501 site-to-site vpn tunnel timeout

b_ferguson
Level 1

Does anyone know what the maximum timeout a site-to-site vpn tunnel can have? 24 hours? I have tried to find some documentation as well but with no luck, if you have a link to this info, could you post that as well. Thanks for all your help...

8 Replies

ggilbert
Cisco Employee

Can you please let me know what kind of a device you are asking about?

On a Concentrator and ASA you can do that.

It's normally set to "zero", which means "None".

For site-to-site tunnels, it will be the lifetime of Phase 1 and Phase 2 that comes into play for negotiation.

Rate this post, if it helps.

Thanks

Gilbert

2 pix 501s

On a PIX 501, you can set the ipsec lifetime but not the Max-connect time for a tunnel.

Here is the command to set the security association lifetime.

crypto ipsec security-association lifetime seconds

Rate this post, if it helps.

Cheers

Gilbert

I am aware of how to set the lifetime, I am just trying to find out what the maximum lifetime the tunnel will stay connected if no traffic is on the tunnel.

Thanks for your responses...

Hi,

If there is no interesting traffic passing through when the time comes for re-negotiation due to lifetime expiry, then the SA will not be negotiated, since the interesting traffic will not pass through.

So, to answer your original question, on a PIX 501, there is no "Max-connect time" setting for a site to site tunnel.

Thanks

Gilbert

So what about the re-negotiation lifetime? Does it have a maximum limit that you can set for the lifetime of the tunnel? I have been told that the limit is 24 hours.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027585

Default isakmp lifetime is 86400 - Phase 1

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972

Default ipsec lifetime is 28800 - Phase 2

Phase 1 - 86400 is the Maximum. You can specify 0 seconds for infinite lifetime. (Which might be a security problem - possible Man in the Middle attack scenario)

Phase 2 - I would leave it to the default to set it to something less than or equal to phase 1.

Hope this helps.

Thanks

Gilbert
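
The checks Gilbert lists (Phase 1 lifetime capped at 86400, 0 meaning infinite and therefore a key-rotation risk, Phase 2 kept at or below Phase 1) can be turned into a small configuration audit. The script below is an added example, not part of this thread or any Cisco tool; it assumes the PIX 6.3 command syntax quoted above ("isakmp policy N lifetime X" and "crypto ipsec security-association lifetime seconds Y"), the defaults from the linked command references, and a constructed sample configuration. The policy numbers and values in SAMPLE_CONFIG are made up for the demonstration.

```python
import re

# Constructed PIX 6.3-style fragment (not from the thread): policy 10 uses the
# default Phase 1 lifetime, policy 20 is set to infinite, policy 30 is shorter
# than the Phase 2 lifetime. Policy 40 has no lifetime line at all.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 lifetime 86400
isakmp policy 20 lifetime 0
isakmp policy 30 lifetime 3600
isakmp policy 40 hash md5
crypto ipsec security-association lifetime seconds 28800
"""

# Defaults and cap as stated in the thread (PIX 6.3 command reference).
PHASE1_DEFAULT = 86400   # isakmp policy lifetime, seconds
PHASE2_DEFAULT = 28800   # ipsec SA lifetime, seconds
PHASE1_MAX = 86400

POLICY_RE = re.compile(r"^isakmp policy (\d+)\b")
ISAKMP_LIFETIME_RE = re.compile(r"^isakmp policy (\d+) lifetime (\d+)\s*$")
IPSEC_LIFETIME_RE = re.compile(
    r"^crypto ipsec security-association lifetime seconds (\d+)\s*$")


def parse_lifetimes(config):
    """Return ({policy_number: phase1_seconds}, phase2_seconds).

    Every isakmp policy seen gets the default lifetime unless an explicit
    lifetime line overrides it; the global ipsec SA lifetime defaults too.
    """
    phase1 = {}
    phase2 = PHASE2_DEFAULT
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            phase1.setdefault(int(m.group(1)), PHASE1_DEFAULT)
        m = ISAKMP_LIFETIME_RE.match(line)
        if m:
            phase1[int(m.group(1))] = int(m.group(2))
            continue
        m = IPSEC_LIFETIME_RE.match(line)
        if m:
            phase2 = int(m.group(1))
    return phase1, phase2


def audit_lifetimes(config):
    """Return a list of (severity, message) findings, ordered by policy number."""
    phase1, phase2 = parse_lifetimes(config)
    findings = []
    if phase2 == 0:
        findings.append(("high", "ipsec SA lifetime is 0 (infinite); "
                                 "Phase 2 keys never rotate"))
    for num, lifetime in sorted(phase1.items()):
        if lifetime == 0:
            # The thread notes 0 = infinite and flags it as a MITM concern.
            findings.append(("high", f"isakmp policy {num}: lifetime 0 "
                                     "(infinite); Phase 1 keys never rotate"))
        elif lifetime > PHASE1_MAX:
            findings.append(("medium", f"isakmp policy {num}: lifetime "
                                       f"{lifetime} exceeds maximum {PHASE1_MAX}"))
        elif phase2 > lifetime:
            findings.append(("low", f"isakmp policy {num}: Phase 2 lifetime "
                                    f"{phase2} is longer than Phase 1 lifetime "
                                    f"{lifetime}; keep Phase 2 <= Phase 1"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_lifetimes(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample, it reports policy 20 (infinite Phase 1 lifetime) as high and policy 30 (Phase 2 outliving Phase 1) as low, while policies 10 and 40 pass because both sit at the 86400-second default with Phase 2 at 28800. Feeding it a real "show running-config" capture works the same way, since it only looks at the two lifetime commands and ignores everything else.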

Thanks, Gilbert, that is what I was looking for!
