Hi Guys,
I am currently having an issue with my IPsec VPN between a Netvanta 1335 and a Netvanta 2400. I have a few phones sitting behind the Netvanta 1335 and a PBX server sitting behind the Netvanta 2400. The communication between the phones and the PBX is over the IPsec VPN. For some weird reason the phones randomly get disconnected from the PBX system every time I receive the notification below.
CRYPTO_IKE: id=vpn time="2016-05-17 16:00:35" fw=XXXXXXX pri=6 proto=esp src=X.X.X.X dst=X.X.X.X vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x8a96222c, Remote ID XXXXXX agent=IPsec
I would highly appreciate it if someone could explain, or give some information on, what the notification means.
For clarity, topology looks like this:
Phones -> Netvanta 1335 -> IPsec -> Netvanta 2400 -> PBX system.
Thanks!
Naf
Looks like a timeout for the VPN tunnel. Can you please show both peer settings without IPs?
Hi Dayo76,
Thanks for the reply. Please see the IPsec configs for both sites below.
Netvanta 1335 (remote-site):
!
crypto ike policy 100
  initiate aggressive
  respond anymode
  local-id fqdn [Local-ID]
  peer X.X.X.X
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
!
crypto ike remote-id fqdn [hub site local-id] preshared-key [KEY] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  match address ip NO-NAT
  set peer X.X.X.X
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
###############################################
Netvanta 2400 (Hub-site):
!
crypto ike policy 101
  no initiate
  respond anymode
  local-id fqdn [Local-ID]
  peer any
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
!
crypto ike remote-id fqdn [remote site local-id] preshared-key [key] ike-policy 101 crypto map VPN 1530 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 1530 ipsec-ike
  description *******
  match address [ACL]
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 101
!
########################################
The configured lifetime for the IKE is 24 hours. The notification happens randomly every day. Sometimes it happens within 12 hours of the configured lifetime, sometimes 8 hours.
Is there a way to monitor IPsec via SNMP?
I don't have an answer for your problem, but the message you posted shows a normal renegotiation of keys for the IPSec tunnel between the two VPN peers. It is set at 28,800 sec (8 hours) by default, and a few minutes in advance of this interval new keys are exchanged before the old keys are dropped. This is transparent to traffic flowing through the tunnel and shouldn't really affect the phone sessions.
--
Regards,
Mick
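Added example (not part of the thread, and not code from ADTRAN): a small parser for the CRYPTO_IKE syslog line quoted above that measures the gap between successive "SA Soft Life Time Finished" events per tunnel and flags gaps that are far from the expected IPsec SA lifetime of 28,800 s, so you can tell from your own logs whether the rekeys are on the normal 8-hour cadence or something else is tearing the SA down early. The log lines, firewall name, addresses and SPIs below are constructed sample data.

```python
import re
from datetime import datetime

# Field layout follows the CRYPTO_IKE line quoted in the thread; the msg
# field is read up to the next quote (or end of line, since the quoted
# line lacks a closing quote) and the SPI is pulled out of it separately.
LINE_RE = re.compile(
    r'CRYPTO_IKE: id=(?P<id>\S+) time="(?P<time>[^"]+)" .*?vpn=(?P<vpn>\S+) '
    r'.*?msg="(?P<msg>[^"]*)'
)
SPI_RE = re.compile(r"SPI (0x[0-9a-fA-F]+)")

def parse_event(line):
    """Return (timestamp, vpn, spi, msg) for a CRYPTO_IKE line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S")
    spi = SPI_RE.search(m.group("msg"))
    return ts, m.group("vpn"), spi.group(1) if spi else None, m.group("msg")

def rekey_intervals(lines, expected_secs=28800, tolerance=0.25):
    """Seconds between successive soft-lifetime rekeys for each vpn id.
    Each result is (vpn, spi, gap_seconds, suspicious), where suspicious
    means the gap is more than `tolerance` away from the expected lifetime."""
    last, out = {}, []
    for line in lines:
        ev = parse_event(line)
        if ev is None or "Soft Life Time Finished" not in ev[3]:
            continue  # not a rekey event; ignore other CRYPTO_IKE messages
        ts, vpn, spi, _ = ev
        if vpn in last:
            gap = (ts - last[vpn]).total_seconds()
            suspicious = abs(gap - expected_secs) > tolerance * expected_secs
            out.append((vpn, spi, gap, suspicious))
        last[vpn] = ts
    return out

# Constructed sample log: two rekeys exactly 8 h apart, then one only
# ~4.5 h later, plus an unrelated message that must be skipped.
SAMPLE_LOG = [
    'CRYPTO_IKE: id=vpn time="2016-05-17 08:00:35" fw=FW1 pri=6 proto=esp src=192.0.2.1 dst=198.51.100.1 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x8a96222c, Remote ID hub agent=IPsec',
    'CRYPTO_IKE: id=vpn time="2016-05-17 12:00:00" fw=FW1 pri=6 proto=esp src=192.0.2.1 dst=198.51.100.1 vpn=1-1 type=1 msg="Phase 2 SA established" agent=IPsec',
    'CRYPTO_IKE: id=vpn time="2016-05-17 16:00:35" fw=FW1 pri=6 proto=esp src=192.0.2.1 dst=198.51.100.1 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x1a2b3c4d, Remote ID hub agent=IPsec',
    'CRYPTO_IKE: id=vpn time="2016-05-17 20:30:00" fw=FW1 pri=6 proto=esp src=192.0.2.1 dst=198.51.100.1 vpn=1-1 type=1 msg="SA Soft Life Time Finished - Renegotiation starts - SPI 0x5e6f7a8b, Remote ID hub agent=IPsec',
]

if __name__ == "__main__":
    for vpn, spi, gap, bad in rekey_intervals(SAMPLE_LOG):
        print(f"vpn={vpn} spi={spi} gap={gap/3600:.2f}h {'CHECK' if bad else 'ok'}")
```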
It may be that there is no interesting traffic to keep the tunnel open. Note that the hub site doesn't initiate. Try creating an ICMP ping probe on the remote site that pings a resource at the hub through the tunnel every ten seconds or so. Ping should have both source and destination on the protected networks. You don't need it to track anything, just to generate a ping every ten seconds. See if this solves the problem.