timbrigham

asked on

Forefront VPN Phase 1 timer

My Forefront TMG server is producing some unusual behavior for its phase 1 negotiation with its counterpart (a Cisco VPN concentrator). I have the phase 1 value set to 86400 seconds in Forefront. The Cisco device sees it as negotiating to 7200 seconds.

Why is the value that I have entered not applied?
Keith Alabaster

Sorry Tim - we gave up our Cisco 3000 series devices quite some time ago so have no way to pursue this.
timbrigham

Keith, I just checked out the IP Security Monitor MMC snap-in on my Forefront box. The settings there display as 0KB / 7200 seconds. Aren't these settings supposed to reflect the settings entered into Forefront? I also checked out another VPN tunnel we have set up (another Cisco device, an older PIX). Same issue.
If it were a negotiated value from my remote devices, it should be set to 86400.
Yes - surprised me too, haven't got an answer for the moment.
Keith, could you act and verify if the key lifetime in the IP Security Monitor->Main Mode->Security Associations matches the phase 1 key generation time? The tech I've been working with hasn't addressed those values not matching and I'd like to know what they are in a working environment.
After a long and arduous argument we finally have a couple senior techs looking at this in a lab. They are treating it as a product defect.