VPN connectivity lost after rekeying (i think)

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

Re:VPN connectivity lost after rekeying (i think)

Post by Guest »

Hello Jennifer, thank you for your answer. I've tried to enter the part for the 5505. That did not help; the tunnel crashed after its KB ran out. Afterwards I tried to enter the part for the 5510; that did not help either and the tunnel crashed. As far as I can see both units are using the same numbers for rekeying: 28800 secs and 4608000 kb.
Guest

Re:VPN connectivity lost after rekeying (i think)

Post by Guest »

Here is the output of sh run all cry on the ASA 5505:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec fragmentation before-encryption inside
crypto ipsec fragmentation before-encryption outside
crypto ipsec df-bit copy-df inside
crypto ipsec df-bit copy-df outside
crypto map VPNMAP 10 match address Hosting_List
crypto map VPNMAP 10 set connection-type bi-directional
crypto map VPNMAP 10 set peer 83.136.xx.xxx
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 10 set security-association lifetime seconds 28800
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 set inheritance rule
crypto map VPNMAP 10 set phase1-mode main
crypto map VPNMAP interface outside
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

------

Here is the same output for the 5510 (other crypto tunnels omitted):

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec fragmentation before-encryption outside
crypto ipsec fragmentation before-encryption inside
...
crypto ipsec df-bit copy-df outside
crypto ipsec df-bit copy-df inside
...
crypto map outside_map 15 match address K015-L2L-list
crypto map outside_map 15 set connection-type bi-directional
crypto map outside_map 15 set peer K015-Peer
crypto map outside_map 15 set transform-set ESP-3DES-SHA
crypto map outside_map 15 set security-association lifetime seconds 28800
crypto map outside_map 15 set security-association lifetime kilobytes 4608000
crypto map outside_map 15 set inheritance rule
crypto map outside_map 15 set phase1-mode main
...
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal 20
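As an added example, not part of this thread or any Cisco tool: a small Python script that pulls the IPsec SA lifetime lines out of "show run all crypto" output like the one pasted above and checks that both tunnel endpoints end up with the same effective lifetimes (a value set on the crypto-map entry overriding the global one). The sample configs are constructed excerpts mirroring the thread's values, and the "drifted" variant is invented so the check has a mismatch to report.

```python
import re

# Lifetime lines as printed by 'show run all crypto': global defaults and per-crypto-map-entry values.
GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set security-association lifetime (seconds|kilobytes) (\d+)$")

def parse_sa_lifetimes(config: str) -> dict:
    """Collect global and per-map-entry IPsec SA lifetimes from the config text."""
    result = {"global": {}, "maps": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            result["global"][m.group(1)] = int(m.group(2))
        elif m := MAP_RE.match(line):
            entry = f"{m.group(1)} {m.group(2)}"  # e.g. "outside_map 15"
            result["maps"].setdefault(entry, {})[m.group(3)] = int(m.group(4))
    return result

def effective_lifetimes(parsed: dict, entry: str) -> dict:
    """A value set on the crypto-map entry wins; anything unset falls back to the global value."""
    eff = dict(parsed["global"])
    eff.update(parsed["maps"].get(entry, {}))
    return eff

def compare_peers(cfg_a: str, entry_a: str, cfg_b: str, entry_b: str) -> list:
    """Return (unit, side_a, side_b) for every lifetime the two tunnel endpoints disagree on."""
    a = effective_lifetimes(parse_sa_lifetimes(cfg_a), entry_a)
    b = effective_lifetimes(parse_sa_lifetimes(cfg_b), entry_b)
    return [(u, a.get(u), b.get(u)) for u in ("seconds", "kilobytes") if a.get(u) != b.get(u)]

# Constructed excerpts mirroring the values pasted in the thread for the 5505 and the 5510.
ASA_5505 = """
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 set security-association lifetime seconds 28800
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
"""
ASA_5510 = """
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 15 set security-association lifetime seconds 28800
crypto map outside_map 15 set security-association lifetime kilobytes 4608000
"""
# Constructed variant with a lower volume lifetime on one side, so the check has something to flag.
ASA_5510_DRIFTED = ASA_5510.replace("15 set security-association lifetime kilobytes 4608000",
                                    "15 set security-association lifetime kilobytes 2304000")

if __name__ == "__main__":
    print("5505 vs 5510:", compare_peers(ASA_5505, "VPNMAP 10", ASA_5510, "outside_map 15"))
    print("5505 vs drifted 5510:", compare_peers(ASA_5505, "VPNMAP 10", ASA_5510_DRIFTED, "outside_map 15"))
```

An empty list means both sides will rekey on the same time and volume thresholds; a non-empty list names the unit that differs and the value each side has.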
Guest

Re:VPN connectivity lost after rekeying (i think)

Post by Guest »

I just checked and there are a number of bugs in regards to rekey in ASA version 7.2.4; please kindly upgrade both ASAs to at least version 7.2.5. Here are the bugs for your reference:

CSCtc47782 Malformed IKE traffic causes rekey to fail: http://tools.cisco.com/Support/BugToolK ... CSCtc47782
CSCso87442 ASA displays smaller traffic-volume lifetime than negotiated: http://tools.cisco.com/Support/BugToolK ...
CSCsq67954 ASA rekeys at less traffic volume than expected value: http://tools.cisco.com/Support/BugToolK ... 67954

Prior to upgrade, you can just remove the following and see if it makes any difference:

crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 15 set security-association lifetime kilobytes 4608000

Clear tunnels on both ends, and monitor to see if you are seeing the same issue.
Guest

Re:VPN connectivity lost after rekeying (i think)

Post by Guest »

Hello Jennifer, thank you very much for your help. That gives me more confidence in the two units' configuration, knowing that there is a bug that could pose the problem that I'm facing. I've tried to remove the two commands by placing a "no" in front of them, but it cannot seem to be done as the values are the default ones. I will try to update the 5505 and see if that solves the problem. Updating the 5510 is more complicated, so I'll do that one last if possible.