Scope:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
With the IKE debug level set to 90, the IKE log (ike.log) shows the following messages each time the remote gateway sends a DELETE for the tunnel's Phase 2 SA and the netfence tears the SA down in response:
Info S1_VPN_ike[1076]: ipsec_delete_spi_list: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] spi=cf2a1bd5
Info S1_VPN_ike[1076]: ipsec_delete_spi_list: DELETE made us delete SA 0x730a0b6 (3 references) for proto 3
Info S1_VPN_ike[1076]: timer_remove_event: removing event sa_hard_expire(0x730a0b6)
Info S1_VPN_ike[1076]: timer_remove_event: removing event sa_soft_expire(0x730a0b6)
Info S1_VPN_ike[1076]: sa_remove: SA 0x730a0b6 removed from SA list
Info S1_VPN_ike[1076]: sa_release: SA 0x730a0b6 had 1 references
Info S1_VPN_ike[1076]: sa_release: freeing SA 0x730a0b6
Info S1_VPN_ike[1076]: delete_spi: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] outbound sa=0x730a0b6 proto=0x842e5c0, NOT REPLACED
Info S1_VPN_ike[1076]: delete_spi: IPSEC-TestTunnel-172.16.0.0-172.16.1.0(0x730a0b6), spi: 0xcf2a1bd5 succeeded.
Info S1_VPN_ike[1076]: delete_spi: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] inbound sa=0x730a0b6 proto=0x842e5c0, NOT REPLACED
Info S1_VPN_ike[1076]: delete_spi: IPSEC-TestTunnel-172.16.0.0-172.16.1.0(0x730a0b6), spi: 0x68a2be91 succeeded.
This behavior is caused by the "SA Idle Time" of the Windows ISA server, which is configured in the registry. By default it is 300 seconds (5 minutes): once an IPsec SA has carried no traffic for that long, the ISA server deletes it and sends a DELETE notification that forces the partner gateway (here the netfence) to drop its copy of the SA as well, which is exactly what the "DELETE made us delete SA" line above records.
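To confirm from ike.log that the tunnel is being torn down by the peer rather than by its own Phase 2 lifetime, and that the tear-downs line up with the ISA server's 300 second idle timer, the following Python script (an added example, not part of the original article or of the netfence product) parses the debug-level-90 messages shown above. It keys on two lines: the "DELETE made us delete SA" message, which the IKE daemon writes only when the remote gateway sent an ISAKMP DELETE, and the "sa_remove" message that follows every removal. The embedded log excerpt is constructed for the example: the message texts are the ones quoted on this page, but the timestamps, the additional SA handles and SPIs, the repetition at roughly five-minute intervals and the final sa_remove without a preceding DELETE are assumptions.

```python
import re
import statistics
from datetime import datetime

# Constructed ike.log excerpt (netfence IKE debug level 90). The message
# formats are the ones quoted on the page; the timestamps, the second and
# third SA handle/SPI pairs, the ~300 s cadence and the final removal without
# a peer DELETE are assumptions made up for this example.
SAMPLE_LOG = """\
2006-03-01 10:05:02 Info S1_VPN_ike[1076]: ipsec_delete_spi_list: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] spi=cf2a1bd5
2006-03-01 10:05:02 Info S1_VPN_ike[1076]: ipsec_delete_spi_list: DELETE made us delete SA 0x730a0b6 (3 references) for proto 3
2006-03-01 10:05:02 Info S1_VPN_ike[1076]: timer_remove_event: removing event sa_hard_expire(0x730a0b6)
2006-03-01 10:05:02 Info S1_VPN_ike[1076]: timer_remove_event: removing event sa_soft_expire(0x730a0b6)
2006-03-01 10:05:02 Info S1_VPN_ike[1076]: sa_remove: SA 0x730a0b6 removed from SA list
2006-03-01 10:05:02 Info S1_VPN_ike[1076]: delete_spi: IPSEC-TestTunnel-172.16.0.0-172.16.1.0(0x730a0b6), spi: 0xcf2a1bd5 succeeded.
2006-03-01 10:10:03 Info S1_VPN_ike[1076]: ipsec_delete_spi_list: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] spi=1a2b3c4d
2006-03-01 10:10:03 Info S1_VPN_ike[1076]: ipsec_delete_spi_list: DELETE made us delete SA 0x7311c20 (3 references) for proto 3
2006-03-01 10:10:03 Info S1_VPN_ike[1076]: sa_remove: SA 0x7311c20 removed from SA list
2006-03-01 10:15:01 Info S1_VPN_ike[1076]: ipsec_delete_spi_list: [IPSEC-TestTunnel-172.16.0.0-172.16.1.0] spi=9e8d7c6b
2006-03-01 10:15:01 Info S1_VPN_ike[1076]: ipsec_delete_spi_list: DELETE made us delete SA 0x7320a88 (3 references) for proto 3
2006-03-01 10:15:01 Info S1_VPN_ike[1076]: sa_remove: SA 0x7320a88 removed from SA list
2006-03-01 11:15:01 Info S1_VPN_ike[1076]: sa_remove: SA 0x7340001 removed from SA list
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
SPI_LIST_RE = re.compile(r"ipsec_delete_spi_list: \[(?P<tunnel>[^\]]+)\] spi=")
PEER_DELETE_RE = re.compile(r"DELETE made us delete SA (?P<sa>0x[0-9a-f]+)")
SA_REMOVE_RE = re.compile(r"sa_remove: SA (?P<sa>0x[0-9a-f]+) removed from SA list")

ISA_DEFAULT_SA_IDLE_TIME = 300  # seconds; the ISA server default named on the page


def parse_sa_removals(log_text):
    """One record per removed SA: handle, time, tunnel name (when the daemon
    logged one just before) and whether a peer DELETE forced the removal."""
    records = []
    pending_tunnel = None  # tunnel named by the most recent ipsec_delete_spi_list line
    peer_deleted = set()   # SA handles named in a "DELETE made us delete SA" line
    for line in log_text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue  # a line without a timestamp cannot be placed on the timeline
        ts = datetime.strptime(m_ts.group(1), "%Y-%m-%d %H:%M:%S")
        m = SPI_LIST_RE.search(line)
        if m:
            pending_tunnel = m.group("tunnel")
            continue
        m = PEER_DELETE_RE.search(line)
        if m:
            peer_deleted.add(m.group("sa"))
            continue
        m = SA_REMOVE_RE.search(line)
        if m:
            sa = m.group("sa")
            records.append({
                "sa": sa,
                "time": ts,
                "tunnel": pending_tunnel,
                "peer_initiated": sa in peer_deleted,
            })
            pending_tunnel = None
    return records


def peer_delete_intervals(records):
    """Seconds between consecutive peer-initiated removals, grouped per tunnel."""
    times_by_tunnel = {}
    for r in records:
        if r["peer_initiated"]:
            times_by_tunnel.setdefault(r["tunnel"], []).append(r["time"])
    return {
        tunnel: [int((later - earlier).total_seconds())
                 for earlier, later in zip(times, times[1:])]
        for tunnel, times in times_by_tunnel.items()
    }


def matches_sa_idle_time(intervals, idle_time=ISA_DEFAULT_SA_IDLE_TIME, tolerance=30):
    """True when the median gap between peer deletes is within `tolerance`
    seconds of the idle timer, i.e. the peer is tearing the SA down for lack
    of traffic rather than at the negotiated Phase 2 lifetime."""
    if not intervals:
        return False
    return abs(statistics.median(intervals) - idle_time) <= tolerance


if __name__ == "__main__":
    removals = parse_sa_removals(SAMPLE_LOG)
    for r in removals:
        cause = "peer DELETE" if r["peer_initiated"] else "local (lifetime/other)"
        print(f"{r['time']:%H:%M:%S}  SA {r['sa']:<10} {cause}")
    for tunnel, gaps in peer_delete_intervals(removals).items():
        verdict = "matches SAIdleTime" if matches_sa_idle_time(gaps) else "does not match SAIdleTime"
        print(f"{tunnel}: gaps {gaps} s -> {verdict}")
```

Run against a real ike.log the timestamps must be in the same `YYYY-MM-DD HH:MM:SS` form or TS_RE adjusted to the log's prefix. If the gaps cluster around 300 s the ISA side is deleting on idle; gaps near the Phase 2 lifetime (3600 s) point to normal rekeying instead.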
Set the "SA Idle Time" on the Windows ISA server to the same value as the Phase 2 SA lifetime (3600 seconds in this example), so that an idle SA is deleted no sooner than its lifetime would expire it anyway. The setting is a REG_DWORD named SAIdleTime, in seconds, under the IPsec service key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec on Windows Server 2003; this path is not given on the original page, so verify it against the Microsoft documentation for your ISA/Windows version). Create the value if it does not exist:
Value name: SAIdleTime
Data Type: REG_DWORD
Value data: 3600
We recommend using the default settings for Phase 1 and Phase 2 on both the Windows ISA server and the netfence. Note that 3DES, SHA-1 and the 1024-bit MODP group are the defaults of this ISA server generation and are considered weak by current standards; where both peers support it, prefer AES and a larger DH group.
Phase I
- Main mode
- 3DES
- SHA-1
- MODP Group 2 (1024 bits) for DH
- SA lifetime of 28800 seconds
- Preshared Secret
Phase II
- 3DES
- SHA-1
- PFS with MODP Group 2 (1024 bits) for DH
- SA lifetime of 3600 seconds
- Kilobyte lifetime disabled