I am having this issue that IPsec VPN re-keying between ASA5525 and MX68 sometimes fails.
This issue happens about once a week.
I have a workaround for the issue, which is clearing the IKEv1 SA and IPsec SA on the ASA side, but I would like to know the root cause of this issue.
I read somewhere that the lifetime of the IKEv1 tunnel should always be greater than the lifetime of the IPsec tunnel (although I could not find the reason for this practice).
My current config is not following this practice, meaning that phase 1 and phase 2 have the same lifetime at this moment.
Could this config cause this re-key issue?
I see these logs on ASA side:
Removing peer from correlator table failed, no match!
All IPSec SA proposals found unacceptable!
> My current config is not following this practice. means that phase 1 and phase 2
There is nothing wrong with them having the same lifetime. Don't change that.
> All IPSec SA proposals found unacceptable!
This is frequently because of a difference in the source and destination encryption domains between the two ends.
Thanks for your reply.
OK, I will keep the lifetime as it is.
> This is frequently because of a difference in the source and destination encryption domains between the two ends.
I do not quite get what this means. Can you explain?
The ASA will have an access-list saying what to encrypt. It must exactly match what the MX has been told to encrypt.
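The mirror check described above, as an added example that is not part of the thread: it parses constructed ASA crypto-ACL lines, builds the (remote, local) subnet pairs an MX would encrypt from its constructed site-to-site settings, and reports any pair present on only one side. The ACL name and all subnets are made up; the /23 on the MX side is a deliberate mismatch.

```python
"""Compare an ASA crypto ACL with the subnets an MX is told to encrypt.
Added example; every ACL line and subnet below is constructed."""
import ipaddress
import re

# Constructed ASA crypto-map ACL (what the ASA will encrypt).
ASA_ACL = """\
access-list VPN-MX extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN-MX extended permit ip 10.20.0.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

# Constructed MX site-to-site settings: its local subnets and the
# remote (ASA-side) private subnets it expects. The /23 is the mismatch.
MX_LOCAL = ["192.168.50.0/24"]
MX_REMOTE = ["10.10.0.0/24", "10.20.0.0/23"]

ACL_RE = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_asa_acl(text):
    """Return the set of (src, dst) networks from ASA extended-ACL lines."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # remarks and unrelated lines are ignored
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.add((src, dst))
    return pairs


def mx_pairs(local, remote):
    """MX side expressed as the ASA's (src, dst) = (asa_side, mx_side) pairs."""
    return {(ipaddress.ip_network(r), ipaddress.ip_network(l))
            for r in remote for l in local}


def compare_encryption_domains(asa_text, mx_local, mx_remote):
    """Pairs that exist on only one end; both lists empty means an exact match."""
    asa = parse_asa_acl(asa_text)
    mx = mx_pairs(mx_local, mx_remote)
    return {
        "only_on_asa": sorted(f"{s} -> {d}" for s, d in asa - mx),
        "only_on_mx": sorted(f"{s} -> {d}" for s, d in mx - asa),
    }


if __name__ == "__main__":
    print(compare_encryption_domains(ASA_ACL, MX_LOCAL, MX_REMOTE))
```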
OK, now I see.
Yes, I have exactly the same ACLs, matching bidirectionally.
One thing I noticed in ASDM is that I have the data lifetime set to the default value of 4GB, although this config is not seen in the running-config. I will set it to unlimited to see if this helps.