key
crypto ipsec transform-set 3DES-MD5-TFORM esp-3des esp-md5-hmac
crypto map CRYPTO-MAP 320 ipsec-isakmp
 set peer 12.123.45.6
 set transform-set 3DES-MD5-TFORM
 match address HOUSTON_CMAP
I've been changing the ISAKMP lifetime and kept the default value for the IPsec lifetime.
Thanks
11-12-2008 07:41 AM
Try a debug crypto isakmp during your production's off-peak hours. Post it here and let's analyze.
11-12-2008 08:13 AM
Judith
Thanks for posting the information that I asked about. I do not see any particular issue in the config and it certainly should get ISAKMP past 2 hours. I wonder if the issue may be in the way that the Microsoft ISA Server 2006 is setting ISAKMP lifetime on its end. Perhaps John's suggestion of running debug for ISAKMP would show the negotiation and clarify where the 2 hours is coming from.
HTH
Rick
11-17-2008 09:27 AM
Thanks all for your advice.
I used to have other policy definitions before this one, and when I moved it to the top of the list the VPN came up with the right configuration.
regards,
judith
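An added example, not part of the original posts: a configuration check for the situation resolved above, where a policy earlier in the list is negotiated instead of the intended one. It assumes lower-numbered ISAKMP policies are tried first; policy 10 and its 7200-second lifetime are constructed, since the thread does not show the other policies.

```python
import re

# Constructed sample. Policy 320 is the one posted in the thread; policy 10 is
# hypothetical, since the thread does not show the earlier policies.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp policy 320
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 43200
"""

# Values classic IOS assumes when a line is absent from the running config.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
MATCH_KEYS = ("encr", "hash", "authentication", "group")


def parse_policies(config):
    """Return {priority: attributes} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), dict(DEFAULTS))
        elif current is not None and line[:1].isspace():
            key, _, value = line.strip().partition(" ")
            key = "encr" if key == "encryption" else key
            if key in DEFAULTS:
                current[key] = value.strip()
        else:
            current = None  # left the policy block
    return policies


def shadowing_policies(policies, intended):
    """Lower-numbered policies with the same proposal but another lifetime."""
    want = policies[intended]
    return [(prio, int(p["lifetime"])) for prio, p in sorted(policies.items())
            if prio < intended
            and all(p[k] == want[k] for k in MATCH_KEYS)
            and p["lifetime"] != want["lifetime"]]


if __name__ == "__main__":
    print(shadowing_policies(parse_policies(SAMPLE_CONFIG), 320))
```

Any policy it reports can be selected ahead of the intended one, which would leave the SA with that policy's lifetime.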
11-17-2008 09:39 AM
Judith
Thank you for posting back to this thread that you have solved the problem and what you did that solved the problem. It helps make the forum more useful when people can read about a problem and can read what was done that solved the problem.
I am glad that you found a solution to this problem.
HTH
Rick