timbrigham
asked on
Forefront VPN Phase 1 timer
My Forefront TMG server is producing some unusual behavior for its phase 1 negotiation with its counterpart (a Cisco VPN concentrator). I have the phase 1 value set to 86400 seconds in Forefront. The Cisco device sees it as negotiating to 7200 seconds.
Why is the value that I have entered not applied?
Sorry Tim - we gave up our Cisco 3000 series devices quite some time ago so have no way to pursue this.
ASKER
Keith, I just checked out the IP Security Monitor MMC snap-in on my Forefront box. The settings there display as 0KB / 7200 seconds. Aren't these settings supposed to reflect the settings entered into Forefront? I also checked out another VPN tunnel we have set up (another Cisco device, an older PIX). Same issue.
If it were a negotiated value from my remote devices, it should be being set to 86400.
Looking
Yes - surprised me too, haven't got an answer for the moment.
ASKER
Keith, could you act and verify if the key lifetime in the IP Security Monitor->Main Mode->Security Associations matches the phase 1 key generation time? The tech I've been working with hasn't addressed those values not matching and I'd like to know what they are in a working environment.
ASKER
After a long and arduous argument we finally have a couple senior techs looking at this in a lab. They are treating it as a product defect.