Network Security Firewalls

RE: L2L VPN timing out, even after keepalives set...

Subject: RE: L2L VPN timing out, even after keepalives set...
Date: Tue, 25 Sep 2007 08:23:35 -0500
The tunnels come back up on their own when someone connects to a network
over the subnet. There are 3 subnets on the end opposite me, and the SA for
the least used of them only comes up when I connect to a system on that
subnet. I'll take a look at the IPSEC and ISAKMP SA timeouts and see if they
differ. Thanks to all who replied...

-----Original Message-----
From: Wozny, Scott (US - New York) [mailto:swozny@deloitte.com] 
Sent: Monday, September 24, 2007 6:01 PM
To: Dan Denton; firewalls@securityfocus.com
Subject: RE: L2L VPN timing out, even after keepalives set...

What you really need to do is dig through the logs on either end for
errors regarding rekeying.  One thing I have noticed is that if your
isakmp SA lifetime is shorter than your IPSEC (crypto map) SA lifetime
then I have seen regular tunnel drops occur.  Also, you didn't say what
the resolution to the drop is.  If it just comes back on its own after
a short period of time (which I'm sure feels like forever to your users)
then my first guess is that the ISAKMP SA is coming to an end at the
same time crypto map rekeying is due and it's requiring new
"interesting" traffic to renegotiate the tunnel from scratch.  To the
best of my knowledge the related standards don't require one to be
greater than the other, but in every config guide I've seen, the ISAKMP
SA always has a lifetime longer than the IPSEC SA and the one time I
tried it the other way around I got an unstable tunnel, however YMMV.  I
never got to a final root cause when I encountered this, but it may be
worth a look.  Otherwise, it's off to the log viewer with you.

HTH,

Scott A. Wozny
Deloitte ERS
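As an added example, not code from the thread, from Cisco or from Deloitte: a small Python checker for the lifetime ordering Scott describes, run over a PIX-style config fragment. It assumes PIX 6.x-era defaults (ISAKMP lifetime 86400 s, IPsec SA lifetime 28800 s) and the command syntax shown in the constructed sample; verify both against your own platform's documentation.

```python
import re
from math import gcd

# Platform defaults as assumed here (PIX 6.x era); confirm against your own
# firewall's documentation before relying on them.
DEFAULT_ISAKMP_LIFETIME = 86400   # phase 1 (ISAKMP) SA, seconds
DEFAULT_IPSEC_LIFETIME = 28800    # phase 2 (IPsec) SA, seconds (the "8 hours")

# Constructed sample fragment for illustration; not a config from the thread.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 lifetime 3600
isakmp keepalive 20
crypto ipsec security-association lifetime seconds 28800
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 set peer 203.0.113.2
"""

def parse_lifetimes(config):
    """Return (isakmp_lifetime, ipsec_lifetime) in seconds, applying defaults."""
    p1 = re.search(r"^isakmp policy \d+ lifetime (\d+)", config, re.M)
    # A per-crypto-map lifetime overrides the global IPsec SA lifetime.
    p2 = (re.search(r"^crypto map \S+ \d+ set security-association lifetime seconds (\d+)",
                    config, re.M)
          or re.search(r"^crypto ipsec security-association lifetime seconds (\d+)",
                       config, re.M))
    return (int(p1.group(1)) if p1 else DEFAULT_ISAKMP_LIFETIME,
            int(p2.group(1)) if p2 else DEFAULT_IPSEC_LIFETIME)

def first_coincidence(isakmp_lifetime, ipsec_lifetime):
    """Seconds after tunnel-up when a phase 1 expiry first lands on a phase 2
    expiry (lcm of the two lifetimes; ignores early-rekey jitter)."""
    return isakmp_lifetime * ipsec_lifetime // gcd(isakmp_lifetime, ipsec_lifetime)

def check_config(config):
    """Flag a phase 1 lifetime shorter than phase 2, and a missing keepalive."""
    p1, p2 = parse_lifetimes(config)
    findings = []
    if p1 < p2:
        findings.append("isakmp-shorter-than-ipsec")
    if not re.search(r"^isakmp keepalive \d+", config, re.M):
        findings.append("no-isakmp-keepalive")
    return {"isakmp_lifetime": p1, "ipsec_lifetime": p2,
            "first_coincidence_s": first_coincidence(p1, p2), "findings": findings}

if __name__ == "__main__":
    for key, value in check_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

With the sample's 3600 s ISAKMP lifetime, every 28800 s IPsec rekey coincides with a phase 1 expiry, which is the situation Scott suspects; raising the ISAKMP lifetime to 86400 s moves the first coincidence out to 86400 s.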

-----Original Message-----
From: Dan Denton [mailto:ddenton@remitpro.com] 
Sent: Thursday, September 20, 2007 5:52 PM
To: firewalls@securityfocus.com
Subject: L2L VPN timing out, even after keepalives set...

Hello list,

I have a Cisco 506e and 515e that are endpoints in an L2L VPN. The VPN
works great, except one issue. The VPN seems to drop whenever the rekey
time limit is reached, even though I have keepalives set for each SA.

The default rekey time is 8 hours, and sometimes this falls into the
middle of the day and you can imagine how that might irk some people.
I've used the "isakmp keepalive 20" command on both firewalls, but it
doesn't make a difference.

Any help and suggestions are greatly appreciated...

Dan 

