A couple of days ago a customer was having an issue with an IPsec VPN tunnel between a Cisco and a SonicWall device. Every 8 hours or so, the VPN connection would just die and wouldn't come back up for another 8 hours or so. Also during that time, he would get an error in his event log stating that ESP versions were different. Turns out that by default Cisco goes to 3600 seconds for phase 2 negotiation and SonicWall goes to 28800 (about 8 hours). What I didn't know was that you could change the time globally and per policy on the Cisco device. Here is the command to change it per policy:
set security-association idle-time seconds
Here is the command to change it globally:
crypto ipsec security-association idle-time
More information can be found here:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html
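As an added example (not from the post above), here is how the two commands look in a complete IOS crypto map, with the value set to 28800 so the Cisco side matches the SonicWall default. The example also sets the companion IPsec SA lifetime command (IOS default 3600 seconds), so both the idle timer and the rekey interval agree with the peer; the peer address, networks, names and pre-shared key are placeholders I made up.

```cisco
! Global settings: apply to every IPsec SA unless a crypto map entry overrides them
crypto ipsec security-association idle-time 28800
crypto ipsec security-association lifetime seconds 28800

! Phase 1 (IKE) policy; lifetime here is the IKE SA, not the IPsec SA
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! Placeholder pre-shared key and peer address (203.0.113.2 is a documentation address)
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2

! Phase 2 (IPsec) proposal; must match what the SonicWall policy offers
crypto ipsec transform-set TS-SONICWALL esp-aes 256 esp-sha-hmac
 mode tunnel

! Per-policy settings: override the global values for this crypto map entry only
crypto map CM-SONICWALL 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-SONICWALL
 set security-association idle-time 28800
 set security-association lifetime seconds 28800
 match address ACL-SONICWALL

! Interesting traffic: placeholder private networks on each side of the tunnel
ip access-list extended ACL-SONICWALL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

! Bind the crypto map to the outside interface
interface GigabitEthernet0/0
 crypto map CM-SONICWALL
```

After applying it, `show crypto ipsec sa` shows the negotiated lifetime and remaining time per SA, which is the quickest way to confirm both peers are now on the same schedule.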