what is the default IKE keepalive time in Cisco ASA
The default IKE (Phase 1) SA lifetime value is 86,400 seconds (24 hours). This value can be changed with the command crypto isakmp policy 10 lifetime 50400. Note: 10 is merely a policy number.
Meanwhile, the default IPsec (Phase 2) SA lifetime value is 28,800 seconds (8 hours) or 4,275,000 KB. The IPsec security association lifetimes can be set either globally or per crypto map instance. To configure it globally, the command syntax is
crypto ipsec security-association lifetime seconds 240
Re: what is the default IKE keepalive time in Cisco ASA
Yes, you’re correct. Lifetime is the period at the end of which a VPN gateway rekeys, just before the time expires. During the typical life of the IKE Security Association (SA), packets are only exchanged over this SA when an IPsec quick mode (QM) negotiation is required at the expiration of the IPsec SAs. The default lifetime of an IKE SA is 24 hours and that of an IPsec SA is one hour. Hence, if there is no interesting network traffic flowing through the VPN tunnel for quite a while but the lifetime period is still valid, the VPN tunnel will not go down.
However, there is no standards-based mechanism for either type of SA to detect the loss of a VPN peer, except when the QM negotiation fails. Therefore, by implementing a keepalive feature over the IKE SA, Cisco has provided a simple and non-intrusive mechanism for detecting loss of connectivity between two IPsec peers. The keepalive packets are sent every 10 seconds by default. Once three packets are missed, an IPsec termination point concludes that it has lost connectivity with its peer.
P.S.: If you think this comment is useful, please do rate it nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
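As an added example (not taken from either reply above), the following ASA configuration fragment puts the two halves of this thread side by side: the Phase 1 and Phase 2 lifetime commands from the first reply, set both globally and per crypto map instance, and the ISAKMP keepalive (dead peer detection) from the second reply, which is what actually notices a dead peer before the next rekey. It uses the pre-8.4 "crypto isakmp" syntax the thread uses; on ASA 8.4 and later the same lines are spelled "crypto ikev1". The peer address 203.0.113.10, the crypto map name outside_map, the transform-set name and the ACL name VPN_TRAFFIC are placeholders. Note that the ASA expresses the keepalive as "isakmp keepalive threshold <idle seconds> retry <retry seconds>" under the tunnel-group's ipsec-attributes (defaults threshold 10, retry 2), which is not the same knob as the IOS "10 seconds, 3 missed packets" figures quoted in the second reply.

```cisco
! Added example for Cisco ASA (pre-8.4 syntax; 8.4+ uses "crypto ikev1 ..." for the isakmp lines).
! outside_map, VPN_TRAFFIC, ESP-AES256-SHA and 203.0.113.10 are placeholders.

! --- Phase 1 (IKE SA) -----------------------------------------------------
! Default lifetime is 86400 s (24 h); this policy shortens it to 8 h.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto isakmp enable outside

! --- Phase 2 (IPsec SA), global defaults ---------------------------------
! ASA defaults are 28800 s and 4608000 KB; setting them explicitly makes them
! visible in "show run" instead of hidden behind the defaults.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Phase 2 override for one peer only (per crypto map instance) --------
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map outside_map 10 match address VPN_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside

! --- Keepalive / dead peer detection -------------------------------------
! Without this, a dead peer is only discovered when the next rekey fails,
! which can be hours away given the lifetimes above.
! threshold = seconds of idle time before the first DPD probe is sent,
! retry     = seconds between retries once a probe goes unanswered.
! "isakmp keepalive disable" turns DPD off for this tunnel-group.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
 isakmp keepalive threshold 10 retry 2
```

After applying it, "show crypto isakmp sa" and "show crypto ipsec sa" show the negotiated SAs and the time and bytes remaining before rekey, which is the quickest way to confirm that the per-map 3600-second lifetime, rather than the 28800-second global one, took effect for this peer. Configure the same Phase 2 lifetime on both ends; when the peers disagree, the shorter value wins for the negotiated SA, so a mismatch silently changes your rekey interval.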