04-12-2005 07:16 AM - edited 02-21-2020 01:42 PM
Ok, I need some help. I'm sure this has something to do with the lifetime, but I can't seem to figure it out.
I create a LAN-to-LAN connection from my vpn 3000 to a 1721 Cisco router using a VPN Module. I set up both the IKE SA and the IPSEC SA on both ends. The LAN-to-LAN connection is established and I have connectivity. I'm happy!
Well, here is the issue. After the LAN-to-LAN connection has remained active for, say, 6 months, I get back into the VPN and check the sessions. I now have 10 LAN-to-LAN connections, all connected to the same site. Only one of these sessions is passing traffic and has both the IKE tunnel and IPsec tunnel established. All the others, which aren't passing traffic, are just IPsec tunnels (no IKE tunnel) remaining active and using up my active sessions. It seems to me that these IPsec tunnels aren't terminating. I need help. Can you please shed some light on this subject for me?
Thanks in advance!!
04-16-2005 05:54 PM
How is the ACL that defines the interesting traffic on the Cisco 1721 or 3000 device (they should be mirror images of each other) defined? Are you using one entry to match both LANs (such as permit ip subnetA/maskA subnetB/maskB), or are you using separate entries for each port/protocol (such as permit tcp host a host b followed by permit udp host c host d, etc.)?
Also, look at the lifetimes of the IPsec SAs on both devices. You should use the same value for each device, but if the 1721 uses a lower value, it could be that the 3000 code never clears out the IPsec SA for a long period of time. I think the default value is somewhere around 4 GB, or 4 MB, which means it does not time out for some number of months/years.
What level of code are you running on the 1721 and the 3000 devices?
Let me know what you find.
04-20-2005 08:56 AM
Just following up to see if my prior post was of any assistance, or if you need more help.
04-25-2005 11:02 AM
Thank you for your response. I am still having some difficulties with it, but I have modified some ACLs as you suggested and we will see if this resolves the issues. They weren't mirror images of each other because I had some issues with connectivity. I have switched them to be exact mirrors and we will wait and see what we find.
Thank you for your help. Once I find out if it worked or not, I will post it.
As for the lifetimes, they were identical.
Versions were 4.0.2 for VPN and 12.2(8)T5 for the 1721 router.
06-10-2005 08:13 AM
Well, it appears as though they are still having issues. I am still getting IPsec tunnels that never go away.
The ACLs are exact and everything looks to be mirror-like on each side. I am unsure at this point what is causing this.
06-12-2005 08:16 AM
Now that the ACLs are mirror images, the IKE and IPsec SA lifetimes need to match. Ensure that both configs have the same values. I recommend using 8 hours (28800 seconds) for the IPsec SA and 24 hours (86400 seconds) for the IKE SA lifetime values.
Try that and let me know how it works.
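The two conditions the replies above ask the poster to verify (the 04-16 reply: a crypto ACL that is a single "permit ip" entry and a mirror image of the other side; the 06-12 reply: IKE and IPsec SA lifetimes that match on both ends) can be checked mechanically before waiting months for stale SAs to pile up again. The script below is an added example written for this page, not code from the thread or from Cisco. It assumes a constructed IOS fragment for the 1721 side (addresses, ACL number 101 and the crypto map name L2L are made up) and a small dictionary of values read off the VPN 3000 GUI for the same LAN-to-LAN entry (the concentrator's "local" network is the router's "remote" network). It handles numbered ACLs only.

```python
import ipaddress
import re

# Constructed sample: the 1721 (IOS) side, trimmed to the lines that matter.
# Addresses, ACL number and map name are made up for this example.
ROUTER_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map L2L 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-3DES-SHA
 match address 101
"""

# Constructed sample: values read from the VPN 3000 GUI for the same L2L entry.
# The concentrator's local network is the router's remote network and vice versa.
CONCENTRATOR = {
    "local_network": "10.2.0.0/16",
    "remote_network": "10.1.0.0/16",
    "ike_lifetime": 86400,
    "ipsec_lifetime": 28800,
    "ipsec_lifetime_measurement": "time",   # "time" or "data"
}


def _addr_spec(tokens):
    """Consume one IOS ACL address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = "32" if tokens[1] == "0.0.0.0" else tokens[1]
    # ipaddress accepts a wildcard (host) mask after the slash, e.g. 10.1.0.0/0.0.255.255
    return ipaddress.ip_network(f"{tokens[0]}/{wildcard}"), tokens[2:]


def parse_router(config):
    """Extract IKE lifetime, IPsec SA lifetime and the crypto ACL entries from an IOS fragment."""
    lines = config.splitlines()
    ike_lifetime = 86400        # IOS default when the policy has no 'lifetime' line
    global_ipsec, map_ipsec = 3600, None   # IOS default; a per-map value overrides global
    acl_num, section = None, ""
    for line in lines:
        if not line.startswith(" "):
            section = line.strip()
            m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)", section)
            if m:
                global_ipsec = int(m.group(1))
            continue
        cmd = line.strip()
        if section.startswith("crypto isakmp policy"):
            m = re.match(r"lifetime (\d+)", cmd)
            if m:
                ike_lifetime = int(m.group(1))
        elif section.startswith("crypto map"):
            m = re.match(r"match address (\S+)", cmd)
            if m:
                acl_num = m.group(1)
            m = re.match(r"set security-association lifetime seconds (\d+)", cmd)
            if m:
                map_ipsec = int(m.group(1))
    entries = []
    if acl_num:
        for line in lines:
            m = re.match(rf"access-list {re.escape(acl_num)} permit (\S+) (.+)", line)
            if m:
                src, rest = _addr_spec(m.group(2).split())
                dst, _ = _addr_spec(rest)
                entries.append((m.group(1), src, dst))
    return {"ike_lifetime": ike_lifetime,
            "ipsec_lifetime": map_ipsec if map_ipsec is not None else global_ipsec,
            "acl": entries}


def check_l2l(router_config, concentrator):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    r = parse_router(router_config)
    findings = []
    acl = r["acl"]
    if len(acl) != 1 or acl[0][0] != "ip":
        findings.append("crypto ACL should be a single 'permit ip localnet remotenet' entry; "
                        f"found {len(acl)} entries with protocols {[e[0] for e in acl]}")
    local = ipaddress.ip_network(concentrator["local_network"])
    remote = ipaddress.ip_network(concentrator["remote_network"])
    for _, src, dst in acl:
        # Mirror image: router source == concentrator remote, router destination == concentrator local
        if src != remote or dst != local:
            findings.append(f"ACL entry {src} -> {dst} is not the mirror of "
                            f"concentrator local {local} / remote {remote}")
    if r["ike_lifetime"] != concentrator["ike_lifetime"]:
        findings.append(f"IKE lifetime differs: router {r['ike_lifetime']}s, "
                        f"concentrator {concentrator['ike_lifetime']}s")
    if r["ipsec_lifetime"] != concentrator["ipsec_lifetime"]:
        findings.append(f"IPsec SA lifetime differs: router {r['ipsec_lifetime']}s, "
                        f"concentrator {concentrator['ipsec_lifetime']}s")
    if concentrator["ipsec_lifetime_measurement"] != "time":
        findings.append("concentrator IPsec SA lifetime is measured by data, not time")
    return findings


if __name__ == "__main__":
    for f in check_l2l(ROUTER_CONFIG, CONCENTRATOR) or ["both ends agree"]:
        print(f)
```

Feed it the 1721 fragment from `show running-config` and the values from the concentrator's SA and LAN-to-LAN pages; any line it prints is something the two replies above say must be fixed before the stale IPsec SAs will stop accumulating.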
09-22-2005 06:55 AM
Ok, sorry it took so long to get back to you.
Here is the deal: ACLs are identical. I have set a lifetime in my Cisco 1700 router under the isakmp policy to 86400 and set the IPsec SA lifetime under the crypto map to 28800.
In the concentrator, under config/policy management/traffic management/SA/modify, I have set the lifetime in the IPsec parameters to 28800 and it is to use TIME, instead of DATA, as the limiting factor. I cannot find where to set the ISAKMP lifetime in the concentrator. Where do I do this?
Anyhow, to date, I am still having the multiple tunnel issue. It seems as if the additional tunnels are just IPsec tunnels not terminating. Everything looks identical on both sides.
Please let me know any helpful information as this is causing some issues on our network.
Thanks in advance!