06-29-2011 01:12 AM
Hi everybody,
I have some difficulties with a VPN. On both sites the SA is configured with a lifetime of 8 hours and the max data of
536870912 KB - this is the max amount supported on PIX 506E.
The tunnel is up and running but it does not remain built for the configured lifetime. Sometimes it is still up for 2 hours and sometimes for 30 min. When the tunnel is going down I see the following syslog message:
[from ASA]
Jun 28 09:46:25 fw-syslog-messages Outside_IP_ASA %ASA-6-713219: IP = Outside_IP_PIX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 28 09:46:26 fw-syslog-messages Outside_IP_ASA %ASA-7-710006: ESP request discarded from Outside_IP_PIX to OUTSIDE:Outside_IP_ASA
Jun 28 09:46:30 fw-syslog-messages Outside_IP_ASA %ASA-7-713236: IP = Outside_IP_PIX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 144
...
[from ASA END]
Then a new SA will be started:
[from PIX]
Jun 28 09:46:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
...
[from PIX END]
[from ASA]
Jun 28 09:46:30 fw-syslog-messages Outside_IP_ASA %ASA-7-713236: IP = Outside_IP_PIX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
Jun 28 09:46:30 fw-syslog-messages Outside_IP_ASA %ASA-7-715047: IP = Outside_IP_PIX, processing SA payload
...
[from ASA END]
and a new tunnel is up.
This occurs sporadically and is remarkable because our application is connecting through the tunnel to a MySQL DB.
Configs are attached!
What can I do to make sure that the tunnel works for 8 hours uninterrupted?
Thanks for your suggestions
06-30-2011 05:44 AM
Can you try removing the kilobytes lifetime and just have the seconds lifetime configured on both ends?
06-30-2011 06:36 AM
It was already without kB in the SA. The kB I added after I saw it in the running-config from the ASA - without configuration by me, maybe a default SA config on the ASA - with an amount of 4608000 kB.
Since our data transported through the VPN is greater than this amount in 2 hours (up to 2 GB), I decided to bind the max amount supported by the PIX on the other site.
But same behavior.
06-30-2011 06:45 AM
This is actually strange because the data transported within the vpn tunnel should not get dropped.
The VPN will actually negotiate for a new key prior to the lifetime expiry, and in the meantime it will continue to use the old SA until the newly created SA is established.
Also, you are running a very very old version of PIX code. You might look to upgrade it.
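An added example, not something posted in this thread or shipped with ASA/PIX: a small Python script that reads the kind of syslog lines shown in the first post, picks out each ISAKMP Phase 1 start (%PIX-7-702208) and each ASA KEY-ACQUIRE event (%ASA-6-713219), and compares the gap between consecutive tunnel rebuilds with the configured 8-hour lifetime. It reflects the point above that a healthy peer rekeys shortly before expiry, so gaps within an assumed 20 % tolerance of the lifetime are treated as normal and only clearly early rebuilds are reported. The sample log, the year 2011 used to complete the syslog timestamps, and the tolerance value are assumptions.

```python
# Added example (not from the thread): parse ASA/PIX syslog lines for IKE Phase 1
# restarts and compare the gap between tunnel rebuilds with the configured SA lifetime.
import re
from datetime import datetime

# Message IDs as they appear in the posted syslog excerpts.
PHASE1_START = "%PIX-7-702208"  # ISAKMP Phase 1 exchange started (PIX, responder)
KEY_ACQUIRE = "%ASA-6-713219"   # ASA queues KEY-ACQUIRE: traffic arrived but no usable SA

# Format of the posted lines: "<Mon> <day> <hh:mm:ss> <relay> <device> <msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+(?P<device>\S+)\s+"
    r"(?P<msgid>%(?:ASA|PIX)-\d-\d+):\s*(?P<text>.*)$"
)

# Constructed sample (assumed timestamps; line layout copied from the thread's excerpts).
SAMPLE_LOG = """\
Jun 28 07:46:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
Jun 28 09:46:25 fw-syslog-messages Outside_IP_ASA %ASA-6-713219: IP = Outside_IP_PIX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 28 09:46:26 fw-syslog-messages Outside_IP_ASA %ASA-7-710006: ESP request discarded from Outside_IP_PIX to OUTSIDE:Outside_IP_ASA
Jun 28 09:46:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
Jun 28 10:16:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
Jun 28 18:16:30 fw-syslog-messages Outside_IP_PIX %PIX-7-702208: ISAKMP Phase 1 exchange started (local Outside_IP_PIX (responder), remote Outside_IP_ASA)
"""


def parse_line(line, year=2011):
    """Return (timestamp, device, msgid, text), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies one (2011 assumed for this thread).
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["device"], m["msgid"], m["text"]


def phase1_starts(log_text, year=2011):
    """Timestamps of every Phase 1 (re)negotiation seen on the PIX side."""
    starts = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed and parsed[2] == PHASE1_START:
            starts.append(parsed[0])
    return starts


def rekey_gaps(starts):
    """Seconds between consecutive Phase 1 starts, i.e. how long each tunnel lasted."""
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


def early_rekeys(log_text, lifetime_seconds=8 * 3600, tolerance=0.2, year=2011):
    """Gaps clearly shorter than the configured lifetime.

    A healthy peer renegotiates a little before expiry, so gaps within
    `tolerance` (20 % by default, an assumed value) of the lifetime count as normal.
    """
    threshold = lifetime_seconds * (1 - tolerance)
    return [g for g in rekey_gaps(phase1_starts(log_text, year)) if g < threshold]


def key_acquire_count(log_text, year=2011):
    """How often the ASA had traffic for the tunnel but no usable SA to send it on."""
    count = 0
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed and parsed[2] == KEY_ACQUIRE:
            count += 1
    return count


if __name__ == "__main__":
    print("tunnel lifetimes (s):", rekey_gaps(phase1_starts(SAMPLE_LOG)))  # [7200, 1800, 28800]
    print("rebuilds well before 8 h:", early_rekeys(SAMPLE_LOG))           # [7200, 1800]
    print("ASA KEY-ACQUIRE events:", key_acquire_count(SAMPLE_LOG))        # 1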
06-30-2011 06:58 AM
what's the available image for 506E?
06-30-2011 07:14 AM
The latest version available on PIX 506E is 8.0.4(28).
06-30-2011 08:11 AM
OK, I'll see when I can upgrade it. I think the configuration will change with version 8.
I hope you're right and the upgrade will solve my issue.
I'll give you an update in the next days.
Thanks