Ipsec Vpn question

I have a user at a remote office who users a cisco 800 to connect to a pair of netscreens we have. However between 5-6pm everyday the connection drops. Ive looked at the logs on the firewalls and cant see anything obvious. Its always between this time range. Im wondering if it could be a timeout causing the connection to drop as it always seems to be around 8 hours after he started?

I noticed on the netscreen logs it is showing a successful connection with a lifetime of 3600 seconds on a "phase 2" connection. But i also noticed there was a lifetime of 28800 seconds for the phase 1 negotiations which equates to 8 hours.

I have a few questions as im not up to speed on the security side of things.

1. do you think i could be correct with what ive said above?
2. if i am, where would the lifetimes be set? (i cant seem to see any on the configs i have)
3. if im likely to be wrong, do you have any advice

I wasnt too sure where to place this post as it has both cisco/juniper involved so feel free to move it if you wish!

Find more posts tagged with

Comments

cisco_trooper

Are you saying this is a Site-to-Site IPSec connection, or is he using the VPN Client as a remote access VPN?

nel

cisco_trooper wrote: »

Are you saying this is a Site-to-Site IPSec connection, or is he using the VPN Client as a remote access VPN?

Site to site.

luke_bibby

Provided there is applicable traffic still going over the link, the phase1 tunnel should be renegotiated between the two peers. I would have thought this would have come back up pretty much instantly.

Dunno about the Netscreen, but the lifetime of the phase1 tunnel on the cisco router would be configured inside a crypto policy. Try sh run | begin crypto isakmp and look for the lifetime setting underneath

Hope that helped.. hopefully some VPN specialist can chime in right about now

Ahriakin

Add 'lifetime xxxxxxx' under your Isakmp policy. Cisco's will use the lower lifetime of the 2 peers if they don't match.
I'm not up on Juniper configs but I believe you set the isakmp timeouts when you set your policy (same line)

cisco_trooper

nel wrote: »

Site to site.

As someone else stated, interesting traffic should bring the tunnel back up almost instantaneously. It is not uncommon to see the tunnel as "down" if it isn't used much. This by itself is not cause for alarm. What IS cause for alarm is if the darn thing won't come up when it is supposed to and start passing traffic.

nel

I've looked at the cisco 800 config and their is no lifetime set on the isakmp policy. I'll ammend this to see if their is any difference and also check the netscreen policy. however when i checked the config i couldnt see anything relating to the lifetime...but it is a messy config.

Their is definately traffic going across when it disconnects as it is always his peak work times. He states the CD stays on. From the netscreen logs i cant see anything indicating a disconnection of his link but i can see the log when it re-initiates the negotiations again. Ive never managed to be around when it does disconnect to see if the connection is up/down on his end. The VPN connection doesnt come back up unless he physically switches the cisco device off/on again.