IPSEC SA renegotiation

j.beckner
Level 1

I have IPsec tunnels between ten remote IOS routers and a central IOS router. When the IPsec SA expires after 3600 seconds we are consistently getting data loss through the tunnel. This is causing havoc with some HP DTCs which don't seem to handle the data loss very well. The Cisco documentation says that a new security association is negotiated 30 seconds before the lifetime is reached "to ensure that a new security association is ready for use when the old one expires." Has anyone else run into this? One fix is to increase the lifetime.

Thank you,

Joe

2 Replies

mnaveen
Level 1

I suspect that if the ISAKMP and IPsec SA lifetimes are both set the same (say 3600 secs), it might take a longer time to renegotiate a new SA. This is because both IKE and IPsec parameters need to be renegotiated. Try values like ISAKMP=10000 secs and IPsec=5000 secs and see if it still results in the same problem. If it persists, it could be an IOS bug. By the way, which IOS version are you using?
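
The lifetime settings discussed above, shown as an added IOS configuration example rather than anything posted in this thread. The policy number, crypto map name, access list number and peer address are hypothetical placeholders; only the lifetime commands themselves are the point.

```text
! Added example (not from the original thread). Policy number, map name,
! ACL number and peer address are placeholders.
!
! --- Defaults, as the poster currently has them: ISAKMP 86400 s, IPsec 3600 s,
! so the IPsec SA is rekeyed every hour. Other policy parameters (encryption,
! hash, authentication, DH group) are unchanged and omitted here.
crypto isakmp policy 10
 lifetime 86400
!
crypto ipsec security-association lifetime seconds 3600
!
! --- Staggered lifetimes as suggested in the reply: ISAKMP 10000 s, IPsec 5000 s.
! The ISAKMP lifetime is set inside the policy; the IPsec lifetime is a global
! default that applies to every crypto map entry unless overridden.
crypto isakmp policy 10
 lifetime 10000
!
crypto ipsec security-association lifetime seconds 5000
!
! Optional: override the global IPsec lifetime for one crypto map entry only
! (placeholders: VPNMAP, TS, ACL 101, peer 192.0.2.1).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 101
 set security-association lifetime seconds 5000
!
! --- Verification (exec mode, not configuration):
! show crypto ipsec security-association lifetime   -> the global seconds/kilobytes values
! show crypto isakmp sa                             -> phase 1 SAs and their state
! show crypto ipsec sa                              -> per-SA "remaining key lifetime (k/sec)"
! clear crypto sa                                   -> force renegotiation under the new values
```

Two things worth knowing when applying this. First, changing a lifetime does not alter SAs that are already established; they run out their old timers, and `clear crypto sa` (or waiting for the next expiry) is what brings the new values into effect, so do it in a maintenance window because it drops the tunnel momentarily. Second, the IPsec SA also has a volume lifetime (`crypto ipsec security-association lifetime kilobytes`, default 4608000 KB); on a busy tunnel the SA can expire on traffic volume before the seconds value is reached, so raising the time-based lifetime alone may not remove the rekeys you are seeing. The `show crypto ipsec sa` output reports both remaining counters on the same line.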

The lifetimes are set for default; ISAKMP 86400 sec and IPSEC 3600 sec.

The central site is 2651 ver 12.2(11)T, the remote sites are 1720 with 12.1(1)XC.

I have a case open at TAC. They are sending a new AIM VPN module which I plan to install today; I have my doubts about that, but you never know. Also, when I'm working on the network today I'm going to increase the IPsec lifetime to 86400, but maybe I should make it slightly different as you suggested.

Thanks for the tip,