03-21-2007 07:29 AM - edited 02-21-2020 02:56 PM
Does anyone know what the maximum timeout a site-to-site vpn tunnel can have? 24 hours? I have tried to find some documentation as well but with no luck, if you have a link to this info, could you post that as well. Thanks for all your help...
03-21-2007 07:58 AM
Can you please let me know what kind of a device you are asking about?
On a Concentrator and ASA you can do that.
It's normally set to "zero" which means "None" -
For site to site tunnels, it will be lifetime of Phase 1 and Phase 2 that will come into play for negotiation.
Rate this post, if it helps.
Thanks
Gilbert
03-21-2007 08:03 AM
2 pix 501s
03-21-2007 08:10 AM
On a PIX 501, you can set the ipsec lifetime but not the Max-connect time for a tunnel.
Here is the command to set the security association lifetime.
crypto ipsec security-association lifetime seconds
Rate this post, if it helps.
Cheers
Gilbert
03-21-2007 08:13 AM
I am aware of how to set the lifetime, I am just trying to find out what the maximum lifetime the tunnel will stay connected if no traffic is on the tunnel.
Thanks for your responses...
03-21-2007 08:30 AM
Hi,
If there is no interesting traffic passing through and when the time comes for re-negotiation due to lifetime expiry, then the SA will not be negotiated since the interesting traffic will not pass through.
So, to answer your original question, on a PIX 501, there is no "Max-connect time" setting for a site to site tunnel.
Thanks
Gilbert
03-21-2007 08:35 AM
So what about the re-negotiation lifetime? Does it have a maximum limit that you can set the lifetime of the tunnel to? I have been told that the limit is 24 hours.
03-21-2007 08:52 AM
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027585
Default isakmp lifetime is 86400 - Phase 1
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972
Default ipsec lifetime is 28800 - Phase 2
Phase 1 - 86400 is the Maximum. You can specify 0 seconds for infinite lifetime. (Which might be a security problem - possible Man in the Middle attack scenario)
Phase 2 - I would leave it at the default, or set it to something less than or equal to phase 1.
Hope this helps.
Thanks
Gilbert
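As an added example (not part of this thread and not a Cisco tool), a small Python audit script that pulls the phase 1 and phase 2 lifetimes out of a PIX 6.3-style configuration and flags the cases Gilbert describes: an infinite (0) isakmp lifetime, a value above 86400, or an ipsec lifetime larger than the phase 1 lifetime. The config fragment is constructed, and the defaults it assumes when a line is absent are the ones quoted above (86400 for isakmp, 28800 for ipsec).

```python
import re

# Constructed PIX 6.3-style configuration fragment (not from the thread).
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 0
crypto ipsec security-association lifetime seconds 86400
"""

PHASE1_MAX = 86400      # maximum isakmp (phase 1) lifetime, per the thread
PHASE1_DEFAULT = 86400  # default isakmp lifetime when no line is present
PHASE2_DEFAULT = 28800  # default ipsec lifetime when no line is present

ISAKMP_RE = re.compile(r"^isakmp policy (\d+) lifetime (\d+)\s*$", re.M)
IPSEC_RE = re.compile(
    r"^crypto ipsec security-association lifetime seconds (\d+)\s*$", re.M)


def parse_lifetimes(config):
    """Return ({policy_priority: phase1_seconds}, phase2_seconds)."""
    phase1 = {int(p): int(s) for p, s in ISAKMP_RE.findall(config)}
    m = IPSEC_RE.search(config)
    phase2 = int(m.group(1)) if m else PHASE2_DEFAULT
    return phase1, phase2


def audit_lifetimes(config):
    """Return a list of findings following the advice in the thread."""
    phase1, phase2 = parse_lifetimes(config)
    if not phase1:
        phase1 = {None: PHASE1_DEFAULT}  # no explicit policy lifetime: default applies
    findings = []
    for prio, p1 in phase1.items():
        label = f"isakmp policy {prio}" if prio is not None else "isakmp default"
        if p1 == 0:
            findings.append(f"{label}: lifetime 0 means an infinite phase 1 SA; rekey is never forced")
        elif p1 > PHASE1_MAX:
            findings.append(f"{label}: lifetime {p1} exceeds maximum {PHASE1_MAX}")
        elif phase2 > p1:
            findings.append(f"{label}: ipsec lifetime {phase2} exceeds phase 1 lifetime {p1}")
    return findings


if __name__ == "__main__":
    for finding in audit_lifetimes(SAMPLE_CONFIG):
        print(finding)
```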
03-21-2007 08:54 AM
Thanks, Gilbert, that is what I was looking for!