The remote device is juniper FW.
The IPSEC tunnel restarts around every 30 minutes.
1. I found the error warning like this, so please check the security ACL of the two sites and make sure they are strict match to each other.
%2013-07-21 04:49:02 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
%2013-07-21 04:48:20 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
%2013-07-21 04:48:10 EX-FW-01 %%01IKE/4/WARNING(l): phase2: security acl mismatch.
when correct the ACL configuration , the problem still not solved.
As we checked the trapbuffer carefully , we found that the tunnels restart around every 30 minutes not 30 seconds. So could you please inform me the exactly phenomenon about that.
And the time of the tunnels to restart is according to the negotiating of the two devices, and each device has a time-out time ,the final time-out time will choose the minor one of the two devices. E1000E has a default time-out time as 60 minutes, so please check the configuration of remote device if the tunnels restart every 30 minutes.
If you want the connections always up , you can modify like this on our FWs（NOTICE：the duration must be modified on the remote devices too ）:
[sysname] ipsec policy policy1 1 isakmp
[sysname-ipsec-policy-isakmp-policy1-1] sa duration time-based XXXX （the largest is 604800s）
[sysname] ipsec policy policy2 1 isakmp
[sysname-ipsec-policy-isakmp-policy2-1] sa duration traffic-based xxxx （the largest is 4194303Kb）
When modified the configuration of thetime-out time of tunnel of both sites, the problem solved.
2. ACL mismatch.
3. time-out time is 30 minutes.
When troubleshooting the problem like IPSEC, we should check both sites of the configuration and keep the same.