Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1301
Views
0
Helpful
1
Replies

P1 Rekey Timer != P1 Lifetime

jshailes1
Level 1
Level 1

‎08-30-2011 03:39 AM

I'm having some problems rekeying phase 1 whereby the tunnel drops at 75% of the p1 lifetime. The lifetime is currently at 43200 secs. I've enabled debugging and have a line in the logs stating that the rekey timer is set at 32400:

Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 32400 seconds.

I'm guessing this is the root of my problem but can't fathom out why the timer would not be 43200. I've also tried changing both ends to 24 hours rather than 12 hours. This results in the tunnel dropping at 75% again at 18 hours.

If anyone has any suggestions on where to go from here I'd really appreciate it.

Labels:
0 Helpful
1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

‎09-05-2011 01:39 PM

Hi James,

the fact that the rekey timer uses a smaller value than the lifetime is expected (the actual percentage differs depending on the type of tunnel, the peer, and whether this side is initiator or responder).

This is actually done to prevent an outage at rekey time, because if we would wait until the lifetime is expired and only then do a rekey it would be too late and you would have downtime between the time the previous SA expired and the new one gets created.

So if you do see an outage at rekey time, it's caused by something else. If you want us to have a look, please post the debugs here (after removing any sensitive data).

hth

Herbert

0 Helpful
Customers Also Viewed These Support Documents