3725 Site-Site VPN Expiry Issue.

DuncanM2008
Level 1

Hello,

I'm having a problem with an IPSec VPN (3725 -> 3725) re-negotiating before the security-association lifetime expires. This is an issue because I actually want the VPN to expire by design.

I'm basically trying to achieve a dial-on-demand feature, or dial-when-traffic-is-present, so I've got the following ACL for traffic matching:

Telnet initiates the VPN:

Extended IP access list VPN-Traffic
    10 permit tcp 10.244.1.0 0.0.0.255 10.245.1.0 0.0.0.255 eq telnet
    20 permit tcp 10.245.1.0 0.0.0.255 eq telnet 10.244.1.0 0.0.0.255
    30 permit tcp 10.245.1.0 0.0.0.255 10.244.1.0 0.0.0.255 eq telnet
    40 permit tcp 10.244.1.0 0.0.0.255 eq telnet 10.245.1.0 0.0.0.255 (34 matches)

And the following VPN config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxx address 193.50.200.2
!
!
crypto ipsec transform-set VPN-A esp-3des esp-sha-hmac
!
crypto map VPN-A 10 ipsec-isakmp
 set peer 193.50.200.2
 set security-association lifetime seconds 120      //// - Disconnect VPN after 2 minutes of being idle  - /////
 set transform-set VPN-A
 match address VPN-Traffic
 reverse-route

It seems to work from time to time, but other times it will successfully re-key / re-negotiate before the sa timer expires:

R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/39)
        sa timing: remaining key lifetime (k/sec): (4452106/39)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/38)
        sa timing: remaining key lifetime (k/sec): (4452106/38)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/32)
        sa timing: remaining key lifetime (k/sec): (4452106/32)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/31)
        sa timing: remaining key lifetime (k/sec): (4452106/31)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/29)
        sa timing: remaining key lifetime (k/sec): (4599427/119)
        sa timing: remaining key lifetime (k/sec): (4452106/29)
        sa timing: remaining key lifetime (k/sec): (4599427/119)

My ultimate objective is to ensure that after 120 seconds the VPN drops and stays down until traffic is present again.

Any thoughts?

Thanks,

Duncan.
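The snapshots quoted in the post show what an early rekey looks like from the CLI: in the last invocation a second pair of SAs with 119 s remaining appears while the original pair still has 29 s left. As an added example (not part of the original post or of any Cisco tool), the following Python checker parses pasted `show crypto ipsec sa | inc sa timing` output and flags every snapshot in which a freshly negotiated SA (remaining time close to the configured 120 s lifetime) coexists with an older SA that has not yet expired. The sample input is the output quoted above; the 90 % "freshness" threshold and all function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Configured IPsec SA lifetime from the crypto map quoted in the post:
# 'set security-association lifetime seconds 120'
CONFIGURED_LIFETIME_SEC = 120

# Constructed sample: the five 'show' invocations pasted in the post.
SAMPLE_OUTPUT = """\
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/39)
        sa timing: remaining key lifetime (k/sec): (4452106/39)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/38)
        sa timing: remaining key lifetime (k/sec): (4452106/38)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/32)
        sa timing: remaining key lifetime (k/sec): (4452106/32)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/31)
        sa timing: remaining key lifetime (k/sec): (4452106/31)
R2#sh crypto ipsec sa | inc sa timing
        sa timing: remaining key lifetime (k/sec): (4452106/29)
        sa timing: remaining key lifetime (k/sec): (4599427/119)
        sa timing: remaining key lifetime (k/sec): (4452106/29)
        sa timing: remaining key lifetime (k/sec): (4599427/119)
"""

# A prompt line such as 'R2#sh crypto ipsec sa ...' starts a new snapshot.
PROMPT_RE = re.compile(r"^\S+#\s*sh(?:ow)?\s+crypto ipsec sa", re.MULTILINE)
# The per-SA line: remaining key lifetime in kilobytes and seconds.
TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


@dataclass(frozen=True)
class SaTiming:
    remaining_kb: int
    remaining_sec: int


@dataclass(frozen=True)
class EarlyRekey:
    snapshot: int           # 0-based index of the 'show' invocation
    old_remaining_sec: int  # time left on the SA that was meant to be allowed to expire
    new_remaining_sec: int  # time on the freshly negotiated replacement SA


def parse_snapshots(show_output: str) -> list[list[SaTiming]]:
    """Split pasted CLI output at each prompt and collect the 'sa timing' lines under it."""
    snapshots: list[list[SaTiming]] = []
    # Text before the first prompt (if any) is not part of a snapshot and is skipped.
    for chunk in PROMPT_RE.split(show_output)[1:]:
        entries = [SaTiming(int(kb), int(sec)) for kb, sec in TIMING_RE.findall(chunk)]
        snapshots.append(entries)
    return snapshots


def detect_early_rekeys(snapshots: list[list[SaTiming]],
                        lifetime_sec: int = CONFIGURED_LIFETIME_SEC,
                        fresh_fraction: float = 0.9) -> list[EarlyRekey]:
    """Flag snapshots where a fresh SA (remaining time near the full configured lifetime)
    coexists with an older SA that still has time left: the tunnel rekeyed before expiry
    instead of being allowed to drop."""
    fresh_threshold = lifetime_sec * fresh_fraction
    findings: list[EarlyRekey] = []
    for idx, entries in enumerate(snapshots):
        distinct_secs = sorted({e.remaining_sec for e in entries})
        if len(distinct_secs) < 2:
            continue  # a single generation of SAs (inbound + outbound): nothing rekeyed yet
        oldest, newest = distinct_secs[0], distinct_secs[-1]
        if newest >= fresh_threshold:
            findings.append(EarlyRekey(idx, oldest, newest))
    return findings


if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE_OUTPUT)
    for f in detect_early_rekeys(snaps):
        print(f"snapshot {f.snapshot}: new SA with {f.new_remaining_sec}s remaining "
              f"installed while old SA still had {f.old_remaining_sec}s left")
```

Run against the pasted output it reports only the fifth snapshot, which is exactly the behaviour the post describes: the 120 s lifetime is honoured in the sense that no SA shows more than 120 s remaining, but a replacement pair was negotiated with 29 s still on the clock rather than letting the tunnel go down. Pasting further `show` output into `SAMPLE_OUTPUT` (or reading it from a file) turns this into a quick way to see whether a lifetime change or a different match ACL actually stops the early rekey.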

1 Reply

DuncanM2008
Level 1

Hello,

Has anyone been able to shed any light on this? I'm struggling to find any documentation that explains this or, if it's a feature, where to disable it.

Would much appreciate any assistance!

Thanks,

Duncan.