cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
629
Views
0
Helpful
4
Replies

IPSEC L2L Tunnel hanging between PIX & VPN Concentrator

steve.wadge
Level 1
Level 1

Problem: IPSEC tunnel configured as pre-share/des/md5 between PIX Firewall(s) & VPN 3030 Concentrator intermittently hang. When this occurs the PIX is showing the SA as still being active (show crypto ipsec sa) whereas the 3030 doesn't. Only solution is to reboot the PIX so SA gets re-established.

PIX Firewall(s) running 6.2 & 6.3

VPN Concentrator running 3.6.3

4 Replies 4

afakhan
Level 4
Level 4

Hi,

it could be a rekey issue on IKE/IPSec, try using 3.6.7D on the concentrator, if you are using already, or 4.0 if you will.

If it doesn't help, open a TAC case with the necessary debugs/logs for it to be taken up with the dev.

thx

Afaq

scoe
Level 1
Level 1

did you get a resolution? We have a similar problem btween a PIX 501 and PIX 515.

The TAC response was to make lifetimes identical on PIX & 3030 which didn't make any difference.

cody.rowland
Level 1
Level 1

We experienced the same problem you described in your message. Here's a summary of how I was able to fix it.

If the peer (PIX in your case) proposes a shorter lifetime measurement the Concentrator will use that measurement instead. That being said, you have to make sure the PIX is the one calling the shots when it comes to lifetime duration. To change the values on the Concentrator go to:

Configuration | Policy Management | Traffic Management | Security Associations and select the L2L SA. Make sure the Lifetime Measurement is set to Time and the Time Lifetime value is a longer duration than what's configured on the PIX.

My two cents.

Cody Rowland

Infrastructure Engineer