I've been struggling to understand some debug output from my ASA, which has a VPN configured with a remote Checkpoint.
In short, the problem is within the P1 & P2 rekey timers. I've defined both timers as 28800 (8 hours). We've matched up these timers since Checkpoint firewalls will automatically delete P2 SAs after a P1 rekey. An ASA, however, will keep sending packets using the existing P2 SA until its remaining lifetime runs out.
Having said that, the IPSec tunnel will go down every 6 hours. This is strange, since the timers have been set to 8 hours. After grabbing a debug output from the ASA, I've found these two messages within the output of a successful tunnel coming up:
2015-12-22,"13:26:17","Local5","Debug","ASA-HOSTNAME","%ASA-7-715080: Group = REMOTE_PEER, IP = REMOTE_PEER, Starting P1 rekey timer: 21600 seconds."
2015-12-22,"13:26:17","Local5","Debug","ASA-HOSTNAME","%ASA-7-715080: Group = REMOTE_PEER, IP = REMOTE_PEER, Starting P2 rekey timer: 24480 seconds."
This indicates that the rekey will take place before any of the actual defined timers run out. How is this possible?
Running 'show crypto ikev1 sa detail' and 'show crypto ipsec sa peer *.*.*.*' validates that the timers are 28800 seconds. After clearing the tunnels, the remaining lifetime also matches up on both P1 and P2 and will show a value higher than the ones set in the debug output.
I'm wondering why these timer values are different in the debug logs compared to the actual configured values and the values produced by the show commands.
I hope somebody can shed some light on this!
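As an added example (not part of the original post and not Cisco code), the following Python parses %ASA-7-715080 "Starting P1/P2 rekey timer" messages out of the CSV-style syslog lines quoted above and compares each timer with the configured IKE/IPsec lifetime. The two sample lines are constructed to match the shape of the post's output, and the 28800-second lifetime is the value stated in the post; the parser makes it easy to see, across a whole log export, what fraction of the configured lifetime each rekey timer represents.

```python
import re

# Constructed sample lines, shaped like the two debug messages quoted in the post.
SAMPLE_LOG = [
    '2015-12-22,"13:26:17","Local5","Debug","ASA-HOSTNAME","%ASA-7-715080: Group = REMOTE_PEER, IP = REMOTE_PEER, Starting P1 rekey timer: 21600 seconds."',
    '2015-12-22,"13:26:17","Local5","Debug","ASA-HOSTNAME","%ASA-7-715080: Group = REMOTE_PEER, IP = REMOTE_PEER, Starting P2 rekey timer: 24480 seconds."',
    '2015-12-22,"13:26:18","Local5","Debug","ASA-HOSTNAME","%ASA-7-713905: Group = REMOTE_PEER, IP = REMOTE_PEER, some unrelated message"',
]

# Lifetime configured on both peers, as stated in the post (seconds).
CONFIGURED_LIFETIME = 28800

# Matches only the rekey-timer message; other 715080 messages are ignored.
REKEY_RE = re.compile(
    r"%ASA-7-715080: Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), "
    r"Starting (?P<phase>P[12]) rekey timer: (?P<secs>\d+) seconds"
)


def parse_rekey_timers(lines):
    """Return one dict per 'Starting Px rekey timer' message found in lines."""
    timers = []
    for line in lines:
        m = REKEY_RE.search(line)
        if not m:
            continue
        timers.append({
            "group": m.group("group"),
            "ip": m.group("ip"),
            "phase": m.group("phase"),
            "timer_secs": int(m.group("secs")),
        })
    return timers


def compare_with_lifetime(timers, lifetime_secs=CONFIGURED_LIFETIME):
    """Annotate each timer with its ratio to the configured lifetime and the
    margin (seconds) the rekey fires before the SA would expire."""
    report = []
    for t in timers:
        ratio = t["timer_secs"] / lifetime_secs
        report.append({
            **t,
            "lifetime_secs": lifetime_secs,
            "ratio": round(ratio, 4),
            "margin_secs": lifetime_secs - t["timer_secs"],
            "fires_early": t["timer_secs"] < lifetime_secs,
        })
    return report


if __name__ == "__main__":
    for entry in compare_with_lifetime(parse_rekey_timers(SAMPLE_LOG)):
        print(f"{entry['phase']}: timer={entry['timer_secs']}s "
              f"lifetime={entry['lifetime_secs']}s "
              f"ratio={entry['ratio']} margin={entry['margin_secs']}s")
```

Run it against a full syslog export (one line per list element) rather than the three constructed lines to see whether the ratio stays constant across tunnel establishments, which is the first thing to check before comparing against the show command output.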