Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4577
Views
0
Helpful
2
Replies

IPSEC SA Lifetime

mikedelafield
Level 1
Level 1

‎11-20-2007 03:34 AM - edited ‎02-21-2020 03:23 PM

If one end of an IPSEC vpn has a lifetime set to 28800 secs and the other end 3600 secs, what effect will this have on the connection? And why?

The Vpn establishes and runs okay but periodically drops out. I presume this SA Lifetime mis-match is the cause, but was just curious as to why? As my understanding was that even though the lifetimes are different they agree on the lower value anyway?

Any thoughts?

Labels:
0 Helpful
2 Replies 2

ajagadee
Cisco Employee
Cisco Employee

‎11-20-2007 06:53 AM

Your understanding of the IPSEC SA Lifetime is correct. If you have 3600 and 28800 has the IPSEC Lifetime between two peers, the smaller value will be considered for the SA and in your case 3600. And a new SA is negotiated 30 seconds before the lifetime (3600) expires. This should keep your traffic flowing across the tunnel without any issues.

I hope it helps.

Regards,

Arul

0 Helpful

mohammed.ayubi
Level 1
Level 1

‎11-28-2007 08:05 AM

is the SA life time same for both phase 1 and phase 2

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents