04-24-2003 01:40 AM - edited 02-21-2020 12:29 PM
Problem: IPSEC tunnel configured as pre-share/des/md5 between PIX Firewall(s) & VPN 3030 Concentrator intermittently hangs. When this occurs the PIX is showing the SA as still being active (show crypto ipsec sa) whereas the 3030 doesn't. Only solution is to reboot the PIX so SA gets re-established.
PIX Firewall(s) running 6.2 & 6.3
VPN Concentrator running 3.6.3
04-24-2003 12:23 PM
Hi,
It could be a rekey issue on IKE/IPSec; try using 3.6.7D on the concentrator, if you are using already, or 4.0 if you will.
If it doesn't help, open a TAC case with the necessary debugs/logs for it to be taken up with the dev.
thx
Afaq
06-09-2003 06:39 AM
Did you get a resolution? We have a similar problem between a PIX 501 and PIX 515.
06-10-2003 07:15 AM
The TAC response was to make lifetimes identical on PIX & 3030 which didn't make any difference.
06-09-2003 07:04 AM
We experienced the same problem you described in your message. Here's a summary of how I was able to fix it.
If the peer (PIX in your case) proposes a shorter lifetime measurement, the Concentrator will use that measurement instead. That being said, you have to make sure the PIX is the one calling the shots when it comes to lifetime duration. To change the values on the Concentrator go to:
Configuration | Policy Management | Traffic Management | Security Associations and select the L2L SA. Make sure the Lifetime Measurement is set to Time and the Time Lifetime value is a longer duration than what's configured on the PIX.
My two cents.
Cody Rowland
Infrastructure Engineer
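
The lifetime check described in the reply above, as an added example that is not part of the thread or of any Cisco tool: it reads the IPsec SA lifetime each peer gets from a PIX configuration and flags tunnels where the Concentrator's Time Lifetime is not strictly longer. The sample configuration, the peer addresses and the Concentrator values are constructed, and the 28800-second PIX default is an assumption to confirm against your software version.

```python
import re

# Assumption: PIX default IPsec SA lifetime (seconds) when nothing overrides it.
PIX_DEFAULT_IPSEC_LIFETIME = 28800

GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")

# Constructed sample: entry 10 inherits the global value, entry 20 overrides it.
SAMPLE_PIX_CONFIG = """
crypto ipsec security-association lifetime seconds 3600
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer 192.0.2.10
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 set peer 198.51.100.20
crypto map vpn 20 set security-association lifetime seconds 28800 kilobytes 4608000
"""

def pix_lifetimes(config):
    """Return {peer address: effective IPsec SA lifetime in seconds}."""
    global_life = PIX_DEFAULT_IPSEC_LIFETIME
    peers, per_entry = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            global_life = int(m.group(1))
        elif m := MAP_RE.match(line):
            per_entry[(m.group(1), m.group(2))] = int(m.group(3))
        elif m := PEER_RE.match(line):
            peers[(m.group(1), m.group(2))] = m.group(3)
    # A per-entry lifetime wins over the global one, wherever it appears.
    return {ip: per_entry.get(key, global_life) for key, ip in peers.items()}

def check(config, concentrator_lifetimes):
    """List peers whose Concentrator Time Lifetime is not longer than the PIX's.

    concentrator_lifetimes: {peer address: Time Lifetime in seconds}, copied by
    hand from the L2L SA on the Concentrator (hypothetical input format).
    """
    findings = []
    for peer, pix_life in sorted(pix_lifetimes(config).items()):
        conc = concentrator_lifetimes.get(peer)
        if conc is None:
            findings.append((peer, "no concentrator value supplied"))
        elif conc <= pix_life:  # equal lifetimes are flagged too
            findings.append((peer, f"concentrator {conc}s <= PIX {pix_life}s"))
    return findings

if __name__ == "__main__":
    print(check(SAMPLE_PIX_CONFIG, {"192.0.2.10": 28800, "198.51.100.20": 28800}))
```
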