501 site-to-site vpn tunnel timeout

Mar 21st, 2007

Does anyone know what the maximum timeout a site-to-site VPN tunnel can have? 24 hours? I have tried to find some documentation as well, but with no luck; if you have a link to this info, could you post that as well? Thanks for all your help...

ggilbert Wed, 03/21/2007 - 07:58

Can you please let me know what kind of a device you are asking about?

On a Concentrator and ASA you can do that.

It's normally set to "zero", which means "None".

For site-to-site tunnels, it will be the lifetime of Phase 1 and Phase 2 that comes into play for negotiation.

Rate this post, if it helps.

Thanks

Gilbert

ggilbert Wed, 03/21/2007 - 08:10

On a PIX 501, you can set the ipsec lifetime but not the Max-connect time for a tunnel.

Here is the command to set the security association lifetime.

crypto ipsec security-association lifetime seconds

Rate this post, if it helps.

Cheers

Gilbert

b_ferguson Wed, 03/21/2007 - 08:13

I am aware of how to set the lifetime, I am just trying to find out what the maximum lifetime the tunnel will stay connected if no traffic is on the tunnel.

Thanks for your responses...

ggilbert Wed, 03/21/2007 - 08:30

Hi,

If there is no interesting traffic passing through when the time comes for re-negotiation due to lifetime expiry, then the SA will not be negotiated, since the interesting traffic will not pass through.

So, to answer your original question, on a PIX 501, there is no "Max-connect time" setting for a site-to-site tunnel.

Thanks

Gilbert

b_ferguson Wed, 03/21/2007 - 08:35

So what about the re-negotiation lifetime? Does it have a maximum limit that you can set for the lifetime of the tunnel? I have been told that the limit is 24 hours.

ggilbert Wed, 03/21/2007 - 08:52

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027585

Default isakmp lifetime is 86400 - Phase 1

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972

Default ipsec lifetime is 28800 - Phase 2

Phase 1 - 86400 is the Maximum. You can specify 0 seconds for infinite lifetime. (Which might be a security problem - possible Man in the Middle attack scenario)

Phase 2 - I would leave it to the default to set it to something less than or equal to phase 1.

Hope this helps.

Thanks

Gilbert
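As an added illustration (not from the thread or from Cisco), a small Python check that reads a PIX 6.3-style configuration fragment and flags the two conditions Gilbert warns about: an isakmp lifetime of 0 (the Phase 1 SA never rekeys) and a Phase 2 lifetime longer than Phase 1. The configuration lines are constructed, and the `isakmp policy <priority> lifetime <seconds>` syntax is assumed from PIX 6.3.

```python
import re

# Constructed PIX 6.3-style fragment (not from the thread) that exercises
# both lifetime commands discussed above.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 lifetime 0
isakmp policy 20 authentication pre-share
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
crypto ipsec security-association lifetime seconds 172800
"""

DEFAULT_ISAKMP = 86400   # Phase 1 default quoted in the thread
DEFAULT_IPSEC = 28800    # Phase 2 default quoted in the thread

POLICY_RE = re.compile(r"^isakmp policy (\d+)(?: lifetime (\d+))?")
IPSEC_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)")

def parse_lifetimes(config):
    """Return ({policy_priority: phase1_seconds}, phase2_seconds).

    A policy with no explicit lifetime line keeps the 86400 default."""
    isakmp, ipsec = {}, DEFAULT_IPSEC
    for line in config.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            prio = int(m.group(1))
            if m.group(2) is not None:
                isakmp[prio] = int(m.group(2))
            else:
                isakmp.setdefault(prio, DEFAULT_ISAKMP)
            continue
        m = IPSEC_RE.match(line)
        if m:
            ipsec = int(m.group(1))
    return isakmp, ipsec

def audit_lifetimes(config):
    """Flag a never-expiring Phase 1 SA and a Phase 2 lifetime longer than Phase 1."""
    isakmp, ipsec = parse_lifetimes(config)
    findings = []
    for prio, secs in sorted(isakmp.items()):
        if secs == 0:
            findings.append(f"isakmp policy {prio}: lifetime 0, Phase 1 SA never rekeys")
    finite = [s for s in isakmp.values() if s > 0] or [DEFAULT_ISAKMP]
    if ipsec > min(finite):
        findings.append(f"ipsec lifetime {ipsec}s exceeds Phase 1 lifetime {min(finite)}s")
    return findings

if __name__ == "__main__":
    for finding in audit_lifetimes(SAMPLE_CONFIG):
        print(finding)
```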
