IKE phase 1 lifetime, ASA with NetScreen

Discussion in 'Cisco' started by Bart, Jun 9, 2009.

  1. Bart

    Bart Guest

    Hi all

    IPsec, L2L: in the configuration I set 8h on both sides


    IKE Peer: x.y.z.w
    Type : L2L Role : initiator
    Rekey : no State : MM_ACTIVE
    Encrypt : 3des Hash : SHA
    Auth : preshared Lifetime: 28800
    Lifetime Remaining: 24897


    but in the logs, keys are changing every 6 hours:


    Jun 6 11:17:46 masterasa Jun 06 2009 11:17:46: %ASA-4-713903: Group =
    x.y.z.w, IP = x.y.z.w Freeing previously allocated memory for
    authorization-dn-attributes

    Jun 6 17:17:46 masterasa Jun 06 2009 17:17:46: %ASA-4-713903: Group =
    x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for
    authorization-dn-attributes

    Jun 6 23:17:46 masterasa Jun 06 2009 23:17:46: %ASA-4-713903: Group =
    x.y.z.w, IP = x.y.z.w , Freeing previously allocated memory for
    authorization-dn-attributes

    Jun 7 05:17:47 masterasa Jun 07 2009 05:17:47: %ASA-4-713903: Group =
    x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for
    authorization-dn-attributes

    Does anyone know the reason for that?

    thanks
    Bart
     
    Bart, Jun 9, 2009
    #1

  2. Bart

    bod43 Guest

    On 9 June, 13:36, Bart <> wrote:
    > Hi all
    >
    > IPsec, L2L: in the configuration I set 8h on both sides
    >
    >     IKE Peer: x.y.z.w
    >      Type    : L2L             Role    : initiator
    >      Rekey   : no              State   : MM_ACTIVE
    >      Encrypt : 3des            Hash    : SHA
    >      Auth    : preshared       Lifetime: 28800
    >      Lifetime Remaining: 24897
    >
    > but in the logs, keys are changing every 6 hours:


    I am not an IPsec expert; however, I understand that new keys are
    generated before the old ones expire so that valid keys are always
    available.

    Perhaps this is what you are observing?

    Maybe I am too far towards the pragmatic side; however, I would not be
    concerned by this unless other symptoms were present :)
     
    bod43, Jun 11, 2009
    #2
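
The comparison this thread turns on, as an added example that is not part of either post: it parses the four %ASA-4-713903 lines from the first post (unwrapped and embedded as sample input), takes their spacing as the key-change interval the way the poster does, and compares it with the Lifetime field from the pasted IKE Peer output. The function names and the 60-second tolerance are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Sample input taken from the first post: the Lifetime fields and the four
# log lines (line wraps removed; addresses stay masked as x.y.z.w).
SA_OUTPUT = "Auth : preshared Lifetime: 28800\nLifetime Remaining: 24897"
MSG = "Freeing previously allocated memory for authorization-dn-attributes"
LOG = "\n".join([
    "Jun 6 11:17:46 masterasa Jun 06 2009 11:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w " + MSG,
    "Jun 6 17:17:46 masterasa Jun 06 2009 17:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, " + MSG,
    "Jun 6 23:17:46 masterasa Jun 06 2009 23:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w , " + MSG,
    "Jun 7 05:17:47 masterasa Jun 07 2009 05:17:47: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, " + MSG,
])

# The ASA's own timestamp (with year) followed by the 713903 message and peer.
EVENT = re.compile(r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
                   r"%ASA-4-713903: Group = (?P<peer>[^,\s]+)")

def configured_lifetime(sa_text):
    """Phase 1 lifetime in seconds; 'Lifetime Remaining' is not matched."""
    m = re.search(r"Lifetime:\s*(\d+)", sa_text)
    if m is None:
        raise ValueError("no Lifetime field found")
    return int(m.group(1))

def event_gaps(log_text):
    """Seconds between consecutive 713903 events, grouped by peer."""
    seen = {}
    for m in EVENT.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        seen.setdefault(m["peer"], []).append(ts)
    return {peer: [int((b - a).total_seconds())
                   for a, b in zip(sorted(ts), sorted(ts)[1:])]
            for peer, ts in seen.items()}

def compare(log_text, sa_text, tolerance=60):
    """Flag peers whose observed interval differs from the configured lifetime."""
    cfg = configured_lifetime(sa_text)
    report = {}
    for peer, gaps in event_gaps(log_text).items():
        if not gaps:  # a single event gives no interval to compare
            continue
        observed = int(median(gaps))
        report[peer] = {"configured": cfg, "observed": observed,
                        "ratio": round(observed / cfg, 2),
                        "mismatch": abs(observed - cfg) > tolerance}
    return report

if __name__ == "__main__":
    for peer, row in compare(LOG, SA_OUTPUT).items():
        print(peer, row)
```

On this input the events are spaced 6 h apart against a configured 8 h; the code reports the gap and does not say which side triggers the change.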