How low can the security-association lifetime be?

Oct 26th, 2005

I have been working on a lab deployment before going to production. I found that I had an issue with failover until I reduced the security-association lifetime to 120 seconds on the routers connecting to a PIX. I did not change anything on the PIX.

I was wondering if this is going to be an issue with 20 or so routers negotiating their SA every couple of minutes?

How low have you run the security-association lifetime setting in real life production networks?

Do you see any issues with this?

jackko Wed, 10/26/2005 - 19:16

Just a quick comment.

First, PIX failover should work with the default lifetime.

And second, 20 sites performing a re-key every 2 mins will create too much overhead, which I believe will have an impact on the VPN.

