Rekey time intervals different

collinsjl

I was checking a site-to-site VPN and noticed the attached. The ASA is configured as below, so I am not sure why I am seeing a 28800 Rekey Time Interval for only one of the allowed IPs in the interesting traffic. Can someone please explain? Full disclosure: .37 and .6 are Windows Servers and .20 is an IBM i LPAR. It should not make a difference.

Distant end 172.21.255.0/24

Our end is:
10.123.34.37
10.123.34.20
10.123.34.6

SA lifetime is set to 43200 (12 hours)

IKE policy is pre-share-aes-256-sha (DH5 86400) or pre-share-aes-256-md5 (DH2 86400)
IPsec proposal is ESP-AES-256-SHA (Mode Tunnel, ESP Encryption AES-256, ESP Authorization SHA)

crypto map outside_map 13 set peer XXX.XX.XXX.XXX
crypto map outside_map 13 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 13 set security-association lifetime seconds 43200
crypto map outside_map 13 set security-association lifetime kilobytes unlimited

crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 31
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy GroupPolicy_XXX.XXX.XXX.XXX
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable

4 Replies

Are you the initiator or responder? It could be that your and the remote side's access-lists do not mirror.

Your IKEv1 lifetime is 86400. In IKEv1 the lower lifetime value always wins between two peers. I noted your configuration for IPsec is 43200. Double check your ACL with the remote site.

Please do not forget to rate.
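An added worked example, not code from anyone in this thread: it parses the phase-1 and phase-2 lifetimes out of the ASA configuration posted above and applies the lower-value-wins rule per interesting-traffic host. The lifetimes the remote peer proposes for each host (PEER_PROPOSALS) are constructed for illustration, since the distant-end configuration is not shown.

```python
import re

# Lines from the ASA configuration posted in the question (only those carrying lifetimes).
ASA_CONFIG = """\
crypto map outside_map 13 set security-association lifetime seconds 43200
crypto map outside_map 13 set security-association lifetime kilobytes unlimited
crypto ikev1 policy 30
 lifetime 86400
crypto ikev1 policy 31
 lifetime 86400
"""

# Constructed for illustration: the phase-2 lifetime the remote peer proposes for each of
# our interesting-traffic hosts. The real remote configuration is not known from the thread.
PEER_PROPOSALS = {
    "10.123.34.37": 43200,
    "10.123.34.20": 28800,  # assumed to be the host whose SA shows the 28800 s rekey interval
    "10.123.34.6": 43200,
}


def parse_asa_lifetimes(config):
    """Return ({ikev1 policy: phase-1 lifetime}, {(crypto map, seq): phase-2 lifetime seconds})."""
    ike, ipsec, policy = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            policy = int(m.group(1))  # subsequent indented lines belong to this policy
            continue
        m = re.match(r"\s*lifetime (\d+)$", line)
        if m and policy is not None:
            ike[policy] = int(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)", line)
        if m:
            ipsec[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return ike, ipsec


def negotiated_lifetime(local_seconds, remote_seconds):
    """IKEv1 lifetime negotiation: the lower of the two peers' values is what both end up using."""
    return min(local_seconds, remote_seconds)


def rekey_report(local_seconds, peer_proposals):
    """Per host: (effective rekey interval, True if the peer pulled it below our configured value)."""
    report = {}
    for host, remote_seconds in peer_proposals.items():
        effective = negotiated_lifetime(local_seconds, remote_seconds)
        report[host] = (effective, effective != local_seconds)
    return report
```

Running `rekey_report(parse_asa_lifetimes(ASA_CONFIG)[1][("outside_map", 13)], PEER_PROPOSALS)` flags only the host whose peer-side lifetime is lower than 43200, which is the pattern to look for when comparing against the distant end's configuration.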

Thanks for the response. I was hoping it was some hidden rule that I was unaware of. So I am guessing this will go unanswered because I cannot see the distant-end config, and right now your theory is that the interesting traffic is different.

I was the initiator at the time. I logged out of the VPN and then ran a packet capture for all three interesting-traffic IPs from my end to bring them up. I am at 43200 because the distant end is at 43200.

It's not broken; it just seems odd that this happens for only the one IP. The others are showing up as expected. Unfortunately it's one of those site-to-site VPNs with 100 people from different divisions that can't tell left from right, and I have to say they are really not too helpful on the distant end. So comparing what they have is like pulling your own teeth. It terminates in France and has personnel from India running the config for an American company, so getting a simple answer as to how they are configured is always convoluted. Kind of like working with AT&T and Verizon sometimes. It takes 3-4 weeks to get a simple IP change.

Which ASA code are you running? I shall test this in the lab.

Please do not forget to rate.

9.12(2) on a 5516 in HA.