rh102801
asked on
L2L connection drops every couple of days
Hi I have setup a Lans-to-Lan VPN tunnel between acisco vpn 3030 and a cisco 1605 router. The connection works great while is up but I have noticed that every day or every other day the connection drops around noon and doesn't come back up until sometime during the night. I have looked at the logs on the concentrator to see if I can find something there and I can see where the 2 of them are negotiating the connection and everything looks fine except for the following which I am not sure what it means:
-Could not find centry for IPSec SA delete message
-Responder forcing change of IPSec rekeying duration from 28800 to to 3600
Any ideas?
Let me know if I need to post configuraions.
Thanks
-Could not find centry for IPSec SA delete message
-Responder forcing change of IPSec rekeying duration from 28800 to to 3600
Any ideas?
Let me know if I need to post configuraions.
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
On the concentrator, here are the places to modify the lifetime timers for IKE proposals and IPSEC SA's:
IKE Proposals (Phase I timer)
--------------------------
Configuration - Tunneling and Security - IPSEC - IKE Proposals
then select the proposal you are using in the "Active Proposals" window and click "Modify". Edit the "Time Lifetime" field and enter the value you want to set it to.
IPSEC SA (Phase II timer)
--------------------------
Configuration - Policy Management - Traffic Management - SAs
then select the SA you are using and click "Modify". In the "IPSEC Parameters" section, edit the "Time Lifetime" field and enter the value you want to set it to.
Make sure both the concentrator and router agree on both sets of timers and give it a shot!
IKE Proposals (Phase I timer)
--------------------------
Configuration - Tunneling and Security - IPSEC - IKE Proposals
then select the proposal you are using in the "Active Proposals" window and click "Modify". Edit the "Time Lifetime" field and enter the value you want to set it to.
IPSEC SA (Phase II timer)
--------------------------
Configuration - Policy Management - Traffic Management - SAs
then select the SA you are using and click "Modify". In the "IPSEC Parameters" section, edit the "Time Lifetime" field and enter the value you want to set it to.
Make sure both the concentrator and router agree on both sets of timers and give it a shot!
I also am getting the message, and all of my timers are set to default.
ASKER
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key Atl@nta address 68.X.X.X
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp
set peer 68.X.X.X
set transform-set trans
match address 100