ike phase 1 lifetime, asa with netscreen

- B
- Bart
  
  Contact options for registered users
posted
14 years ago

Tue, Jun 9, 2009 12:36 PM

Hi all

Ipsec, L2L, in configuration I set 8h, on both side

IKE Peer: x.y.z.w Type : L2L Role : initiator Rekey : no State : MM_ACTIVE Encrypt : 3des Hash : SHA Auth : preshared Lifetime: 28800 Lifetime Remaining: 24897

but in logs, keys are changing in every 6 hours:

Jun 6 11:17:46 masterasa Jun 06 2009 11:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w Freeing previously allocated memory for authorization-dn-attributes

Jun 6 17:17:46 masterasa Jun 06 2009 17:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for authorization-dn-attributes

Jun 6 23:17:46 masterasa Jun 06 2009 23:17:46: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w , Freeing previously allocated memory for authorization-dn-attributes

Jun 7 05:17:47 masterasa Jun 07 2009 05:17:47: %ASA-4-713903: Group = x.y.z.w, IP = x.y.z.w, Freeing previously allocated memory for authorization-dn-attributes

Someone knows what's reason of that ?

thanks Bart

Loading thread data ...

- B
- bod43
  
  Contact options for registered users
Vote on answer
posted
14 years ago

Thu, Jun 11, 2009 11:25 AM

I am not an IPSEC expert however I understand that new keys are generated before the old ones expire so that valid keys are always available.

Perhaps this is what you are observing?

Maybe I am too far towards the pragmatic side however I would not be concerned by this unless other symptoms were present:-)

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.