Solved

L2L connection drops every couple of days

Posted on 2006-11-10
5
4,162 Views
Last Modified: 2012-02-21
Hi, I have set up a LAN-to-LAN VPN tunnel between a Cisco VPN 3030 and a Cisco 1605 router. The connection works great while it is up, but I have noticed that every day or every other day the connection drops around noon and doesn't come back up until sometime during the night. I have looked at the logs on the concentrator to see if I can find something there, and I can see where the two of them are negotiating the connection and everything looks fine except for the following, which I am not sure what it means:

-Could not find centry for IPSec SA delete message

-Responder forcing change of IPSec rekeying duration from 28800 to 3600


Any ideas?
Let me know if I need to post configurations.

Thanks
0
Question by:rh102801
5 Comments
 
LVL 1

Accepted Solution

by:
Paracelsius earned 400 total points
ID: 17914231
Hi

> -Could not find centry for IPSec SA delete message
This means the remote endpoint sent a "Delete SA" message to the local endpoint. The local endpoint cannot find the corresponding SA which the remote endpoint wants to delete, so it issues this message.

> -Responder forcing change of IPSec rekeying duration from 28800 to 3600
The remote endpoint wants to set a lower rekey timeout for the SA.

Sporadic outages of site-to-site VPN tunnels are most probably due to incorrect timeouts on both sides. This seems to be the case in the 2nd message. Take into consideration that the lifetime can be defined either by time (seconds) or volume (kBytes).

Compare the 2 configs if the lifetimes correspond.

Also you might consider using "isakmp keepalive 10" so that the connection stays nailed up.

Best regards,
pC.
0
 

Author Comment

by:rh102801
ID: 17914513
OK... Here is the configuration for the Tunnel on the 1605. The keepalive is set to 10 already. sure where the keepalive is set on the . Lifetime in the concentrator is 28800, should I change that to 3600 like the router seems to be doing or the other way around? I imagine that the isakmp keepalive 10 has to be set on both sides but I am not sure where in the concentrator to find that setting.


crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key Atl@nta address 68.X.X.X
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp  
 set peer 68.X.X.X
 set transform-set trans
 match address 100
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 17924033
On the concentrator, here are the places to modify the lifetime timers for IKE proposals and IPSEC SAs:

IKE Proposals (Phase I timer)
---------------------------------
Configuration - Tunneling and Security - IPSEC - IKE Proposals
   then select the proposal you are using in the "Active Proposals" window and click "Modify".  Edit the "Time Lifetime" field and enter the value you want to set it to.

IPSEC SA (Phase II timer)
-----------------------------
Configuration - Policy Management - Traffic Management - SAs
   then select the SA you are using and click "Modify".  In the "IPSEC Parameters" section, edit the "Time Lifetime" field and enter the value you want to set it to.

Make sure both the concentrator and router agree on both sets of timers and give it a shot!
0
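To make the "compare the two configs" step from Paracelsius's answer and the timer-matching advice from batry_boy concrete, here is an added Python checker. It is not part of this thread and not a Cisco tool. It parses the IOS snippet posted above (pre-shared key replaced with a placeholder), applies the IOS defaults wherever no lifetime is configured, takes the concentrator's timers as a small dictionary (the 28800 s IPsec SA lifetime is the value stated in the question; the 86400 s IKE lifetime is an assumption), and reports where the two sides disagree and which value the peers will actually end up using (IKE settles on the shorter proposed lifetime).

```python
import re

# Cisco IOS defaults applied when a lifetime is not configured explicitly.
IOS_DEFAULT_ISAKMP_SECONDS = 86400    # Phase 1 (ISAKMP policy) lifetime
IOS_DEFAULT_IPSEC_SECONDS = 3600      # Phase 2 (IPsec SA) time lifetime
IOS_DEFAULT_IPSEC_KILOBYTES = 4608000 # Phase 2 (IPsec SA) volume lifetime

# Constructed sample: the 1605 config as posted in the thread, key redacted.
ROUTER_CONFIG = """\
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key PSK_PLACEHOLDER address 68.X.X.X
crypto isakmp keepalive 10
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp
 set peer 68.X.X.X
 set transform-set trans
 match address 100
"""

# Concentrator side: IPsec lifetime from the question, IKE lifetime assumed.
CONCENTRATOR = {"ike_seconds": 86400, "ipsec_seconds": 28800}


def parse_ios_lifetimes(config: str) -> dict:
    """Extract Phase 1 / Phase 2 lifetimes and the keepalive from IOS config text."""
    result = {
        "isakmp_seconds": IOS_DEFAULT_ISAKMP_SECONDS,
        "ipsec_seconds": IOS_DEFAULT_IPSEC_SECONDS,
        "ipsec_kilobytes": IOS_DEFAULT_IPSEC_KILOBYTES,
        "keepalive_seconds": None,
    }
    section = None  # which indented block we are inside: "policy", "map" or None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command: decide whether it opens a block we care about.
            if line.startswith("crypto isakmp policy"):
                section = "policy"
            elif line.startswith("crypto map ") and "ipsec-isakmp" in line:
                section = "map"
            else:
                section = None
            m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
            if m:
                result["ipsec_seconds"] = int(m.group(1))
            m = re.match(r"crypto ipsec security-association lifetime kilobytes (\d+)$", line)
            if m:
                result["ipsec_kilobytes"] = int(m.group(1))
            m = re.match(r"crypto isakmp keepalive (\d+)", line)
            if m:
                result["keepalive_seconds"] = int(m.group(1))
            continue
        # Indented sub-command of the current block.
        if section == "policy":
            m = re.match(r"\s+lifetime (\d+)$", line)
            if m:
                result["isakmp_seconds"] = int(m.group(1))
        elif section == "map":
            # A per-map lifetime overrides the global IPsec SA lifetime.
            m = re.match(r"\s+set security-association lifetime seconds (\d+)$", line)
            if m:
                result["ipsec_seconds"] = int(m.group(1))
    return result


def negotiated_lifetime(local_seconds: int, peer_seconds: int) -> int:
    """IKE peers that propose different lifetimes end up using the shorter one."""
    return min(local_seconds, peer_seconds)


def find_mismatches(router: dict, concentrator: dict) -> list:
    """Return human-readable descriptions of every timer the two sides disagree on."""
    issues = []
    pairs = (
        ("Phase 1 (IKE)", "isakmp_seconds", "ike_seconds"),
        ("Phase 2 (IPsec SA)", "ipsec_seconds", "ipsec_seconds"),
    )
    for phase, rkey, ckey in pairs:
        r, c = router[rkey], concentrator[ckey]
        if r != c:
            issues.append(f"{phase}: router {r}s vs concentrator {c}s; "
                          f"peers will rekey every {negotiated_lifetime(r, c)}s")
    return issues


if __name__ == "__main__":
    parsed = parse_ios_lifetimes(ROUTER_CONFIG)
    print("router timers:", parsed)
    for issue in find_mismatches(parsed, CONCENTRATOR) or ["timers match"]:
        print(issue)
```

Run against the posted snippet it reports that the router has no explicit Phase 2 lifetime and therefore uses the IOS default of 3600 s, against 28800 s on the concentrator, which is exactly the pair of numbers in the "Responder forcing change ... from 28800 to 3600" log line. Adding a global `crypto ipsec security-association lifetime seconds 28800` (or changing the concentrator's SA to 3600) makes the checker report no mismatch; either direction is fine as long as both sides agree, and the checker only tells you which side to touch.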
 

Expert Comment

by:jimmycher
ID: 37625421
I also am getting the message, and all of my timers are set to default.
0
