Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
276
Views
0
Helpful
4
Replies

IPSec peering Phase I Parameter

subhojithalder198
Level 1
Level 1

‎02-07-2014 04:03 AM - edited ‎03-11-2019 08:41 PM

Hi ,

I am having one S2S Tunnel where in Phase I below parameter.

SA Lifetime:8 Hrs

Treaffic Volume:       45M

           

Can I change this parameter in our end to below

SA Lifetime:24 Hrs

Volume: Not consider

Query: Whether this Parameter is Remote side peering dependent  / I can chage the same in my Side only

What exactly It will cause/ it it help us to keep the tunnel up for 24hrs

Br/Subhojit

Labels:
0 Helpful
4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

‎02-07-2014 05:38 AM

Hi,

It seems to me that you are talking about the Phase 2 parameters configured in the Crypto Map

Generally I would say that its best to configure these as matching values per connection if needed.

To my understanding the Cisco documentation says that the VPN devices negotiate and choose the smallest values when comparing between the 2 devices.

That would seem to suggest that even if you changed your values the negotiation would go through but the remote ends values might be negotiated.

So I would suggest either changing these values with the remote end of the VPN or changing the parameters for this connection alone on your side and checking what values are negotiated.

You can for example get good information on an ASA with the command

show vpn-sessiondb detail l2l

You can further narrow it down with by using this command

show vpn-sessiondb detail l2l filter ipaddress

Though it seems that the second command even though supported doesnt seem to work on some softwares. Don't know why.

Here are couple of links related to configuring the Phase 2 SA lifetimes

Configuration Guide:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_ike.html#wp1042781

Command Reference:

http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478892

- Jouni

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Jouni Forss

‎02-07-2014 05:55 AM

I agree with Jouni that the configuration should be the same at both ends of the tunnel.

But for the sake of argument, the SA lifetime parameter is not significant in the building of the VPN tunnel so these values can be different at both ends and the tunnel will still come up.  The lifetime value indicates when the device will send a re-key message to the peer.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

subhojithalder198
Level 1
Level 1
In response to Marius Gunnerud

‎02-07-2014 06:04 AM

Hi All,

Hi,

Pls find the curretn capture

2 IKE Peer: <>

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Encrypt : 3des Hash : MD5

Auth : preshared Lifetime: 28800

Lifetime Remaining: 5984

Pls confirm , whether after 5984Sec my vpn tunnel will be down / IPsec tunnel will be down & up

In case Yes, what will be the erro-code in that case

Br/Subhojit
0 Helpful

Marius Gunnerud
VIP
VIP
In response to subhojithalder198

‎02-07-2014 06:07 AM

The re-key will not cause any downtime.  You will, however, experience downtime if you change the lifetime since the ASA will need to rebuild the tunnel using the new parameters.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card