09-05-2003 04:25 AM - edited 02-21-2020 12:45 PM
Peering up my PIX (6.2) with another company's Checkpoint 4.1 for a VPN connection. One problem - the tunnel only comes up if the traffic is initiated by the Checkpoint (obviously, I can't see the config) and then everything works fine. If my PIX tries to initiate the connection - nothing is working. Is this common? Do we have our SA lifetimes set to different values?
Would really appreciate if someone can point me in the right direction.
09-06-2003 03:27 PM
You probably have your Phase 1/IKE lifetimes set differently. Phase 2 lifetimes will negotiate to the lower value, but Phase 1 won't. If the initiator's lifetime is higher than the responder's, the responder won't accept it. Make them the same on both sides.
FYI, the PIX Phase 1 lifetime defaults to 24 hrs, 86400 seconds.
09-08-2003 05:25 AM
Thank you. My peer has his lifetimes enabled globally to almost 14 days. I have tried to set the PIX to the same value, but found out that 86400 is as high as you can go - is this a security feature that cannot be overridden?
09-08-2003 04:14 PM
Yes, 86400 is the highest you can go, you wouldn't want your tunnels to be up for 14 days straight.
10-07-2003 03:22 PM
I've got a similar situation. PIX to PIX VPN, and the tunnel only initiates in one direction. But after it is up, both LANs communicate.
I verified the isakmp lifetime was set to 86400 on both PIXes. They are both running 6.3.2.