L2L connection drops every couple of days

Hi, I have set up a LAN-to-LAN VPN tunnel between a Cisco VPN 3030 and a Cisco 1605 router. The connection works great while it is up, but I have noticed that every day or every other day the connection drops around noon and doesn't come back up until sometime during the night. I have looked at the logs on the concentrator to see if I can find something there, and I can see where the 2 of them are negotiating the connection and everything looks fine except for the following, which I am not sure what it means:

-Could not find centry for IPSec SA delete message

-Responder forcing change of IPSec rekeying duration from 28800 to to 3600


Any ideas?
Let me know if I need to post configurations.

Thanks
rh102801 Asked:
 
Paracelsius Commented:
Hi

> -Could not find centry for IPSec SA delete message
This means the remote endpoint sent a "Delete SA" message to the local endpoint. The local endpoint cannot find the corresponding SA, which the remote endpoint wants to delete. Thus it issues this message.

> -Responder forcing change of IPSec rekeying duration from 28800 to to 3600
The remote endpoint wants to set a lower rekey-timeout for the SA.

Sporadic outages of site-2-site VPN tunnels are most probably due to incorrect timeouts on both sides. This seems to be the case in the 2nd message. Take into consideration that the lifetime can be defined either by time (seconds) or volume (kBytes).

Compare the 2 configs to see if the lifetimes correspond.

Also, you might consider using "isakmp keepalive 10" so that the connection stays nailed up.

Best regards,
pC.
0
 
rh102801 Author Commented:
OK... Here is the configuration for the Tunnel on the 1605. The keepalive is set to 10 already. sure where the keepalive is set on the . Lifetime in the concentrator is 28800, should I change that to 3600 like the router seems to be doing or the other way around? I imagine that the isakmp keepalive 10 has to be set on both sides but I am not sure where in the concentrator to find that setting.


crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key Atl@nta address 68.X.X.X
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp  
 set peer 68.X.X.X
 set transform-set trans
 match address 100
0
 
batry_boy Commented:
On the concentrator, here are the places to modify the lifetime timers for IKE proposals and IPSEC SA's:

IKE Proposals (Phase I timer)
---------------------------------
Configuration - Tunneling and Security - IPSEC - IKE Proposals
   then select the proposal you are using in the "Active Proposals" window and click "Modify".  Edit the "Time Lifetime" field and enter the value you want to set it to.

IPSEC SA (Phase II timer)
-----------------------------
Configuration - Policy Management - Traffic Management - SAs
   then select the SA you are using and click "Modify".  In the "IPSEC Parameters" section, edit the "Time Lifetime" field and enter the value you want to set it to.

Make sure both the concentrator and router agree on both sets of timers and give it a shot!
0
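The timer comparison suggested in the answers above, as an added example that is not from any poster in this thread: the Python below reads the router config as posted, fills in the Cisco IOS default lifetimes for any timer that is not configured, and lists where the result differs from the concentrator. The function and variable names are hypothetical, and the concentrator's 28800 is assumed to be its IPsec SA "Time Lifetime", as the wording of the log message suggests.

```python
import re

# Cisco IOS defaults, used when the config has no explicit lifetime line.
IOS_DEFAULTS = {"ike_seconds": 86400,      # crypto isakmp policy N / lifetime
                "ipsec_seconds": 3600,     # IPsec SA lifetime in seconds
                "ipsec_kbytes": 4608000}   # IPsec SA lifetime in kilobytes

# Router config as posted in the thread (pre-shared key line left out).
ROUTER_CONFIG = """\
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp keepalive 10
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp
 set peer 68.X.X.X
 set transform-set trans
 match address 100
"""

SA_LIFETIME = re.compile(r"(?:crypto ipsec |set )security-association "
                         r"lifetime (seconds|kilobytes) (\d+)")

def effective_lifetimes(config):
    """Lifetimes the router will propose; assumes a single crypto map entry."""
    life = dict(IOS_DEFAULTS)
    section = ""
    for line in config.splitlines():
        if line and not line.startswith(" "):
            section = line                      # new top-level command
        text = line.strip()
        m = re.fullmatch(r"lifetime (\d+)", text)
        if m and section.startswith("crypto isakmp policy"):
            life["ike_seconds"] = int(m.group(1))
        m = SA_LIFETIME.fullmatch(text)         # global or per-map form
        if m:
            unit = "ipsec_seconds" if m.group(1) == "seconds" else "ipsec_kbytes"
            life[unit] = int(m.group(2))
    return life

def mismatches(router, concentrator):
    """(timer, router value, concentrator value) for each timer that differs."""
    return [(k, router[k], v) for k, v in concentrator.items() if router[k] != v]

if __name__ == "__main__":
    # Assumption: 28800 is the concentrator's IPsec SA "Time Lifetime".
    print(mismatches(effective_lifetimes(ROUTER_CONFIG), {"ipsec_seconds": 28800}))
```

With the posted config it reports ipsec_seconds as 3600 on the router against 28800 on the concentrator, the same pair of values that appears in the concentrator's log message.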
 
jimmycher Commented:
I also am getting the message, and all of my timers are set to default.
0
Question has a verified solution.
