IPSec tunnel rebuilding every 60 seconds

0 votes
Hi All:

We are connecting Digi WR41s to a Cisco ASR1000 router. 15 of the 25 Digis connect fine, the other 10 don't, but I have noticed something on the ones that do connect, please see the event log below:
12:21:38, 01 May 2019,(238300) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:21:38, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:21:38, 01 May 2019,New IPSec SA created by 125.19.8.230
12:21:37, 01 May 2019,(238300) IKE Notification: Responder Lifetime,RX
12:21:37, 01 May 2019,(238300) IKE Notification: Responder Lifetime,RX
12:21:37, 01 May 2019,(238300) New Phase 2 IKE Session 125.19.8.230,Initiator
12:21:37, 01 May 2019,(238294) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:21:37, 01 May 2019,(238298) IKE Keys Negotiated. Peer:
12:21:36, 01 May 2019,(238298) New Phase 1 IKE Session 125.19.8.230,Initiator
12:21:36, 01 May 2019,IKE Request Received From Eroute 0
12:20:37, 01 May 2019,(238296) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:20:37, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:20:36, 01 May 2019,New IPSec SA created by 125.19.8.230
12:20:36, 01 May 2019,(238296) IKE Notification: Responder Lifetime,RX
12:20:36, 01 May 2019,(238296) IKE Notification: Responder Lifetime,RX
12:20:36, 01 May 2019,(238296) New Phase 2 IKE Session 125.19.8.230,Initiator
12:20:36, 01 May 2019,(238290) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:20:36, 01 May 2019,(238294) IKE Keys Negotiated. Peer:
12:20:35, 01 May 2019,(238294) New Phase 1 IKE Session 125.19.8.230,Initiator
12:20:35, 01 May 2019,IKE Request Received From Eroute 0
12:19:37, 01 May 2019,(238292) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:19:37, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:19:35, 01 May 2019,New IPSec SA created by 125.19.8.230
12:19:35, 01 May 2019,(238292) IKE Notification: Responder Lifetime,RX
12:19:35, 01 May 2019,(238292) IKE Notification: Responder Lifetime,RX
12:19:35, 01 May 2019,(238292) New Phase 2 IKE Session 125.19.8.230,Initiator
12:19:35, 01 May 2019,(238286) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:19:35, 01 May 2019,(238290) IKE Keys Negotiated. Peer:
12:19:34, 01 May 2019,(238290) New Phase 1 IKE Session 125.19.8.230,Initiator
12:19:34, 01 May 2019,IKE Request Received From Eroute 0
12:18:34, 01 May 2019,(238288) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:18:34, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:18:34, 01 May 2019,New IPSec SA created by 125.19.8.230
12:18:34, 01 May 2019,(238288) IKE Notification: Responder Lifetime,RX
12:18:34, 01 May 2019,(238288) IKE Notification: Responder Lifetime,RX
12:18:34, 01 May 2019,(238288) New Phase 2 IKE Session 125.19.8.230,Initiator
12:18:34, 01 May 2019,(238282) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:18:34, 01 May 2019,(238286) IKE Keys Negotiated. Peer:
12:18:33, 01 May 2019,(238286) New Phase 1 IKE Session 125.19.8.230,Initiator
12:18:33, 01 May 2019,IKE Request Received From Eroute 0
12:17:33, 01 May 2019,(238284) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:17:33, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:17:33, 01 May 2019,New IPSec SA created by 125.19.8.230
12:17:33, 01 May 2019,(238284) IKE Notification: Responder Lifetime,RX
12:17:33, 01 May 2019,(238284) IKE Notification: Responder Lifetime,RX
12:17:33, 01 May 2019,(238284) New Phase 2 IKE Session 125.19.8.230,Initiator
12:17:33, 01 May 2019,(238278) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:17:33, 01 May 2019,(238282) IKE Keys Negotiated. Peer:
12:17:32, 01 May 2019,(238282) New Phase 1 IKE Session 125.19.8.230,Initiator
12:17:32, 01 May 2019,IKE Request Received From Eroute 0
12:16:32, 01 May 2019,(238280) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:16:32, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:16:32, 01 May 2019,New IPSec SA created by 125.19.8.230
12:16:32, 01 May 2019,(238280) IKE Notification: Responder Lifetime,RX
12:16:32, 01 May 2019,(238280) IKE Notification: Responder Lifetime,RX
12:16:32, 01 May 2019,(238280) New Phase 2 IKE Session 125.19.8.230,Initiator
12:16:32, 01 May 2019,(238274) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:16:32, 01 May 2019,(238278) IKE Keys Negotiated. Peer:
12:16:31, 01 May 2019,(238278) New Phase 1 IKE Session 125.19.8.230,Initiator
12:16:31, 01 May 2019,IKE Request Received From Eroute 0
12:15:32, 01 May 2019,(238276) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:15:32, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:15:31, 01 May 2019,New IPSec SA created by 125.19.8.230
12:15:31, 01 May 2019,(238276) IKE Notification: Responder Lifetime,RX
12:15:31, 01 May 2019,(238276) IKE Notification: Responder Lifetime,RX
12:15:31, 01 May 2019,(238276) New Phase 2 IKE Session 125.19.8.230,Initiator
12:15:31, 01 May 2019,(238270) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:15:31, 01 May 2019,(238274) IKE Keys Negotiated. Peer:
12:15:30, 01 May 2019,(238274) New Phase 1 IKE Session 125.19.8.230,Initiator
12:15:30, 01 May 2019,IKE Request Received From Eroute 0
12:14:30, 01 May 2019,(238272) IKE SA Removed. Peer: 125.19.8.230,Successful Negotiation
12:14:30, 01 May 2019,IPSec SA Deleted ID 125.19.8.230,Replaced
12:14:30, 01 May 2019,New IPSec SA created by 125.19.8.230
12:14:30, 01 May 2019,(238272) IKE Notification: Responder Lifetime,RX
12:14:30, 01 May 2019,(238272) IKE Notification: Responder Lifetime,RX
12:14:30, 01 May 2019,(238272) New Phase 2 IKE Session 125.19.8.230,Initiator
12:14:30, 01 May 2019,(238266) IKE SA Removed. Peer: 125.19.8.230,Duplicate SA
12:14:30, 01 May 2019,(238270) IKE Keys Negotiated. Peer:
12:14:29, 01 May 2019,(238270) New Phase 1 IKE Session 125.19.8.230,Initiator
12:14:29, 01 May 2019,IKE Request Received From Eroute 0

So, what you are seeing is that every 60 seconds the Digi is generating an "IKE Request Received From Eroute 0" and rebuilding the tunnel. The IPSec tunnel rekey timer is set for 8 hours as well as the IKE timer.

Why would it be doing this?

I have another system connected to a Cisco 1921 IOS router and I get a single tunnel every 8 hours as I should.

How can I find out for sure if it is the Digi initiating this or if it's due to the Cisco ASR1000?

Cheers,
John
asked May 1, 2019 in Digi TransPort Cellular by jserink New to the Community (44 points)


1 Answer

0 votes
Ok, found the problem....
From the Cisco config:
crypto dynamic-map dynmap 11
 set security-association lifetime seconds 120
 set transform-set AES-256
 set isakmp-profile AethNET

Am trying to get the customer to change this to 28800 or 14400 seconds from the 120.

Will advise.

Cheers,
john
answered May 1, 2019 by jserink New to the Community (44 points)
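
Added example (not part of the original posts, and not Digi or Cisco code): a Python check that measures the gap between "IKE Request Received From Eroute" events in an event log of the format shown in the question, and counts the "Responder Lifetime" notifications, which a responder sends when it applies its own SA lifetime. The sample lines, the 192.0.2.10 address and the churn_ratio threshold are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the event-log format from the question (newest first);
# 192.0.2.10 is a documentation address, not the peer from the post.
SAMPLE_LOG = """\
12:03:01, 01 May 2019,(1006) IKE Notification: Responder Lifetime,RX
12:03:01, 01 May 2019,(1006) New Phase 2 IKE Session 192.0.2.10,Initiator
12:03:00, 01 May 2019,IKE Request Received From Eroute 0
12:02:01, 01 May 2019,(1004) IKE Notification: Responder Lifetime,RX
12:02:00, 01 May 2019,IKE Request Received From Eroute 0
12:00:59, 01 May 2019,(1002) IKE Notification: Responder Lifetime,RX
12:00:59, 01 May 2019,IKE Request Received From Eroute 0
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}), (\d{2} \w{3} \d{4}),(.*)$")

def parse_events(text):
    """Return (timestamp, message) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%d %b %Y %H:%M:%S")
        events.append((ts, m.group(3)))
    return sorted(events, key=lambda e: e[0])

def assess(text, configured_lifetime_s, churn_ratio=0.5):
    """Compare the observed renegotiation interval with the local lifetime.

    churn_ratio is an assumed threshold: renegotiating faster than this
    fraction of the locally configured lifetime is reported as churn.
    """
    events = parse_events(text)
    starts = [ts for ts, msg in events
              if msg.startswith("IKE Request Received From Eroute")]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    typical = median(gaps) if gaps else None
    return {
        "negotiations": len(starts),
        "median_gap_s": typical,
        # A non-zero count means the peer is announcing its own lifetime.
        "responder_lifetime_notifies": sum(
            "Responder Lifetime" in msg for _, msg in events),
        "churn": typical is not None
                 and typical < configured_lifetime_s * churn_ratio,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, configured_lifetime_s=28800))  # 8 hours locally
```

A short median gap together with a non-zero notification count points at the lifetime set on the responder side, which is where the answer above found the 120-second setting.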