ASA5510<-->2811 router L2L VPN: Session reset every 24Hrs

mvsheik123
Level 7

Hi All,

The L2L session carrying prod traffic between ASA5510<-->2811 router resets every 24 hrs. I believe this is due to the default isakmp lifetime (86400 sec). The ASA has an option to change the lifetime for isakmp...

************************************

5510-V1(config-isakmp-policy)# lifetime ?

crypto-isakmp-policy mode commands/options:

<120-2147483647> Lifetime in seconds

none Disable rekey and allow an unlimited rekey period

************************

But the router (2811 - c2800nm-advipservicesk9-mz.124-8b.bin) does not have the option...

2811-FW1(config-isakmp)#lifetime ?

<60-86400> lifetime in seconds

Is there any way we can keep the tunnel up without losing it? If I change it on the ASA for this particular 'isakmp policy', does it take effect on the other peers (ex: 2811) which are using this policy to connect, or does the lower interval always take over?

Thank you in advance.

MS


mike_guy29
Level 1

Hi,

I am unsure if there is the command for the 2811. I have not worked with that specific model. Hopefully someone else can answer that. However, with regard to the timers etc., I would have thought leaving them as is would be OK and a good idea. This means it will refresh the phase 1 tunnel (isakmp sa) every 24 hrs. As long as interesting traffic is still being sent, then the VPN should just renegotiate.

Hope that helps

Thanks

Thank you. I am wondering if any of the latest IOS versions have that option on the 2811. Let's see if any other 'guru' replies. Also, what is the time for isakmp to re-establish/rekey?

Thank you

MS

Hi,

By default, ISAKMP is renegotiated every 24 hrs.

Hope that helps

Thanks
