RE: L2L VPN timing out, even after keepalives set...

I've taken a look at my configs, and the ISAKMP timeout is 24 hours, and the IPSEC timeout is set to 8 hours. What's the feasibility of setting the IPSEC timeouts to something based on a multiple of 5, so the two are less likely to coincide?

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Wozny, Scott (US - New York)
Sent: Monday, September 24, 2007 6:01 PM
To: Dan Denton; firewalls@...
Subject: RE: L2L VPN timing out, even after keepalives set...

What you really need to do is dig through the logs on either end for errors regarding rekeying. One thing I have noticed is that if your isakmp SA lifetime is shorter than your IPSEC (crypto map) SA lifetime then I have seen regular tunnel drops occur.

Also, you didn't say what the resolution to the drop is. If it just comes back on its own after a short period of time (which I'm sure feels like forever to your users) then my first guess is that the ISAKMP SA is coming to an end at the same time crypto map rekeying is due and it's requiring new "interesting" traffic to renegotiate the tunnel from scratch.

To the best of my knowledge the related standards don't require one to be greater than the other, but in every config guide I've seen, the ISAKMP SA always has a lifetime longer than the IPSEC SA and the one time I tried it the other way around I got an unstable tunnel, however YMMV. I never got to a final root cause when I encountered this, but it may be worth a look. Otherwise, it's off to the log viewer with you.

HTH,

Scott A. Wozny
Deloitte ERS

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Thursday, September 20, 2007 5:52 PM
To: firewalls@...
Subject: L2L VPN timing out, even after keepalives set...

Hello list,

I have a cisco 506e and 515e that are endpoints in an L2L VPN. The VPN works great, except one issue. The VPN seems to drop whenever the rekey time limit is reached, even though I have keepalives set for each SA. The default rekey time is 8 hours, and sometimes this falls into the middle of the day and you can imagine how that might irk some people. I've used the "isakmp keepalive 20" command on both firewalls, but it doesn't make a difference. Any help and suggestions are greatly appreciated...

Dan
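As an added illustration of Scott's point about phase 1 outliving phase 2, and of Dan's question about expiries coinciding (example code, not from anyone in the thread): a small Python checker that reads PIX-style `isakmp policy ... lifetime`, `security-association lifetime seconds` and `isakmp keepalive` lines from a constructed config fragment and reports the ordering of the two lifetimes and how often their expiries line up. The config lines and peer address are constructed for the example.

```python
import re
from math import gcd

# Constructed PIX 6.x-style fragment, not from the thread; lifetimes mirror the
# 24 h ISAKMP / 8 h IPsec values Dan reports, plus his "isakmp keepalive 20".
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp keepalive 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map l2lmap 10 ipsec-isakmp
crypto map l2lmap 10 set peer 203.0.113.10
crypto map l2lmap 10 set security-association lifetime seconds 28800
"""

ISAKMP_LIFETIME = re.compile(r"^isakmp policy \d+ lifetime (\d+)\s*$", re.M)
IPSEC_LIFETIME = re.compile(r"^(?:crypto map \S+ \d+ set |crypto ipsec )"
                            r"security-association lifetime seconds (\d+)\s*$", re.M)
KEEPALIVE = re.compile(r"^isakmp keepalive (\d+)", re.M)


def check_lifetimes(config):
    """Compare phase 1 (ISAKMP) and phase 2 (IPsec) SA lifetimes in seconds."""
    isakmp = [int(s) for s in ISAKMP_LIFETIME.findall(config)]
    ipsec = [int(s) for s in IPSEC_LIFETIME.findall(config)]
    ka = KEEPALIVE.search(config)
    result = {"isakmp_lifetime": min(isakmp) if isakmp else None,
              "ipsec_lifetimes": ipsec, "coincide_every": [],
              "keepalive": int(ka.group(1)) if ka else None, "findings": []}
    if ka is None:
        result["findings"].append("no isakmp keepalive configured")
    if not isakmp or not ipsec:
        result["findings"].append("explicit lifetimes missing; defaults apply")
        return result
    p1 = min(isakmp)
    for p2 in ipsec:
        if p1 <= p2:  # Scott's observation: phase 1 should outlive phase 2
            result["findings"].append(
                f"ISAKMP lifetime {p1}s is not longer than IPsec lifetime {p2}s")
        # If both SAs start together, expiries line up every lcm(p1,p2)/p2
        # IPsec rekeys; p2 dividing p1 evenly is the case Dan is asking about.
        result["coincide_every"].append(p1 * p2 // gcd(p1, p2) // p2)
    return result
```

With the sample values the two expiries line up every third IPsec rekey, which is exactly the 24 h / 8 h coincidence discussed above.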