"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic
Hello,
I have 3 X ER8411 routers doing IPSEC VPN connection between each other.
Site A communicates with sites B and C
Site B communicates with sites A and C
Site C communicates with sites A and B
On site A we send backups to site B every night, with almost terrabyte sizes. However every morning we see that the connection is permanently dropped with the above error message. We have to restart the router to get the connection back. Site C does not have any issues communicating with sites A and B. Its still up and running.
I was wondering if the SA lifetime expires and disconnects due to traffic based SA lifetime and if there is an option to disable that.
If this is not the case can you give me any other hints what else to check pls?
Thanks
George
Hi @ITserve
Thanks for posting in our business forum.
So, as you stated, C does not disconnect between the A and B. They basically share the exact same config for IPsec. Correct?
In the lab, I tested with IPsec in the local network and it never disconnects. I monitored it for a day and there was no disconnection. Later on, I did not monitor it. It stays solid till now. It's like a month now.
Even it is disconnected, it should reconnect automatically. So, if we need to dig into this, and find out the cause, we might need to Wireshark and monitor the IPsec protocols.
Before that, you should know that SA time can be changed.
Lastly, you can try out this beta and see if it improves or not if you will. Early Access ER8411 V1_1.1.1 Build 20231030 Beta Firmware for Omada Controller V5.13 (Released on Oct 31th, 2023)
Hi @ITserve
Thanks for posting in our business forum.
So, as you stated, C does not disconnect between the A and B. They basically share the exact same config for IPsec. Correct?
In the lab, I tested with IPsec in the local network and it never disconnects. I monitored it for a day and there was no disconnection. Later on, I did not monitor it. It stays solid till now. It's like a month now.
Even it is disconnected, it should reconnect automatically. So, if we need to dig into this, and find out the cause, we might need to Wireshark and monitor the IPsec protocols.
Before that, you should know that SA time can be changed.
Lastly, you can try out this beta and see if it improves or not if you will. Early Access ER8411 V1_1.1.1 Build 20231030 Beta Firmware for Omada Controller V5.13 (Released on Oct 31th, 2023)