11-01-2010 07:10 PM - edited 02-21-2020 04:56 PM
Hi,
I have a Cisco 2811 version 15.1(2)T2 and a PIX501 version 6.3(3). I have configured an IPSEC VPN between the devices over the internet and all works well for the duration of the ESP SA lifetime (3600 seconds) and then I cannot get any traffic over the connection.
I have checked CCO for bugs but have yet to find any.
Any assistance would be appreciated.
Thanks.
Regards,
Andrew
11-01-2010 07:44 PM
Hi Andrew,
Looks like Phase-2 rekey is not going well.
Does the tunnel still stay up and not pass traffic? OR
Does the tunnel go down and we need to rebuild it after some time?
Post the following outputs:
show crypto isakmp sa detail (from both PIX and Router)
show crypto ipsec sa peer
show crypto ipsec sa peer
When this happens again, could you post the debugs from both the router and the PIX (debug crypto isakmp and debug crypto ipsec)?
To recreate the issue, can you reduce the ESP lifetime to, say, 10 minutes (600 seconds) and let me know if the tunnel stops working in 10 minutes?
Regards,
Praveen
11-01-2010 08:04 PM
Hi Praveen,
My thoughts exactly regarding Phase 2 rekey.
The tunnel stays up. I can see packets being encaps/encrypt'ed at both ends but no decrypt happening.
I will post the show and debug commands a little later as I am about to head out.
Also, I have done some checking and it says that by default the SA lifetime on a PIX running 6.3 software is 28800 and on a router running IOS is 3600. Is this causing an issue?
Thanks.
11-01-2010 08:46 PM
Hi Andrew,
Yes, Phase 2 SA lifetime is 28800 by default on PIX.
Now the rekey won't be smooth because, an hour after the tunnel comes up, the router thinks it should rekey but the PIX doesn't think so.
First things first, let's match the Phase 2 SA lifetime values. Make it 28800 on the router too.
Bounce the tunnel.
And let us know how it goes.
Regards,
Praveen