Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IPSec peering Phase I Parameter

Unanswered Question
Feb 7th, 2014
User Badges:

Hi,

I have one S2S tunnel with the Phase I parameters below.

SA Lifetime: 8 Hrs

Traffic Volume: 45M

Can I change these parameters on our end to the below?

SA Lifetime: 24 Hrs

Volume: Not considered

Query: Whether this parameter is dependent on the remote side's peering, or whether I can change it on my side only.

What exactly will it cause / will it help us keep the tunnel up for 24 hrs?

Br/Subhojit

Jouni Forss Fri, 02/07/2014 - 05:38
User Badges:
  • Super Bronze, 10000 points or more

Hi,

It seems to me that you are talking about the Phase 2 parameters configured in the Crypto Map.

Generally I would say that it's best to configure these as matching values per connection if needed.

To my understanding the Cisco documentation says that the VPN devices negotiate and choose the smallest values when comparing between the 2 devices.

That would seem to suggest that even if you changed your values the negotiation would go through, but the remote end's values might be negotiated.

So I would suggest either changing these values with the remote end of the VPN, or changing the parameters for this connection alone on your side and checking what values are negotiated.

You can for example get good information on an ASA with the command

show vpn-sessiondb detail l2l

You can further narrow it down by using this command

show vpn-sessiondb detail l2l filter ipaddress

Though it seems that the second command, even though supported, doesn't seem to work on some software versions. Don't know why.

Here are a couple of links related to configuring the Phase 2 SA lifetimes.

Configuration Guide:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_ike.html#wp1042781

Command Reference:

http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478892

- Jouni

Marius Gunnerud Fri, 02/07/2014 - 05:55
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP, 2017 Firewalling

I agree with Jouni that the configuration should be the same at both ends of the tunnel.

But for the sake of argument, the SA lifetime parameter is not significant in the building of the VPN tunnel, so these values can be different at both ends and the tunnel will still come up. The lifetime value indicates when the device will send a re-key message to the peer.



--
Please remember to rate and select a correct answer

subhojithalder198 Fri, 02/07/2014 - 06:04
User Badges:

Hi All,

Please find the current capture:

2 IKE Peer: <>
    Type : L2L                     Role : initiator
    Rekey : no                     State : MM_ACTIVE
    Encrypt : 3des                 Hash : MD5
    Auth : preshared               Lifetime: 28800
    Lifetime Remaining: 5984

Please confirm whether after 5984 sec my VPN tunnel will be down / the IPsec tunnel will go down and up.

In case yes, what will be the error code in that case?

Br/Subhojit
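
The following is an added example for this thread (not code from the original posts or from Cisco). It parses a `show vpn-sessiondb detail l2l` IKE block like the capture above, works out when the next rekey is due from the "Lifetime Remaining" counter, and applies the rule Jouni quotes (peers settle on the shorter lifetime) to check whether the remote end's value won the negotiation. The capture text, the peer address 203.0.113.10, the capture timestamp and the 86400-second local policy are all constructed for the example.

```python
"""Parse a captured 'show vpn-sessiondb detail l2l' IKE block and reason
about SA lifetimes.  Added example for this thread; not Cisco code."""
import re
from datetime import datetime, timedelta

# Constructed capture, modelled on the IKE block posted in the thread.
# The peer address is a documentation-range placeholder.
CAPTURE = """\
2 IKE Peer: 203.0.113.10
    Type : L2L                     Role : initiator
    Rekey : no                     State : MM_ACTIVE
    Encrypt : 3des                 Hash : MD5
    Auth : preshared               Lifetime: 28800
    Lifetime Remaining: 5984
"""

# Matches "Name : value" pairs, two of which may sit on one line.
FIELD_RE = re.compile(r"([A-Za-z ]+?)\s*:\s*(\S+)")

# Algorithms that should be flagged when seen in a negotiated SA.
DEPRECATED_ALGORITHMS = {"des", "3des", "md5"}


def parse_ike_block(text):
    """Return {'Field': 'value'} for every pair found in one IKE peer block."""
    fields = {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            fields[key.strip()] = value
    return fields


def negotiated_lifetime(local, remote):
    """Rule quoted in the thread: with unequal lifetimes the peers use the
    shorter one.  None means 'no limit' (e.g. volume not considered), so a
    None value never wins; two Nones mean no limit at all."""
    candidates = [v for v in (local, remote) if v is not None]
    return min(candidates) if candidates else None


def rekey_report(fields, captured_at_iso, local_policy_seconds):
    """Summarise the IKE SA: when it rekeys, whether the negotiated lifetime
    is shorter than our own policy (i.e. the remote value won), and any
    deprecated algorithms in use."""
    lifetime = int(fields["Lifetime"])
    remaining = int(fields["Lifetime Remaining"])
    captured_at = datetime.fromisoformat(captured_at_iso)
    rekey_at = captured_at + timedelta(seconds=remaining)
    return {
        "peer": fields["IKE Peer"],
        "state": fields["State"],
        "lifetime_seconds": lifetime,
        "rekey_at": rekey_at.isoformat(),
        # Shorter than our policy => the remote end's value was chosen.
        "remote_value_won": lifetime < local_policy_seconds,
        "deprecated_algorithms": sorted(
            a for a in (fields["Encrypt"], fields["Hash"])
            if a.lower() in DEPRECATED_ALGORITHMS
        ),
    }


if __name__ == "__main__":
    parsed = parse_ike_block(CAPTURE)
    # Constructed: capture taken at the time of the post, local policy 24 h.
    report = rekey_report(parsed, "2014-02-07T06:04:00", 86400)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("effective lifetime (24 h local vs 8 h remote):",
          negotiated_lifetime(86400, 28800))
```

Run it as-is to see the report for the constructed capture; in practice the capture would be the output pasted from the ASA and the timestamp the time it was taken. The "Lifetime Remaining" counter only says when the rekey will happen; as Marius notes, the rekey itself is not a downtime event.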

Marius Gunnerud Fri, 02/07/2014 - 06:07
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP, 2017 Firewalling

The re-key will not cause any downtime. You will, however, experience downtime if you change the lifetime, since the ASA will need to rebuild the tunnel using the new parameters.



--
Please remember to rate and select a correct answer
