L2L connection drops every couple of days

Posted on 2006-11-10
Last Modified: 2012-02-21
Hi, I have set up a LAN-to-LAN VPN tunnel between a Cisco VPN 3030 and a Cisco 1605 router. The connection works great while it is up, but I have noticed that every day or every other day the connection drops around noon and doesn't come back up until sometime during the night. I have looked at the logs on the concentrator to see if I can find something there, and I can see where the two of them are negotiating the connection and everything looks fine except for the following, which I am not sure how to interpret:

-Could not find centry for IPSec SA delete message

-Responder forcing change of IPSec rekeying duration from 28800 to to 3600


Any ideas?
Let me know if I need to post configurations.

Thanks
Question by:rh102801
Accepted Solution

by:
Paracelsius earned 1200 total points
ID: 17914231
Hi

> -Could not find centry for IPSec SA delete message
This means, the remote endpoint sent a "Delete SA" message to the local endpoint. The local endpoint cannot find the corresponding SA, which the remote endpoint wants to delete. Thus it issues this message.

> -Responder forcing change of IPSec rekeying duration from 28800 to to 3600
The remote endpoint wants to set a lower rekey timeout for the SA.

Sporadic outages of site-to-site VPN tunnels are most probably due to incorrect timeouts on both sides. This seems to be the case in the 2nd message. Take into consideration that the lifetime can be defined either by time (seconds) or volume (kBytes).

Compare the two configs to see whether the lifetimes correspond.

Also you might consider using "isakmp keepalive 10" so that the connection stays nailed up.

Best regards,
pC.

Author Comment

by:rh102801
ID: 17914513
OK... Here is the configuration for the Tunnel on the 1605. The keepalive is set to 10 already. sure where the keepalive is set on the . Lifetime in the concentrator is 28800, should I change that to 3600 like the router seems to be doing or the other way around? I imagine that the isakmp keepalive 10 has to be set on both sides but I am not sure where in the concentrator to find that setting.


! ISAKMP (IKE phase 1) policy; encryption, DH group and lifetime are left at IOS defaults
crypto isakmp policy 2
 hash md5
 authentication pre-share
! pre-shared key for the concentrator peer (peer address masked in the post)
crypto isakmp key Atl@nta address 68.X.X.X
! ISAKMP keepalive every 10 seconds, as suggested in the accepted answer
crypto isakmp keepalive 10
!
! IPsec (phase 2) transform set; no SA lifetime is configured here, so IOS defaults apply
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
! crypto map binding the peer, the transform set and the interesting-traffic ACL 100
crypto map vpnmap 1 ipsec-isakmp
 set peer 68.X.X.X
 set transform-set trans
 match address 100
Expert Comment

by:batry_boy
ID: 17924033
On the concentrator, here are the places to modify the lifetime timers for IKE proposals and IPSEC SAs:

IKE Proposals (Phase I timer)
---------------------------------
Configuration - Tunneling and Security - IPSEC - IKE Proposals
   then select the proposal you are using in the "Active Proposals" window and click "Modify".  Edit the "Time Lifetime" field and enter the value you want to set it to.

IPSEC SA (Phase II timer)
-----------------------------
Configuration - Policy Management - Traffic Management - SAs
   then select the SA you are using and click "Modify".  In the "IPSEC Parameters" section, edit the "Time Lifetime" field and enter the value you want to set it to.

Make sure both the concentrator and router agree on both sets of timers and give it a shot!
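A small check, added here as an illustration and not taken from the thread or from Cisco, that ties the accepted answer's advice (compare the lifetimes on both sides) to the timers batry_boy points at: it reads the lifetimes out of the router config posted above (assuming the IOS defaults of 86400 s for the IKE policy and 3600 s for the IPsec SA when nothing is configured) and matches them against concentrator log lines carrying the two messages quoted in the question; the log lines themselves are constructed.

```python
import re

# Assumed IOS defaults used when the config sets no explicit lifetime.
IOS_DEFAULT_IKE_LIFETIME = 86400   # seconds, isakmp policy
IOS_DEFAULT_IPSEC_LIFETIME = 3600  # seconds, ipsec security-association

# Router config as posted in the thread (no explicit lifetimes present).
ROUTER_CONFIG = """\
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto ipsec transform-set trans esp-des esp-md5-hmac
"""

# Constructed concentrator log lines carrying the two messages from the question.
CONCENTRATOR_LOG = """\
12:01:52 IKE Responder forcing change of IPSec rekeying duration from 28800 to 3600
12:01:52 IKE Could not find centry for IPSec SA delete message
"""

def router_lifetimes(config):
    """Return (ike_seconds, ipsec_seconds) from an IOS config, falling back to defaults."""
    ike = re.search(r"^crypto isakmp policy \d+(?:\n .*)*?\n lifetime (\d+)", config, re.M)
    ipsec = re.search(r"^crypto ipsec security-association lifetime seconds (\d+)", config, re.M)
    return (int(ike.group(1)) if ike else IOS_DEFAULT_IKE_LIFETIME,
            int(ipsec.group(1)) if ipsec else IOS_DEFAULT_IPSEC_LIFETIME)

def forced_rekey_changes(log):
    """Extract (proposed, enforced) IPsec lifetimes from 'Responder forcing change' lines."""
    return [(int(a), int(b)) for a, b in
            re.findall(r"rekeying duration from (\d+) to (\d+)", log)]

def lifetime_findings(config, log):
    """List the lifetime disagreements visible between the router config and the log."""
    _, router_ipsec = router_lifetimes(config)
    findings = []
    for proposed, enforced in forced_rekey_changes(log):
        if proposed != enforced:
            findings.append(f"peer proposed {proposed}s, responder enforced {enforced}s; "
                            f"router side is {router_ipsec}s, set both SAs to one value")
    if "Could not find centry for IPSec SA delete message" in log:
        findings.append("delete for an SA the local side no longer has; "
                        "compare lifetimes and keepalive settings on both peers")
    return findings
```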

Expert Comment

by:jimmycher
ID: 37625421
I also am getting the message, and all of my timers are set to default.