IPSec Service Was Interrupted Due to SA Lifetime Expiration

Publication Date: 2015-07-03
Issue Description
Network Topology:

Peer Device (60.247.x.y)-----------(IPSec)---------------Firewall

Symptom:

The firewall established an IPSec VPN tunnel with the peer (60.247.x.y). A client (10.217.18.97) served by the peer needed to back up a large amount (about 20 GB) of data to a client served by the local firewall every weekend. After a period (several hours) of transmission, the connection was interrupted and then recovered after a period. Other services were normal.
Handling Process
1. The IPSec tunnel information was displayed and the negotiations were normal.

HRP_M<USG-1> display ike sa
288342     60.247.x.y              RD            v1:2  public
288339     60.247.x.y              RD            v1:2  public
288338     60.247.x.y              RD            v1:2  public
288337     60.247.x.y              RD            v1:2  public
288336     60.247.x.y              RD            v1:2  public
288335     60.247.x.y              RD            v1:2  public
288334     60.247.x.y              RD            v1:2  public
288332     60.247.x.y              RD            v1:2  public
288331     60.247.x.y              RD            v1:2  public
288288     60.247.x.y              RD|D          v1:1  public


The collected information indicated that IKEv1 negotiation was used on the live network.

2. Service interruption is usually caused by tunnel disconnection, and automatic service recovery indicates that the tunnel can be renegotiated.

3. Based on the preceding fault locating:

    1) A ping test was performed to check whether the tunnel disconnection was caused by congestion; the result ruled out congestion as the cause.
    2) The fault always occurred during large-volume data backup, so it had to be related to traffic volume. An IPSec SA lifetime can be time-based or traffic-based; if a traffic-based SA lifetime expires, the tunnel is disconnected.

4. In the IKEv1 negotiation, the firewall was the responder and the peer was the initiator, and only the initiator can initiate negotiation. In addition, the incoming traffic volume was counted against the traffic-based SA lifetime. During data backup, a large volume of traffic entered the firewall, so the SA lifetime expired and the tunnel was disconnected. Because the firewall could not initiate a renegotiation, the service was interrupted.
Root Cause
As the responder in IKEv1 negotiation, the firewall cannot initiate renegotiation after the tunnel is disconnected due to the expiration of a traffic-based SA lifetime. 
Solution
Disable the traffic-based SA lifetime in IPSec policy view as follows:

ipsec policy 1 1 isakmp
undo sa duration traffic-based enable
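The mechanism in step 4 and the effect of the solution above can be modelled as follows. This is an added example, not Huawei code or output from the case: the lifetime values (3600 s, 1843200 KB), transfer rate, return-traffic rate and recovery delay are assumptions; the roles match the case (peer is the IKEv1 initiator, firewall the responder, each side counting the traffic it receives).

```python
# Added model of a traffic-based SA lifetime expiring during a long transfer.
# Not Huawei code; lifetimes, transfer rate and recovery delay are assumed values.
from dataclasses import dataclass
from typing import Optional

TOTAL_KB = 20 * 1024 * 1024  # the roughly 20 GB weekend backup from the case
RATE_KB_S = 2048             # assumed bulk transfer rate (about 16 Mbit/s)
ACK_KB_S = 64                # assumed return traffic arriving at the peer
RECOVERY_S = 60              # assumed delay until the initiator renegotiates

@dataclass
class SaPolicy:
    time_limit_s: int                # time-based SA lifetime, seconds
    traffic_limit_kb: Optional[int]  # traffic-based lifetime in KB; None = disabled

def simulate_transfer(total_kb, rate_kb_s, ack_kb_s, policy, recovery_s):
    """Return (outages, outage_seconds, elapsed_seconds) for the backup.
    Peer = IKEv1 initiator, firewall = responder; each side counts the traffic it
    receives against the traffic-based lifetime. Only the initiator renegotiates;
    if only the firewall's limit is reached it deletes the SA and traffic stops."""
    sent = elapsed = outages = outage_s = 0
    sa_age = in_fw = in_peer = 0  # counters for the current SA
    while sent < total_kb:
        chunk = min(rate_kb_s, total_kb - sent)
        sent += chunk
        in_fw += chunk        # bulk data arriving at the firewall
        in_peer += ack_kb_s   # small return flow arriving at the peer
        sa_age += 1
        elapsed += 1
        if sent >= total_kb:
            break
        limit = policy.traffic_limit_kb
        initiator_rekeys = sa_age >= policy.time_limit_s or (
            limit is not None and in_peer >= limit)
        responder_expired = limit is not None and in_fw >= limit
        if responder_expired and not initiator_rekeys:
            outages += 1      # SA torn down on the firewall side only
            outage_s += recovery_s
            elapsed += recovery_s
        if responder_expired or initiator_rekeys:
            sa_age = in_fw = in_peer = 0  # fresh SA, counters restart
    return outages, outage_s, elapsed

def compare_policies(time_limit_s=3600, traffic_limit_kb=1843200):
    """Run the backup before and after 'undo sa duration traffic-based enable'."""
    before = SaPolicy(time_limit_s, traffic_limit_kb)
    after = SaPolicy(time_limit_s, None)
    return (simulate_transfer(TOTAL_KB, RATE_KB_S, ACK_KB_S, before, RECOVERY_S),
            simulate_transfer(TOTAL_KB, RATE_KB_S, ACK_KB_S, after, RECOVERY_S))
```

With the assumed values the traffic-based lifetime on the responder expires every 900 s of backup, producing 11 interruptions, while with it disabled the initiator rekeys on the time-based lifetime and the backup completes without interruption.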

