ASA - Disable Phase 2 traffic volume rekey

Dec 21st, 2009

I'm troubleshooting some issues with a typical L2L VPN using IKE Main Mode w/pre-shared key auth.  I'm using an ASA 5550 w 7.2(3) code.

I'm trying to find a way to disable the phase 2 security association lifetime kilobytes (traffic volume) rekey value.  I know that the ASA will not use this value if it is acting as the responder and the initiating device does not include the 'Life Type: Kilobytes' in the Security Association payload, but I'm trying to find a way to disable this if the ASA is the initiator of the tunnel.

Anyone have any ideas?

As far as I know, this cannot be disabled.

busterswt Mon, 12/21/2009 - 19:38

Hey Patrick,

I don't think you can completely disable it, but you can sure set it really high on a per-tunnel basis:

cisco(config)# crypto map rackmap 200 set security-association lifetime kilobytes ?

configure mode commands/options:

  <10-2147483647>  Security association duration in kilobytes (max 2,048 Gigabytes)

Keep it real bro!
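An added example, not part of the original thread and not Cisco's own tooling: a small Python audit that walks an ASA running-config fragment, reports the per-crypto-map kilobyte lifetime for each `crypto map NAME SEQ` entry, and emits the command from the reply above for pinning a given entry to the CLI maximum. The config text is constructed for illustration; the accepted range `10-2147483647` is taken from the help output quoted in the reply, and the crypto-map names, sequence numbers, peers and ACL names are made up.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample ASA running-config fragment (illustrative, not from the original post).
SAMPLE_CONFIG = """\
crypto map rackmap 100 match address vpn-acl-100
crypto map rackmap 100 set peer 203.0.113.10
crypto map rackmap 100 set transform-set ESP-AES-SHA
crypto map rackmap 100 set security-association lifetime kilobytes 4608000
crypto map rackmap 200 match address vpn-acl-200
crypto map rackmap 200 set peer 198.51.100.20
crypto map rackmap 200 set security-association lifetime kilobytes 2147483647
crypto map rackmap 300 match address vpn-acl-300
crypto map rackmap 300 set peer 192.0.2.30
"""

# Range the ASA CLI accepts for the per-crypto-map kilobyte lifetime (from the help output in the reply).
KB_MIN, KB_MAX = 10, 2147483647

_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ")
_KB_RE = re.compile(
    r"^crypto map (\S+) (\d+) set security-association lifetime kilobytes (\d+)\s*$"
)

# Each entry maps to (status, value):
#   "max"      - volume rekey pinned to the CLI maximum (the reply's workaround)
#   "explicit" - an explicit kilobyte lifetime below the maximum is set per tunnel
#   "unset"    - no per-tunnel value; the entry falls back to whatever the box uses globally
Status = Tuple[str, Optional[int]]


def kb_value_in_range(value: int) -> bool:
    """True when the value is one the ASA CLI would accept for this setting."""
    return KB_MIN <= value <= KB_MAX


def audit_kb_lifetimes(config: str) -> Dict[Tuple[str, int], Status]:
    """Return the kilobyte-lifetime status of every crypto map entry in the config."""
    result: Dict[Tuple[str, int], Status] = {}
    for line in config.splitlines():
        line = line.rstrip()
        entry = _ENTRY_RE.match(line)
        if not entry:
            continue  # not a crypto map line
        key = (entry.group(1), int(entry.group(2)))
        result.setdefault(key, ("unset", None))
        kb = _KB_RE.match(line)
        if kb:
            value = int(kb.group(3))
            if not kb_value_in_range(value):
                raise ValueError(f"{key}: kilobytes {value} outside {KB_MIN}-{KB_MAX}")
            result[key] = ("max", value) if value == KB_MAX else ("explicit", value)
    return result


def raise_to_max_command(map_name: str, seq: int) -> str:
    """The per-tunnel command from the reply, with the largest value the CLI accepts."""
    return f"crypto map {map_name} {seq} set security-association lifetime kilobytes {KB_MAX}"


if __name__ == "__main__":
    for (name, seq), (status, value) in audit_kb_lifetimes(SAMPLE_CONFIG).items():
        print(f"{name} {seq}: {status} {value if value is not None else ''}".rstrip())
        if status != "max":
            print("  suggested:", raise_to_max_command(name, seq))
```

Run against a real `show running-config crypto map` capture, the audit flags which tunnels still rekey on a volume trigger well below the maximum and which inherit no per-tunnel value at all; it does not claim to turn the kilobyte lifetime off, since the thread's conclusion is that the ASA offers no way to do that.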

