>>>>>> idle-time Automatically delete IPSec SAs after a given idle
>> set security-association idle-time 60
>> It doesn't work. The session keeps hanging.
>> Global - crypto ipsec security-association idle-time 60
>> same thing.
> set a small value and look at the debug...
I set it to 60 sec. Enabled debug crypto ipsec
A client connects, and there are these lines:
Jul 11 10:34:53.847: IPSEC(create_sa): starting idle timer, 60 seconds
Jul 11 10:34:53.847: IPSEC(create_sa): sa created,
(sa) sa_dest= 84.47.*.*, sa_proto= 50,
sa_spi= 0xF6F90895(4143515797),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 77
sa_lifetime(k/sec)= (4418854/3600)
Jul 11 10:34:53.847: IPSEC(create_sa): sa created,
(sa) sa_dest= 188.35.*.*, sa_proto= 50,
sa_spi= 0xB8F9956(193960278),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 78
sa_lifetime(k/sec)= (4418854/3600)
Jul 11 10:34:53.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Jul 11 10:34:53.851: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jul 11 10:34:53.851: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jul 11 10:34:53.851: IPSEC(key_engine_enable_outbound): enable SA with spi 193960278/50
Jul 11 10:34:53.851: IPSEC(update_current_outbound_sa): get enable SA peer 188.35.*.* current outbound sa to SPI B8F9956
Jul 11 10:34:53.851: IPSEC(update_current_outbound_sa): updated peer 188.35.*.* current outbound sa to SPI B8F9956
cisco#
Jul 11 10:35:05.915: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jul 11 10:35:05.915: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Jul 11 10:35:05.915: IPSEC(key_engine_delete_sas): delete SA with spi 0x21F9F058 proto 50 for 188.35.*.*
Jul 11 10:35:05.915: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 84.47.*.*, sa_proto= 50,
sa_spi= 0xCA2AEB86(3391810438),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 59
sa_lifetime(k/sec)= (4562472/3600),
(identity) local= 84.47.*.*:0, remote= 188.35.*.*:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.3.84/255.255.255.255/0/0 (type=1)
Jul 11 10:35:05.915: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 188.35.*.*, sa_proto= 50,
sa_spi= 0x21F9F058(570028120),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 60
sa_lifetime(k/sec)= (4562472/3600),
(identity) local= 84.47.*.*:0, remote= 188.35.*.*:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.3.84/255.255.255.255/0/0 (type=1)
Jul 11 10:35:05.915: IPSEC(rte_mgr): Delete Route found ID 5
Jul 11 10:35:05.915: IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access2
Jul 11 10:35:05.915: IPSEC(key_engine): got a queue event with 1 KMI message(s)
cisco#
Jul 11 10:35:05.915: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
I.e. the timer does seem to get activated. 60 sec pass and nothing. The client keeps hanging, and there are no more logs for it.
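One way to check the observation above against a saved `debug crypto ipsec` capture, as an added example that is not part of the original post: the hypothetical `overdue_sas` helper pairs each `sa created` SPI with the idle timer value and any later `deleting SA` block, and reports SAs still present past the idle deadline. The sample log and its documentation-range addresses are constructed, and the `as_of` argument is an assumption standing in for the time of checking when the log has gone quiet.

```python
import re
from datetime import datetime

# Constructed sample in the format of the debug output above; the addresses
# are documentation-range placeholders, not values from the thread.
SAMPLE = """\
Jul 11 10:34:53.847: IPSEC(create_sa): starting idle timer, 60 seconds
Jul 11 10:34:53.847: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.0.2.1, sa_proto= 50,
sa_spi= 0xF6F90895(4143515797),
Jul 11 10:34:53.847: IPSEC(create_sa): sa created,
(sa) sa_dest= 198.51.100.7, sa_proto= 50,
sa_spi= 0xB8F9956(193960278),
Jul 11 10:35:05.915: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.0.2.1, sa_proto= 50,
sa_spi= 0xCA2AEB86(3391810438),
"""

EVENT = re.compile(r"^(\w{3} +\d+ [\d:.]+): IPSEC\((\w+)\): (.*)")
SPI = re.compile(r"sa_spi= (0x[0-9A-Fa-f]+)")
IDLE = re.compile(r"starting idle timer, (\d+) seconds")

def parse_ts(stamp, year=2000):
    # Debug stamps carry no year; a fixed one is assumed for the arithmetic.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")

def overdue_sas(log, as_of=None):
    """Map SPI -> seconds past the idle deadline for SAs created but never deleted."""
    live, idle, last, pending = {}, None, None, None
    for line in log.splitlines():
        ev = EVENT.match(line.strip())
        if ev:
            last, func, text = parse_ts(ev.group(1)), ev.group(2), ev.group(3)
            timer = IDLE.search(text)
            if timer:
                idle = int(timer.group(1))
            # Only these two events are followed by an "(sa) ... sa_spi=" block.
            pending = func if func in ("create_sa", "delete_sa") and not timer else None
            continue
        spi = SPI.search(line)
        if spi and pending == "create_sa" and idle is not None:
            live[spi.group(1)] = (last, idle)
        elif spi and pending == "delete_sa":
            live.pop(spi.group(1), None)
    end = parse_ts(as_of) if as_of else last
    late = {s: (end - t0).total_seconds() - n for s, (t0, n) in live.items()}
    return {s: d for s, d in late.items() if d > 0}
```

The result only reflects what the capture contains: an SA listed here has a create event, no matching delete event, and an elapsed time longer than the logged idle timer value.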