problem with lifetime parameter on ipsec

May 3rd, 2006


When I run the show crypto session detail command I get the following message:

Interface: FastEthernet0/1

Session status: UP-ACTIVE

Peer: fvrf: (none) ivrf: (none)


Desc: (none)

IKE SA: local remote Active

Capabilities:D connid:84 lifetime:23:55:29

IPSEC FLOW: permit ip


Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 16 drop 0 life (KB/Sec) 4477653/3329

Outbound: #pkts enc'ed 16 drop 4 life (KB/Sec) 4477653/3329

That means I have a lifetime, as it appears in the example: 23:55:29, and after that time the IPsec goes down.

How can I disable this lifetime, so that the IPsec (crypto) always works?


spremkumar Wed, 05/03/2006 - 23:35


You can have either a volume-based or a time-based IKE SA. In general, the time-based lifetime is used.

The max limit is 86,400 seconds, which comes to 24 hrs and always works fine, and you can tweak the lifetime to different parameters as per your requirement.

You can make use of this CLI for tweaking the same -- isakmp policy 30 lifetime 10000 --


amenash123 Wed, 05/03/2006 - 23:40
But after 24 hrs the IPsec session between the two routers goes down.

And I want the session to always be up.


pciaccio Thu, 05/04/2006 - 05:02

The timer value is an absolute value. If you have interesting traffic flowing on the tunnel the tunnel will not go down even after the timer expires. The tunnel will rekey itself prior to the expiration of the timer and continue with a new hash key and the timer will go to its max value again.

This feature allows for the changing of keys periodically even if the tunnel still has traffic on it. You do not need to worry about the tunnel going down as long as you have traffic on it...
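
One way to check the rekey behaviour described in the reply above, as an added example that is not part of the original thread: compare two readings of show crypto session detail and see which remaining lifetimes jumped back up while the session stayed UP-ACTIVE. The second reading, its values, and the function names are constructed for illustration.

```python
import re

# Constructed samples: BEFORE mirrors the output posted in the thread,
# AFTER is a made-up reading taken 3348 seconds later, after the IPsec SAs rekeyed.
BEFORE = """\
Session status: UP-ACTIVE
IKE SA: local remote Active
Capabilities:D connid:84 lifetime:23:55:29
Inbound: #pkts dec'ed 16 drop 0 life (KB/Sec) 4477653/3329
Outbound: #pkts enc'ed 16 drop 4 life (KB/Sec) 4477653/3329
"""
AFTER = """\
Session status: UP-ACTIVE
IKE SA: local remote Active
Capabilities:D connid:84 lifetime:22:59:41
Inbound: #pkts dec'ed 40 drop 0 life (KB/Sec) 4607990/3551
Outbound: #pkts enc'ed 40 drop 4 life (KB/Sec) 4607991/3551
"""

def parse_session(text):
    """Extract session status, IKE lifetime and per-direction IPsec SA life."""
    status = re.search(r"Session status:\s*(\S+)", text).group(1)
    ike = re.search(r"connid:(\d+)\s+lifetime:(\d+):(\d+):(\d+)", text)
    h, m, s = (int(x) for x in ike.group(2, 3, 4))
    sas = {}
    for direction, kb, sec in re.findall(
            r"(Inbound|Outbound):.*?life \(KB/Sec\) (\d+)/(\d+)", text):
        sas[direction] = {"kb": int(kb), "sec": int(sec)}
    return {"status": status, "connid": int(ike.group(1)),
            "ike_sec": h * 3600 + m * 60 + s, "sas": sas}

def compare(before, after):
    """Report what changed between two readings of the same session."""
    a, b = parse_session(before), parse_session(after)
    return {
        "still_up": b["status"] == "UP-ACTIVE",
        # Remaining lifetime only counts down, so a rise means a new SA replaced the old one.
        "ike_rekeyed": b["ike_sec"] > a["ike_sec"],
        "ipsec_rekeyed": sorted(d for d in b["sas"]
                                if d in a["sas"] and b["sas"][d]["sec"] > a["sas"][d]["sec"]),
    }

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```
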

