VTI Tunnel going protocol down

sachinthaplus
Level 1

Hi All

We have a VTI tunnel set up with another site over the internet. We are seeing a behavior where the tunnel interface goes protocol down during the night even though there is one active IPsec security association. During the night no traffic is passed over this SA, but it is still not deleted, while the tunnel interface (VTI) goes protocol down. So the problem is that when traffic is initiated from the remote site in the morning, it is passed to the main site via that active SA, but that does not kick the VTI tunnel UP, so the reverse traffic gets lost.

But whenever a new IPsec SA is created, that makes the tunnel come UP.

Does anyone know what this behavior is? On our end we have a CISCO3925 and the remote end has a Netscreen FW (which I don't have access to). Below are the IPsec lifetimes and other parameters:

IPSEC profile Virtual-Tunnel
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Transform sets={
Encrypt-Set: { esp-256-aes esp-sha-hmac } ,
}

Thanks in advance

Sachintha

1 Reply

Hi,

Do you have DPD (Dead Peer Detection) configured? This will clear down SAs if there is no response from the peer after a certain period. If you do not have this configured, check this link out. You probably want to configure this and make sure the Netscreen FW configures this also.

Your SA lifetime is also pretty low (3600 seconds); the default is 86400 seconds (1 day), which is usually sufficient for most organizations.

HTH
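As an added configuration example (not from either poster), here is how the DPD and lifetime settings described in the reply look on the Cisco IOS side of a VTI that uses the profile and transform set named in the question; Tunnel0, the interface names and the addresses are placeholders.

```cisco
! Added example, not the original poster's running config. Enables IKEv1
! Dead Peer Detection so an idle overnight tunnel whose peer has gone away is
! torn down, instead of leaving an SA that no longer matches the VTI state.
! Assumptions: Tunnel0, GigabitEthernet0/0, 10.255.0.1/30 and 198.51.100.2
! are placeholders; Virtual-Tunnel and Encrypt-Set come from the question.

! Periodic DPD: probe the peer every 10 s regardless of traffic, retry every
! 3 s before declaring it dead. The default "on-demand" mode only probes when
! there is outbound traffic, so it cannot detect a dead peer during an idle night.
crypto isakmp keepalive 10 3 periodic

crypto ipsec transform-set Encrypt-Set esp-aes 256 esp-sha-hmac
 mode tunnel

crypto ipsec profile Virtual-Tunnel
 ! Longer IPsec SA lifetime, as the reply suggests (question shows 3600 s).
 set security-association lifetime seconds 86400
 set transform-set Encrypt-Set
 set pfs group2

interface Tunnel0
 description VTI to remote site (the Netscreen peer must also run DPD)
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile Virtual-Tunnel

! Verification after an idle period:
!   show crypto isakmp sa    -> IKE SA should be QM_IDLE with the peer address
!   show crypto ipsec sa     -> inbound and outbound SPIs present for the SA
!   show interfaces Tunnel0  -> line protocol should track whether the SA exists
```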
