ISAKMP lifetime negotiation

Unanswered Question
Apr 5th, 2009

Hi All,

If L2L peers (e.g. ASA & PIX) have different ISAKMP lifetimes configured (ASA: 172800 & PIX: 86400), will the peer with the lowest ISAKMP lifetime take over and negotiate the tunnel after the lifetime expires, OR will the tunnel not come up at all due to the different lifetimes..?

TIA

MS

JamesLuther Mon, 04/06/2009 - 00:49

Hi,

If you have a time difference in your lifetimes then one end will expire and delete the SA before the other end and potentially the VPN will break.

However, there are a couple of features which safeguard against this. One is the IKE delete message. When one end deletes an SA it sends an IKE delete message to the other end referencing the SPI. Both ends will then delete the SA and re-negotiate at the same time.

Another feature is DPD, which attempts to detect when the other peer is down. If it detects the other side is down then it will delete its SA and re-negotiate.

These features depend on what code level you're running and what type of firewall you have at both ends. For recent Cisco code levels you should find these features turned on by default.

Regards

mvsheik123 Mon, 04/06/2009 - 05:36

Thanks James.

"If you have a time difference in your lifetimes then one end will expire and delete the SA before the other end and potentially the VPN will break"

So when the VPN breaks, will it try to re-establish immediately (due to interesting traffic) or will it wait for the other peer to complete its lifetime as well? (in which case the VPN is down for a longer time)

TIA

MS

JamesLuther Mon, 04/06/2009 - 23:52

Hi,

If you don't have IKE delete or DPD functionality then the VPN will stay down until the other end expires their key (or an administrator manually deletes the key).

This used to be a common scenario 5+ years ago; however, all the vendors now implement IKE delete and/or DPD.

Therefore, to avoid issues use the latest code levels, and it's best practice to match up the lifetimes too.

Regards
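The outage window that the two replies above describe, worked through as an added example (this is not part of the original thread and is not Cisco code): a small Python model of the two peers from the question, ASA at 172800 s and PIX at 86400 s, run with neither safeguard, with the IKE delete notify, with DPD on the surviving peer, and finally with matched lifetimes. It assumes zero message latency, a constructed 2-second renegotiation time and constructed DPD parameters (10 s idle threshold, 2 s retry interval, 3 retries); the peer behaviour is the simplified one stated in the replies, not a full IKEv1 state machine.

```python
"""Model of how an ISAKMP (IKE phase 1) lifetime mismatch plays out between two
L2L peers, following the behaviour described in the replies above.

Added example, not from the post or from Cisco; it assumes zero message latency,
a constructed 2-second renegotiation time and constructed DPD parameters.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Peer:
    name: str
    lifetime: int                      # configured ISAKMP SA lifetime in seconds
    sends_delete: bool = False         # sends an IKE delete notify when it tears down its SA
    dpd: Optional[Tuple[int, int, int]] = None  # (idle threshold, retry interval, retries), or None


def simulate(a: Peer, b: Peer, horizon: int, setup_time: int = 2) -> List[Tuple[int, int, str]]:
    """Return (down_from, up_again, cause) outage windows within `horizon` seconds.

    The tunnel counts as up only while both peers hold the current SA. Per the replies:
    - with an IKE delete notify both ends drop the SA and renegotiate together;
    - with DPD on the surviving peer, it notices the dead peer after one probe cycle;
    - with neither, the tunnel stays down until the surviving peer's own lifetime expires.
    """
    outages = []
    up_at = 0  # time the current pair of SAs was established
    while True:
        first, other = sorted((a, b), key=lambda p: p.lifetime)  # shorter lifetime expires first
        t_expire = up_at + first.lifetime
        if t_expire > horizon:
            break
        if first.sends_delete:
            t_recover = t_expire + setup_time
            cause = f"{first.name} sent IKE delete; both renegotiated"
        elif other.dpd:
            threshold, interval, retries = other.dpd
            t_recover = t_expire + threshold + interval * retries + setup_time
            cause = f"{other.name} DPD declared {first.name} dead"
        else:
            t_recover = up_at + other.lifetime + setup_time
            cause = f"{other.name} kept the stale SA until its own lifetime expired"
        outages.append((t_expire, t_recover, cause))
        up_at = t_recover
    return outages


def total_outage(outages: List[Tuple[int, int, str]]) -> int:
    """Seconds the tunnel spent down across all outage windows."""
    return sum(end - start for start, end, _ in outages)


if __name__ == "__main__":
    horizon = 4 * 86400  # four days
    scenarios = {
        "mismatched, no delete, no DPD": (Peer("ASA", 172800), Peer("PIX", 86400)),
        "mismatched, PIX sends IKE delete": (Peer("ASA", 172800), Peer("PIX", 86400, sends_delete=True)),
        "mismatched, DPD on ASA (10s threshold, 2s retry x3)": (Peer("ASA", 172800, dpd=(10, 2, 3)), Peer("PIX", 86400)),
        "matched lifetimes, no features": (Peer("ASA", 86400), Peer("PIX", 86400)),
    }
    for label, (asa, pix) in scenarios.items():
        outages = simulate(asa, pix, horizon)
        print(f"{label}: down {total_outage(outages)} s of {horizon} s")
        for start, end, cause in outages:
            print(f"   {start:>7}-{end:>7}: {cause}")
```

With the question's numbers and no safeguards, the PIX drops its SA at 86400 s and the ASA holds the stale one until 172800 s, so the tunnel is down roughly half the time; the IKE delete notify collapses each outage to the renegotiation time, DPD to one probe cycle, and matched lifetimes get the same result without relying on either feature.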
