Hi
I am working in a lab environment. It's a site-to-site IPsec tunnel between an SRX and an ASA using policy-based VPN.
The tunnel comes up and passes traffic fine.
Phase 1 lifetime has been set to 86400 sec on both.
But what I see is the phase 1 is getting re-negotiated about every minute.
Any idea on why it's happening?
ASA:
crypto ikev1 policy 50
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
Lab-FW(config)# sh logg | i PHASE 1
Apr 09 2013 14:07:19: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:09:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:10:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:11:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:12:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:13:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:14:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
SRX:
[edit security ike proposal Phase1-Proposal]
sadm@SRX240# show
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
% tail -f /var/log/vpn-deb-ike | grep -E 'ISAKMP|ipsec'
Apr 9 13:05:48 ike_st_o_done: ISAKMP SA negotiation done
Apr 9 13:06:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
Apr 9 13:06:48 ssh_ike_connect_ipsec: SA = { 8870310f c14009ed - 54e5473f ef9a0e5a}, nego = 0
Apr 9 13:06:48 ike_st_o_done: ISAKMP SA negotiation done
Apr 9 13:07:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
Apr 9 13:07:48 ssh_ike_connect_ipsec: SA = { 6130ee3f ee227572 - f4fcc8c3 3bfa6470}, nego = 0
Apr 9 13:07:48 ike_st_o_done: ISAKMP SA negotiation done
Apr 9 13:08:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
Apr 9 13:08:48 ssh_ike_connect_ipsec: SA = { 522aac73 6dc7ba4c - bb97ae10 67ec06cf}, nego = 0
Apr 9 13:08:48 ike_st_o_done: ISAKMP SA negotiation done
Thanks,
-Rohan
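
Added example, not part of the original post: a small Python check that measures the interval between consecutive `PHASE 1 COMPLETED` events per peer in the ASA output quoted above and flags any that fall well short of the configured lifetime. The function names and the 0.5 threshold (`min_fraction`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# ASA syslog lines copied from the post above (message 713119, PHASE 1 COMPLETED).
ASA_LOG = """\
Apr 09 2013 14:07:19: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:09:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:10:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:11:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:12:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:13:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:14:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-713119: "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), PHASE 1 COMPLETED"
)

def phase1_completions(log_text):
    """Return {peer_ip: [datetime, ...]} for every PHASE 1 COMPLETED line."""
    peers = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            peers[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"))
    return {ip: sorted(stamps) for ip, stamps in peers.items()}

def early_rekeys(log_text, lifetime_s, min_fraction=0.5):
    """List (peer, previous, current, gap_seconds) where Phase 1 completed again
    before min_fraction of the configured lifetime had elapsed.
    min_fraction is an assumed threshold, not a vendor default."""
    findings = []
    for ip, stamps in phase1_completions(log_text).items():
        for prev, cur in zip(stamps, stamps[1:]):
            gap = int((cur - prev).total_seconds())
            if gap < lifetime_s * min_fraction:
                findings.append((ip, prev, cur, gap))
    return findings

if __name__ == "__main__":
    for ip, prev, cur, gap in early_rekeys(ASA_LOG, lifetime_s=86400):
        print(f"{ip}: Phase 1 completed again after {gap}s (lifetime 86400s) at {cur}")
```

Run against a longer capture of `sh logg | i PHASE 1`, the same check shows whether the interval stays fixed at about 60 seconds or varies.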