Firewalls
L2L VPN timing out, even after keepalives set... Sep 20 2007 09:51PM
Dan Denton (ddenton remitpro com) (2 replies)
RE: L2L VPN timing out, even after keepalives set... Sep 24 2007 11:01PM
Wozny, Scott \(US - New York\) (swozny deloitte com) (2 replies)
What you really need to do is dig through the logs on either end for errors regarding rekeying. One thing I have noticed is that if your isakmp SA lifetime is shorter than your IPSEC (crypto map) SA lifetime then I have seen regular tunnel drops occur. Also, you didn't say what the resolution to the drop is. If it just comes back on its own after a short period of time (which I'm sure feels like forever to your users) then my first guess is that the ISAKMP SA is coming to an end at the same time crypto map rekeying is due and it's requiring new "interesting" traffic to renegotiate the tunnel from scratch. To the best of my knowledge the related standards don't require one to be greater than the other, but in every config guide I've seen, the ISAKMP SA always has a lifetime longer than the IPSEC SA and the one time I tried it the other way around I got an unstable tunnel, however YMMV. I never got to a final root cause when I encountered this, but it may be worth a look. Otherwise, it's off to the log viewer with you.

HTH,

Scott A. Wozny
Deloitte ERS

-----Original Message-----
From: Dan Denton [mailto:ddenton (at) remitpro (dot) com]
Sent: Thursday, September 20, 2007 5:52 PM
To: firewalls (at) securityfocus (dot) com
Subject: L2L VPN timing out, even after keepalives set...

Hello list,

I have a Cisco 506e and 515e that are endpoints in an L2L VPN. The VPN works great, except one issue. The VPN seems to drop whenever the rekey time limit is reached, even though I have keepalives set for each SA.

The default rekey time is 8 hours, and sometimes this falls into the middle of the day and you can imagine how that might irk some people. I've used the "isakmp keepalive 20" command on both firewalls, but it doesn't make a difference.

Any help and suggestions are greatly appreciated...

Dan

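A quick check for the lifetime ordering Scott describes, added here as an example and not taken from anyone in the thread: it parses the PIX 6.x `isakmp policy ... lifetime` and `crypto ipsec security-association lifetime seconds` lines (plus per-crypto-map overrides) from a saved config and flags any phase 1 policy whose lifetime is shorter than a phase 2 lifetime it would protect. The 86400 s / 28800 s defaults and the sample config are assumptions, not values from the posts.

```python
import re

# PIX 6.x defaults, assumed here rather than taken from the thread:
# ISAKMP (phase 1) SA 86400 s; IPsec (phase 2) SA 28800 s, the "8 hours" Dan mentions.
DEFAULT_ISAKMP_LIFETIME = 86400
DEFAULT_IPSEC_LIFETIME = 28800

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+)(?: (\d+))?")
GLOBAL_IPSEC_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)$")
MAP_IPSEC_RE = re.compile(
    r"^crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)$")


def parse_lifetimes(config):
    """Collect the ISAKMP lifetime per policy number and the IPsec lifetime per
    scope: 'global', or 'map:seq' for a crypto map entry that overrides it."""
    isakmp, ipsec = {}, {"global": DEFAULT_IPSEC_LIFETIME}
    for raw in config.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            num = int(m.group(1))
            isakmp.setdefault(num, DEFAULT_ISAKMP_LIFETIME)  # any policy line declares it
            if m.group(2) == "lifetime":
                isakmp[num] = int(m.group(3))
        elif m := GLOBAL_IPSEC_RE.match(line):
            ipsec["global"] = int(m.group(1))
        elif m := MAP_IPSEC_RE.match(line):
            ipsec[f"{m.group(1)}:{m.group(2)}"] = int(m.group(3))
    return isakmp, ipsec


def find_misordered(isakmp, ipsec):
    """Return (policy, scope, isakmp_s, ipsec_s) for each pairing where the
    phase 1 SA is shorter-lived than the phase 2 SA: Scott's rule of thumb."""
    return [(p, s, pl, sl)
            for p, pl in sorted(isakmp.items())
            for s, sl in sorted(ipsec.items())
            if pl < sl]


# Constructed PIX 6.x fragment, not Dan's real config: phase 1 expires hourly
# while the global phase 2 lifetime is still the 8-hour default.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp keepalive 20
crypto ipsec security-association lifetime seconds 28800
crypto map l2lmap 20 ipsec-isakmp
crypto map l2lmap 20 set security-association lifetime seconds 1800
"""

if __name__ == "__main__":
    for p, s, pl, sl in find_misordered(*parse_lifetimes(SAMPLE_CONFIG)):
        print(f"isakmp policy {p} ({pl}s) is shorter than ipsec lifetime for {s} ({sl}s)")
```

Only the global 28800 s scope is flagged for the sample; the map entry with its own 1800 s lifetime is already shorter than the 3600 s phase 1 policy.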
RE: L2L VPN timing out, even after keepalives set... Oct 01 2007 03:50PM
Dan Denton (ddenton remitpro com)
RE: L2L VPN timing out, even after keepalives set... Sep 25 2007 01:23PM
Dan Denton (ddenton remitpro com)
Re: L2L VPN timing out, even after keepalives set... Sep 24 2007 06:48PM
Miguel Rodrigues (miguelfv gmail com)
Copyright 2010, SecurityFocus