02-07-2014 04:03 AM - edited 03-11-2019 08:41 PM
Hi ,
I have one S2S tunnel where Phase I has the parameters below.
SA Lifetime: 8 Hrs
Traffic Volume: 45M
Can I change these parameters at our end to the below?
SA Lifetime: 24 Hrs
Volume: Not considered
Query: Is this parameter dependent on the remote side peer, or can I change it on my side only?
What exactly will it cause? Will it help us to keep the tunnel up for 24 hrs?
Br/Subhojit
02-07-2014 05:38 AM
Hi,
It seems to me that you are talking about the Phase 2 parameters configured in the Crypto Map.
Generally I would say that it's best to configure these as matching values per connection if needed.
To my understanding the Cisco documentation says that the VPN devices negotiate and choose the smallest values when comparing between the 2 devices.
That would seem to suggest that even if you changed your values the negotiation would go through but the remote ends values might be negotiated.
So I would suggest either changing these values with the remote end of the VPN or changing the parameters for this connection alone on your side and checking what values are negotiated.
You can for example get good information on an ASA with the command:
show vpn-sessiondb detail l2l
You can further narrow it down by using this command:
show vpn-sessiondb detail l2l filter ipaddress
Though it seems that the second command, even though supported, doesn't seem to work on some software. Don't know why.
Here are a couple of links related to configuring the Phase 2 SA lifetimes.
Configuration Guide:
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_ike.html#wp1042781
Command Reference:
http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478892
- Jouni
02-07-2014 05:55 AM
I agree with Jouni that the configuration should be the same at both ends of the tunnel.
But for the sake of argument, the SA lifetime parameter is not significant in the building of the VPN tunnel so these values can be different at both ends and the tunnel will still come up. The lifetime value indicates when the device will send a re-key message to the peer.
--
Please remember to rate and select a correct answer
02-07-2014 06:04 AM
Hi All,
Pls find the current capture:
2 IKE Peer: <Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 28800
Lifetime Remaining: 5984
Pls confirm whether after 5984 sec my VPN tunnel will be down / the IPsec tunnel will go down and come back up.
If yes, what will be the error code in that case?
Br/Subhojit
02-07-2014 06:07 AM
The re-key will not cause any downtime. You will, however, experience downtime if you change the lifetime since the ASA will need to rebuild the tunnel using the new parameters.
--
Please remember to rate and select a correct answer
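As an added illustration (not code from this thread, from Cisco, or from either poster), a small Python helper that parses an IKE peer block in the shape of the capture above and works through the two points made in the replies: that the peers settle on the smaller lifetime (Jouni's description, taken here as an assumption) and that expiry of "Lifetime Remaining" means a rekey rather than an outage. The sample output is constructed to match the posted capture; the capture timestamp is taken from the post time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the capture posted above (IKE peer section).
SAMPLE_OUTPUT = """\
2 IKE Peer: Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 28800
Lifetime Remaining: 5984
"""

# Longer key names first so "Lifetime Remaining" is not read as "Lifetime".
FIELD_RE = re.compile(
    r"(Lifetime Remaining|Lifetime|Rekey|State|Encrypt|Hash|Auth|Role)\s*:\s*(\S+)"
)

def parse_ike_peer(text):
    """Return the IKE fields of one peer block; numeric values become ints."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        fields[key] = int(value) if value.isdigit() else value
    return fields

def negotiated_lifetime(local_seconds, remote_seconds):
    """Assumption from Jouni's reply: the peers settle on the smaller value."""
    return min(local_seconds, remote_seconds)

def plan_lifetime_change(current, proposed, remote):
    """Work out what changing only the local lifetime buys (values in seconds)."""
    negotiated = negotiated_lifetime(proposed, remote)
    return {
        "negotiated": negotiated,
        # Per the last reply, a lifetime change makes the ASA rebuild the tunnel.
        "tunnel_rebuild": proposed != current,
        # The longer lifetime is only reached if the remote side proposes as much.
        "goal_met": negotiated >= proposed,
    }

def rekey_report(fields, captured_at_iso):
    """When Lifetime Remaining hits zero the SA is rekeyed; the tunnel stays up."""
    remaining = fields["Lifetime Remaining"]
    due = datetime.fromisoformat(captured_at_iso) + timedelta(seconds=remaining)
    return {
        "state": fields["State"],
        "elapsed_seconds": fields["Lifetime"] - remaining,
        "rekey_due_at": due.isoformat(),
        "rekey_in_progress": fields["Rekey"] == "yes",
    }
```

Running `plan_lifetime_change(8 * 3600, 24 * 3600, 8 * 3600)` shows the original question's case: changing only the local side to 24 h rebuilds the tunnel yet still negotiates 8 h.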