
L2L connection drops every couple of days

Posted on 2006-11-10
Last Modified: 2012-02-21
Hi, I have set up a LAN-to-LAN VPN tunnel between a Cisco VPN 3030 and a Cisco 1605 router. The connection works great while it is up, but I have noticed that every day or every other day the connection drops around noon and doesn't come back up until sometime during the night. I have looked at the logs on the concentrator to see if I can find something there, and I can see where the 2 of them are negotiating the connection and everything looks fine except for the following, which I am not sure what it means:

-Could not find centry for IPSec SA delete message

-Responder forcing change of IPSec rekeying duration from 28800 to to 3600


Any ideas?
Let me know if I need to post configurations.

Thanks
Question by:rh102801
LVL 1

Accepted Solution

by:
Paracelsius earned 400 total points
ID: 17914231
Hi

> -Could not find centry for IPSec SA delete message
This means, the remote endpoint sent a "Delete SA" message to the local endpoint. The local endpoint cannot find the corresponding SA, which the remote endpoint wants to delete. Thus it issues this message.

> -Responder forcing change of IPSec rekeying duration from 28800 to to 3600
The remote endpoint wants to set a lower rekey timeout for the SA.

Sporadic outages of site-to-site VPN tunnels are most probably caused by incorrect timeouts on both sides. This seems to be the case in the 2nd message. Take into consideration that the lifetime can be defined either by time (seconds) or volume (kBytes).

Compare the 2 configs to check whether the lifetimes correspond.

Also you might consider using "isakmp keepalive 10" so that the connection stays nailed up.

Best regards,
pC.

Author Comment

by:rh102801
ID: 17914513
OK... Here is the configuration for the Tunnel on the 1605. The keepalive is set to 10 already. sure where the keepalive is set on the . Lifetime in the concentrator is 28800, should I change that to 3600 like the router seems to be doing or the other way around? I imagine that the isakmp keepalive 10 has to be set on both sides but I am not sure where in the concentrator to find that setting.


crypto isakmp policy 2
 hash md5
 authentication pre-share
 ! no "lifetime" line here, so the IOS default phase 1 lifetime (86400 s) applies
crypto isakmp key Atl@nta address 68.X.X.X
crypto isakmp keepalive 10
!
! no "crypto ipsec security-association lifetime" line, so the IOS defaults
! (3600 seconds / 4608000 kilobytes) apply to the phase 2 SAs built by this map
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map vpnmap 1 ipsec-isakmp
 set peer 68.X.X.X
 set transform-set trans
 match address 100
LVL 28

Expert Comment

by:batry_boy
ID: 17924033
On the concentrator, here are the places to modify the lifetime timers for IKE proposals and IPSEC SAs:

IKE Proposals (Phase I timer)
---------------------------------
Configuration - Tunneling and Security - IPSEC - IKE Proposals
   then select the proposal you are using in the "Active Proposals" window and click "Modify".  Edit the "Time Lifetime" field and enter the value you want to set it to.

IPSEC SA (Phase II timer)
-----------------------------
Configuration - Policy Management - Traffic Management - SAs
   then select the SA you are using and click "Modify".  In the "IPSEC Parameters" section, edit the "Time Lifetime" field and enter the value you want to set it to.

Make sure both the concentrator and router agree on both sets of timers and give it a shot!
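As an added example (not from this thread or either vendor's code) tying the two comments above together: it reads the IPsec SA lifetime from an IOS config fragment shaped like the one posted, falling back to the IOS defaults of 3600 s / 4608000 kB when no lifetime line is set, models the responder answering a longer proposed lifetime with its own lower one (the "28800 to 3600" log line), and lists the time and volume mismatches to reconcile on the concentrator. The router config and the concentrator's 10000 kB value are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# IOS defaults used when a config has no explicit IPsec SA lifetime line
# (assumption stated in the lead-in; the router config in this thread has none).
IOS_DEFAULT_IPSEC_SECONDS = 3600
IOS_DEFAULT_IPSEC_KBYTES = 4608000
# Constructed sample in the shape of the 1605 config above; key and peer left out.
ROUTER_CONFIG = """crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp keepalive 10
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto map vpnmap 1 ipsec-isakmp
 set transform-set trans
"""

@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kbytes: int  # volume lifetime in kB; either limit can trigger a rekey

def ios_ipsec_lifetime(config: str) -> Lifetime:
    """Read the global IPsec SA lifetime from an IOS config, falling back to defaults."""
    secs = re.search(r"^crypto ipsec security-association lifetime seconds (\d+)", config, re.M)
    kb = re.search(r"^crypto ipsec security-association lifetime kilobytes (\d+)", config, re.M)
    return Lifetime(int(secs.group(1)) if secs else IOS_DEFAULT_IPSEC_SECONDS,
                    int(kb.group(1)) if kb else IOS_DEFAULT_IPSEC_KBYTES)

def responder_lifetime(proposed: int, local: int) -> Tuple[int, Optional[str]]:
    """A responder never grants more than its own lifetime, so it answers with the lower value."""
    if proposed > local:
        return local, f"Responder forcing change of IPSec rekeying duration from {proposed} to {local}"
    return proposed, None

def check_tunnel(initiator: Lifetime, responder: Lifetime) -> List[str]:
    """List the lifetime mismatches to fix so both peers rekey on the same schedule."""
    findings = []
    _, note = responder_lifetime(initiator.seconds, responder.seconds)
    if note:
        findings.append(note)
    if initiator.kbytes != responder.kbytes:
        findings.append(f"volume lifetime differs: {initiator.kbytes} kB vs {responder.kbytes} kB")
    return findings

if __name__ == "__main__":
    router = ios_ipsec_lifetime(ROUTER_CONFIG)
    concentrator = Lifetime(28800, 10000)  # constructed: 28800 s as in the question, 10000 kB sample
    for finding in check_tunnel(concentrator, router):
        print(finding)
```

An empty findings list means both peers will rekey on the same schedule; anything listed is a value to align in the "Time Lifetime" fields described above or with the IOS lifetime commands.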

Expert Comment

by:jimmycher
ID: 37625421
I also am getting the message, and all of my timers are set to default.