"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic

"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic

"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic
"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic
2023-12-07 08:09:02 - last edited 2023-12-21 02:40:54
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.1.0 Build 20230705 Rel.64091

Hello,

 

I have 3 X ER8411 routers doing IPSEC VPN connection between each other. 

Site A communicates with sites B and C

Site B communicates with sites A and C

Site C communicates with sites A and B

 

On site A we send backups to site B every night, with almost terrabyte sizes. However every morning we see that the connection is permanently dropped with the above error message. We have to restart the router to get the connection back. Site C does not have any issues communicating with sites A and B. Its still up and running.

 

I was wondering if the SA lifetime expires and disconnects due to traffic based SA lifetime and if there is an option to disable that.

 

If this is not the case can you give me any other hints what else to check pls?

 

Thanks

George

  0      
  0      
#1
Options
1 Accepted Solution
Re:"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic-Solution
2023-12-08 01:55:41 - last edited 2023-12-21 02:40:54

Hi @ITserve 

Thanks for posting in our business forum.

So, as you stated, C does not disconnect between the A and B. They basically share the exact same config for IPsec. Correct?

In the lab, I tested with IPsec in the local network and it never disconnects. I monitored it for a day and there was no disconnection. Later on, I did not monitor it. It stays solid till now. It's like a month now.

 

Even it is disconnected, it should reconnect automatically. So, if we need to dig into this, and find out the cause, we might need to Wireshark and monitor the IPsec protocols.

Before that, you should know that SA time can be changed.

 

Lastly, you can try out this beta and see if it improves or not if you will. Early Access ER8411 V1_1.1.1 Build 20231030 Beta Firmware for Omada Controller V5.13 (Released on Oct 31th, 2023)

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
Recommended Solution
  0  
  0  
#2
Options
3 Reply
Re:"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic-Solution
2023-12-08 01:55:41 - last edited 2023-12-21 02:40:54

Hi @ITserve 

Thanks for posting in our business forum.

So, as you stated, C does not disconnect between the A and B. They basically share the exact same config for IPsec. Correct?

In the lab, I tested with IPsec in the local network and it never disconnects. I monitored it for a day and there was no disconnection. Later on, I did not monitor it. It stays solid till now. It's like a month now.

 

Even it is disconnected, it should reconnect automatically. So, if we need to dig into this, and find out the cause, we might need to Wireshark and monitor the IPsec protocols.

Before that, you should know that SA time can be changed.

 

Lastly, you can try out this beta and see if it improves or not if you will. Early Access ER8411 V1_1.1.1 Build 20231030 Beta Firmware for Omada Controller V5.13 (Released on Oct 31th, 2023)

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
Recommended Solution
  0  
  0  
#2
Options
Re:"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic
2023-12-11 01:23:52

Hi @ITserve 

Not sure if you are still following this up.

If you'd like to, we would be glad to reproduce your issue in the test team's lab if you can provide the backup file. You can remove the sensitive information on your end and then send it to us privately.

Let me know what you think before I make my next move.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
  0  
  0  
#3
Options
Re:"Lifetime of the SA created in phase x of IKE negotiation expired" large volume traffic
2023-12-11 07:35:48

  @ITserve 

 

Hello and thank you for your prompt assistance, i changed the SA lifetime to the maximum value and so far it seems to work ok. However i may need to monitor this for 1-2 weeks to make sure if everything is ok until the SA lifetime expires.

 

I will get back to you when i have complete results.

 

Thanks a lot

George

  1  
  1  
#4
Options

Information

Helpful: 0

Views: 374

Replies: 3

Related Articles