Home/Support/Support Forum/IPSec tunnel rebuilding every 60 seconds
Welcome to Digi Forum, where you can ask questions and receive answers from other members of the community.

IPSec tunnel rebuilding every 60 seconds

0 votes
Hi All:

We are connecting Digi WR41s to a Cisco ASR1000 router. 15 of the 25 Digis connect fine, the other 10 don't, but I have noticed something on the ones that do connect, please see the event log below:
12:21:38, 01 May 2019,(238300) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:21:38, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:21:38, 01 May 2019,New IPSec SA created by 125.19.8.230
12:21:37, 01 May 2019,(238300) IKE Notification: Responder Lifetime,RX
12:21:37, 01 May 2019,(238300) IKE Notification: Responder Lifetime,RX
12:21:37, 01 May 2019,(238300) New Phase 2 IKE Session 125.19.8.230,Initiator
12:21:37, 01 May 2019,(238294) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:21:37, 01 May 2019,(238298) IKE Keys Negotiated. Peer:
12:21:36, 01 May 2019,(238298) New Phase 1 IKE Session 125.19.8.230,Initiator
12:21:36, 01 May 2019,IKE Request Received From Eroute 0
12:20:37, 01 May 2019,(238296) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:20:37, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:20:36, 01 May 2019,New IPSec SA created by 125.19.8.230
12:20:36, 01 May 2019,(238296) IKE Notification: Responder Lifetime,RX
12:20:36, 01 May 2019,(238296) IKE Notification: Responder Lifetime,RX
12:20:36, 01 May 2019,(238296) New Phase 2 IKE Session 125.19.8.230,Initiator
12:20:36, 01 May 2019,(238290) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:20:36, 01 May 2019,(238294) IKE Keys Negotiated. Peer:
12:20:35, 01 May 2019,(238294) New Phase 1 IKE Session 125.19.8.230,Initiator
12:20:35, 01 May 2019,IKE Request Received From Eroute 0
12:19:37, 01 May 2019,(238292) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:19:37, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:19:35, 01 May 2019,New IPSec SA created by 125.19.8.230
12:19:35, 01 May 2019,(238292) IKE Notification: Responder Lifetime,RX
12:19:35, 01 May 2019,(238292) IKE Notification: Responder Lifetime,RX
12:19:35, 01 May 2019,(238292) New Phase 2 IKE Session 125.19.8.230,Initiator
12:19:35, 01 May 2019,(238286) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:19:35, 01 May 2019,(238290) IKE Keys Negotiated. Peer:
12:19:34, 01 May 2019,(238290) New Phase 1 IKE Session 125.19.8.230,Initiator
12:19:34, 01 May 2019,IKE Request Received From Eroute 0
12:18:34, 01 May 2019,(238288) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:18:34, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:18:34, 01 May 2019,New IPSec SA created by 125.19.8.230
12:18:34, 01 May 2019,(238288) IKE Notification: Responder Lifetime,RX
12:18:34, 01 May 2019,(238288) IKE Notification: Responder Lifetime,RX
12:18:34, 01 May 2019,(238288) New Phase 2 IKE Session 125.19.8.230,Initiator
12:18:34, 01 May 2019,(238282) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:18:34, 01 May 2019,(238286) IKE Keys Negotiated. Peer:
12:18:33, 01 May 2019,(238286) New Phase 1 IKE Session 125.19.8.230,Initiator
12:18:33, 01 May 2019,IKE Request Received From Eroute 0
12:17:33, 01 May 2019,(238284) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:17:33, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:17:33, 01 May 2019,New IPSec SA created by 125.19.8.230
12:17:33, 01 May 2019,(238284) IKE Notification: Responder Lifetime,RX
12:17:33, 01 May 2019,(238284) IKE Notification: Responder Lifetime,RX
12:17:33, 01 May 2019,(238284) New Phase 2 IKE Session 125.19.8.230,Initiator
12:17:33, 01 May 2019,(238278) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:17:33, 01 May 2019,(238282) IKE Keys Negotiated. Peer:
12:17:32, 01 May 2019,(238282) New Phase 1 IKE Session 125.19.8.230,Initiator
12:17:32, 01 May 2019,IKE Request Received From Eroute 0
12:16:32, 01 May 2019,(238280) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:16:32, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:16:32, 01 May 2019,New IPSec SA created by 125.19.8.230
12:16:32, 01 May 2019,(238280) IKE Notification: Responder Lifetime,RX
12:16:32, 01 May 2019,(238280) IKE Notification: Responder Lifetime,RX
12:16:32, 01 May 2019,(238280) New Phase 2 IKE Session 125.19.8.230,Initiator
12:16:32, 01 May 2019,(238274) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:16:32, 01 May 2019,(238278) IKE Keys Negotiated. Peer:
12:16:31, 01 May 2019,(238278) New Phase 1 IKE Session 125.19.8.230,Initiator
12:16:31, 01 May 2019,IKE Request Received From Eroute 0
12:15:32, 01 May 2019,(238276) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:15:32, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:15:31, 01 May 2019,New IPSec SA created by 125.19.8.230
12:15:31, 01 May 2019,(238276) IKE Notification: Responder Lifetime,RX
12:15:31, 01 May 2019,(238276) IKE Notification: Responder Lifetime,RX
12:15:31, 01 May 2019,(238276) New Phase 2 IKE Session 125.19.8.230,Initiator
12:15:31, 01 May 2019,(238270) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:15:31, 01 May 2019,(238274) IKE Keys Negotiated. Peer:
12:15:30, 01 May 2019,(238274) New Phase 1 IKE Session 125.19.8.230,Initiator
12:15:30, 01 May 2019,IKE Request Received From Eroute 0
12:14:30, 01 May 2019,(238272) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:14:30, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:14:30, 01 May 2019,New IPSec SA created by 125.19.8.230
12:14:30, 01 May 2019,(238272) IKE Notification: Responder Lifetime,RX
12:14:30, 01 May 2019,(238272) IKE Notification: Responder Lifetime,RX
12:14:30, 01 May 2019,(238272) New Phase 2 IKE Session 125.19.8.230,Initiator
12:14:30, 01 May 2019,(238266) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:14:30, 01 May 2019,(238270) IKE Keys Negotiated. Peer:
12:14:29, 01 May 2019,(238270) New Phase 1 IKE Session 125.19.8.230,Initiator
12:14:29, 01 May 2019,IKE Request Received From Eroute 0

So, what you are seeing is that every 60 seconds the Digi is generating a "IKE Request Received From Eroute 0" and rebuilding the tunnel. The IPSec tunnel rekey timer is set for 8 hours as well as the IKE timer.

Why would it be doing this?

I have another system connected to a Cisco 1921 IOS router and I get a single tunnel every 8 hours as I should.

How can I find out for sure if it is the Digi initiating this or if its due to the Cisco ASR1000?

Cheers,
John
asked May 1 in Digi TransPort Cellular by jserink New to the Community (44 points)

Please log in or register to answer this question.

1 Answer

0 votes
Ok, found the problem....
From the Cisco config:
crypto dynamic-map dynmap 11
set security-association lifetime seconds 120
set transform-set AES-256
set isakmp-profile AethNET

Am trying to get the customer to change this to 28800 or 14400 seconds from the 120.

WIll advise.

Cheers,
john
answered May 1 by jserink New to the Community (44 points)
...