After 30 minutes of inactivity on a tunnel with multiple SPIs, traffic stops passing. Other SPIs stay active due to traffic flowing. MT does not remove the failed SPIs and I’m forced to remove them manually. Is there a way to do it automatically? Here is my error message:
fatal INVALID-SPI notify message, phase1 should be deleted. notification message 11: INVALID-SPI, doi=1 proto_id=3 spi=96957d04(size=4)
I’m running 5.1 with ISAKMP set at aes-256/sha1/group 2/preshared with static IPs.
Where was the idle timeout set? I cannot see any option to set it on the MikroTik. If the Cisco end cannot enable an idle timeout (they suggest that it is a global setting and would affect all of the VPNs on their ASA), is there any workaround on the MT side (running RouterOS 6.27)?
Did you verify that the ISAKMP timers and IPsec timers on the Cisco and MK routers are the same? Did you disable the lifetimes in bytes on both devices?
On MK:
ISAKMP values are changed in the “peer” section
IPSEC values are changed in the “profile” section
On Cisco:
ISAKMP values are changed directly inside the isakmp policy
IPSEC values are changed inside the transform-set parameters.
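As an added example (not posted by anyone in this thread), here is what the two sides look like when the phase 1 and phase 2 timers are lined up and the byte-based lifetimes are switched off. It uses RouterOS 6.x and Cisco ASA command syntax as I know it; the addresses, subnets, proposal name, policy number, crypto map name and ACL name are placeholders and the shared secret must be replaced. On the RouterOS side the phase 1 values sit on the peer object and the phase 2 values on the proposal object in 6.x.

```text
# --- MikroTik RouterOS 6.x side (placeholder addresses; "cisco-asa" is a made-up proposal name) ---
# Phase 1 (ISAKMP): lifetime=1d matches the ASA "lifetime 86400".
# DPD makes RouterOS drop the peer and its child SAs when the far side stops answering,
# instead of leaving a dead SPI installed.
/ip ipsec peer add address=203.0.113.1/32 exchange-mode=main auth-method=pre-shared-key \
    secret="REPLACE-WITH-SHARED-SECRET" enc-algorithm=aes-256 hash-algorithm=sha1 \
    dh-group=modp1024 lifetime=1d dpd-interval=10s dpd-maximum-failures=3
# Phase 2 (IPsec): lifetime=1h matches the ASA 3600 s; lifebytes=0 disables the byte-based
# lifetime so both ends rekey on the same trigger (time) rather than one end expiring early.
/ip ipsec proposal add name=cisco-asa auth-algorithms=sha1 enc-algorithms=aes-256-cbc \
    pfs-group=modp1024 lifetime=1h lifebytes=0
/ip ipsec policy add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 action=encrypt proposal=cisco-asa

! --- Cisco ASA side (same placeholder addresses; policy 10, outside_map and MT-VPN are made up) ---
! Phase 1: 86400 s = RouterOS lifetime=1d, same AES-256 / SHA1 / group 2 / pre-shared key
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Dead peer detection so the ASA also tears down a silent peer's SAs
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
 isakmp keepalive threshold 10 retry 3
! Phase 2: 3600 s = RouterOS lifetime=1h; "kilobytes unlimited" disables the byte-based lifetime
access-list MT-VPN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes unlimited
crypto map outside_map 10 match address MT-VPN
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
```

To confirm the two ends agree after a rekey, compare the remaining lifetimes that `/ip ipsec installed-sa print` shows on RouterOS with the "remaining key lifetime" lines in `show crypto ipsec sa` on the ASA; a large mismatch between the two is the usual cause of one side sending INVALID-SPI for an SA the other side still has installed.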