Internet Protocol Security
These are some methods for resolving basic IPSec-related problems.
If negotiations are failing, it might be due to incompatible IPSec policy settings. Follow these steps to correct the problem:
This error might occur if a key lifetime value is set too low, or if the SA has expired but the sender continues to transmit data to the receiver. It is a benign error and needs attention only if a large number of these messages are being logged. To determine and correct the problem:
If the number of re-keys is very large compared to the amount of time the connections have been active, set the key lifetimes in the policy to be longer. Good values for high-traffic Ethernet connections are greater than 50 MB and greater than five minutes.
This might not entirely eliminate bad SPIs, but it should significantly reduce their occurrence.