You should disable data lifetimes on peer devices in order to guarantee a stable connection, as VNS3 does not support data lifetimes.
Cisco and certain other vendors provide for IPSec lifetimes to be limited by data quantity in addition to time.
For example, if an IPSec tunnel is configured with a lifetime of 28800s and a data lifetime of 10GB, the connection will rekey after 8 hours OR when 10GB of data has traversed the tunnel, whichever comes first.
Cisco enables data lifetimes by default. When connecting a Cisco device to VNS3, you will need to disable data lifetimes option in order to guarantee a stable connection.
If you do not, there is a chance that the connection SPIs will become out of sync when the data lifetime is reached, causing the tunnel to drop and an outage to occur.
Avoiding this situation is trivial - simply change the data lifetime in the ASDM:
- log into ASDM and select the "Configuration" tab
- Select the "Site-to-Site VPN" side tab and then edit the connection profile associated with VNS3
- From the tree on the left, select "Crypto Map Entry" from the "Advanced" submenu
- Under "Security Association Lifetime" check the "unlimited" box next to "Traffic Volume."
Once this is done, select "OK", "Apply", and then write the configuration to the device.
See our other Cisco device articles:
- How to check if if NAT-T is enabled on a Cisco ASA: https://cohesivenet.zendesk.com/hc/en-us/articles/206950587
- How to ensure your tunnel has “interesting traffic” flowing: https://cohesivenet.zendesk.com/hc/en-us/articles/217783908-how-to-fix-3-common-Network-Device-issues-in-VNS3
- Full Cisco ASA set up guide: https://cohesive.net/dnld/Cohesive-Networks_Cisco-ASDM-9.2-IPsec-Setup.pdf