topic Site to site VPN issue in General Topics https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-issue/m-p/28368#M20735 <HTML><HEAD></HEAD><BODY><P>Folks.</P><P></P><P>I have an issue with some site-to-site configurations that is bugging the cr*p out of me, and I thought I'd post it here.</P><P></P><P>I run some site-to-site VPN's (Palo Alto to Cisco 887 routers) which come up fine, but which seem to defy *all* configuration with respect to IpSec SA lifetime.</P><P></P><P>As far as I can tell, I've configured a 12 hour (43200 second) lifetime, yet when the IPSec is negotiated, I get this in the logs.</P><P></P><P>IPSec key installed. Installed SA: www.xxx.yyy.zzz[500]-aaa.bbb.ccc.ddd[500] SPI:0x8AA8C96C/0x49847307 lifetime 3600 Sec lifesize 4608000 KB.</P><P></P><P>Note the "3600 Sec" lifetime - which is only 1 hour.</P><P></P><P>Now, this is not a real big deal - apart from adding extra lines into my logs, it's not a real hassle - but it's just peeving me off that I can't solve it.</P><P></P><P>Is there anywhere else I should look for lifetime settings besides the "IPSec Crypto" setting int he network configuration?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 22 Jan 2013 00:24:15 GMT darren_g 2013-01-22T00:24:15Z Site to site VPN issue https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-issue/m-p/28368#M20735 <HTML><HEAD></HEAD><BODY><P>Folks.</P><P></P><P>I have an issue with some site-to-site configurations that is bugging the cr*p out of me, and I thought I'd post it here.</P><P></P><P>I run some site-to-site VPN's (Palo Alto to Cisco 887 routers) which come up fine, but which seem to defy *all* configuration with respect to IpSec SA lifetime.</P><P></P><P>As far as I can tell, I've configured a 12 hour (43200 second) lifetime, yet when the IPSec is negotiated, I get this in the logs.</P><P></P><P>IPSec key installed. Installed SA: www.xxx.yyy.zzz[500]-aaa.bbb.ccc.ddd[500] SPI:0x8AA8C96C/0x49847307 lifetime 3600 Sec lifesize 4608000 KB.</P><P></P><P>Note the "3600 Sec" lifetime - which is only 1 hour.</P><P></P><P>Now, this is not a real big deal - apart from adding extra lines into my logs, it's not a real hassle - but it's just peeving me off that I can't solve it.</P><P></P><P>Is there anywhere else I should look for lifetime settings besides the "IPSec Crypto" setting int he network configuration?</P><P></P><P>Thanks</P></BODY></HTML> Tue, 22 Jan 2013 00:24:15 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-issue/m-p/28368#M20735 darren_g 2013-01-22T00:24:15Z Re: Site to site VPN issue https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-issue/m-p/28369#M20736 <HTML><HEAD></HEAD><BODY><P>Never mind, found the issue - had to tweak the Cisco end a bit to get it to accept the additional time frame parameters.</P><P></P><P>All good now. No more excessive log entries!</P></BODY></HTML> Tue, 22 Jan 2013 01:01:49 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-issue/m-p/28369#M20736 darren_g 2013-01-22T01:01:49Z