Community Member

IPSec peering Phase I Parameter

Hi ,

I have one S2S tunnel with the Phase I parameters below.

SA Lifetime: 8 Hrs

Traffic Volume: 45M

Can I change these parameters at our end to the below?

SA Lifetime: 24 Hrs

Volume: Not considered

Query: Is this parameter dependent on the remote-side peer, or can I change it on my side only?

What exactly will it cause? Will it help us keep the tunnel up for 24 hrs?

Br/Subhojit

4 REPLIES
Super Bronze

IPSec peering Phase I Parameter

Hi,

It seems to me that you are talking about the Phase 2 parameters configured in the Crypto Map

Generally I would say that it's best to configure these as matching values per connection if needed.

To my understanding the Cisco documentation says that the VPN devices negotiate and choose the smallest values when comparing between the 2 devices.

That would seem to suggest that even if you changed your values the negotiation would go through, but the remote end's values might be negotiated.

So I would suggest either changing these values with the remote end of the VPN or changing the parameters for this connection alone on your side and checking what values are negotiated.

You can for example get good information on an ASA with the command

show vpn-sessiondb detail l2l

You can further narrow it down by using this command

show vpn-sessiondb detail l2l filter ipaddress

Though it seems that the second command, even though supported, doesn't seem to work on some software. Don't know why.

Here are a couple of links related to configuring the Phase 2 SA lifetimes

Configuration Guide:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_ike.html#wp1042781

Command Reference:

http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478892

- Jouni

IPSec peering Phase I Parameter

I agree with Jouni that the configuration should be the same at both ends of the tunnel.

But for the sake of argument, the SA lifetime parameter is not significant in the building of the VPN tunnel so these values can be different at both ends and the tunnel will still come up.  The lifetime value indicates when the device will send a re-key message to the peer.

--
Please remember to rate and select a correct answer

Community Member

IPSec peering Phase I Parameter

Hi All,

Pls find the current capture

2 IKE Peer: <>

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Encrypt : 3des Hash : MD5

Auth : preshared Lifetime: 28800

Lifetime Remaining: 5984

Pls confirm whether after 5984 sec my VPN tunnel will be down / the IPsec tunnel will go down & up

If yes, what will be the error code in that case?

Br/Subhojit
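The shorter-lifetime-wins rule Jouni describes and the capture posted just above, worked through in one added Python example (this is my own illustration, not code from the thread or from Cisco): it parses the IKE block of `show vpn-sessiondb detail l2l` as pasted, models the negotiated lifetime as the smaller of the two proposals, and reports where the IKE SA is in its lifetime. The field names are the ones in the capture; the function names and the constructed copy of the capture are mine.

```python
import re
from typing import Dict

# Constructed copy of the capture posted above; the peer address is blanked ("<>") as in the post.
SAMPLE_CAPTURE = """\
2 IKE Peer: <>
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 28800
Lifetime Remaining: 5984
"""

# One "Key : value" pair; several pairs share a line in this output, and the space
# before the colon is optional ("Lifetime: 28800" vs "Rekey : no").
_PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_ike_session(text: str) -> Dict[str, str]:
    """Flatten the IKE block of 'show vpn-sessiondb detail l2l' into a dict of its fields."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        for key, value in _PAIR.findall(line):
            fields[key.strip()] = value
    return fields


def negotiated_lifetime(local_seconds: int, remote_seconds: int) -> int:
    """The peers settle on the shorter of the two proposed SA lifetimes, so raising
    only the local value does not lengthen the SA unless the peer raises it as well."""
    return min(local_seconds, remote_seconds)


def sa_outlook(fields: Dict[str, str]) -> Dict[str, object]:
    """Describe where the IKE SA is in its lifetime and what its expiry means.

    MM_ACTIVE is the established state of an IKEv1 main-mode (Phase 1) SA and
    28800 seconds is 8 hours, so this capture shows the Phase 1 SA rather than
    the IPsec (Phase 2) SA. Expiry triggers a rekey that replaces the SA in place.
    """
    lifetime = int(fields["Lifetime"])
    remaining = int(fields["Lifetime Remaining"])
    state = fields.get("State", "")
    return {
        "phase": "IKE/Phase 1" if state.startswith(("MM_", "AM_")) else "unknown",
        "established": state == "MM_ACTIVE",
        "lifetime_seconds": lifetime,
        "elapsed_seconds": lifetime - remaining,
        "rekey_in_seconds": remaining,
        "rekey_in_progress": fields.get("Rekey", "no") == "yes",
        "drops_traffic": False,  # an expiry-driven rekey does not tear the tunnel down
    }


if __name__ == "__main__":
    session = parse_ike_session(SAMPLE_CAPTURE)
    print(sa_outlook(session))
    # The poster's idea: propose 24 h locally while the peer keeps 8 h.
    print("negotiated lifetime:", negotiated_lifetime(24 * 3600, 8 * 3600), "seconds")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the pasted output; the `negotiated_lifetime` call shows why a one-sided change to 24 hours still leaves an 8-hour SA when the peer keeps 28800.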

IPSec peering Phase I Parameter

The re-key will not cause any downtime.  You will, however, experience downtime if you change the lifetime since the ASA will need to rebuild the tunnel using the new parameters.

--
Please remember to rate and select a correct answer
