04-03-2009 08:47 AM
Hi All,
The L2L session carrying prod traffic between the ASA5510<-->2811 router resets every 24hrs. I believe this is due to the default isakmp lifetime (86400 sec). The ASA has an option to change the lifetime for isakmp...
************************************
5510-V1(config-isakmp-policy)# lifetime ?
crypto-isakmp-policy mode commands/options:
<120-2147483647> Lifetime in seconds
none Disable rekey and allow an unlimited rekey period
************************
But the router (2811 - c2800nm-advipservicesk9-mz.124-8b.bin) does not have the option.
2811-FW1(config-isakmp)#lifetime ?
<60-86400> lifetime in seconds
Is there any way we can keep the tunnel up without losing it? If I change it on the ASA for this particular 'isakmp policy', does it take effect on the other peers (ex: 2811) which are using this policy to connect, or does the lower interval always take over?
Thank you in advance.
MS
04-03-2009 09:27 AM
Hi,
I am unsure if there is the command for the 2811. I have not worked with that specific model. Hopefully someone else can answer that. However, with regard to the timers etc., I would have thought leaving them as is would be OK and a good idea. This means it will refresh the phase 1 tunnel (isakmp sa) every 24hrs. As long as interesting traffic is still being sent, the VPN should just renegotiate.
Hope that helps
Thanks
04-03-2009 09:57 AM
Thank you. I am wondering if any of the latest IOS versions have that option on the 2811. Let's see if any other 'guru' replies. Also, what is the time for isakmp to reestablish/rekey?
Thank you
MS
04-06-2009 07:15 AM
Hi,
By default, ISAKMP is renegotiated every 24hrs.
Hope that helps
Thanks