Hi,
this is the output of the show security ipsec ...
Local Identity: ipv4(any:0,[0..3]=10.4.xx.xx)
Remote Identity: ipv4_subnet(any:0,[0..7]=10.4.xxx.xxx/25)
DF-bit: clear
Direction: inbound, SPI: 126aa7d7, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 17452 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 16823 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: disabled
Direction: outbound, SPI: 4a1b806, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 17452 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 16823 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
Anti-replay service: disabled
The lifetime on the ASA site matches our SRX. Both are set to 24 h at the moment. In this output the traffic is still dropped but the SA is already there.
In the kmd files I cannot see anything - there are no entries for this peer at the moment of traffic loss. Is there a way to enlarge the soft lifetime to match 75 %? Maybe the ASA tries to rekey at 75 % of the lifetime.