Cisco Support Community
Community Member

What is the default IKE keepalive time in Cisco ASA?

Cisco says that by default IKE keepalive is enabled in Cisco ASA. So what is the default IKE keepalive time in Cisco ASA?

3 REPLIES

Re: What is the default IKE keepalive time in Cisco ASA?

Hi Bro

The default IKE (Phase1) SA lifetime value is 86,400 seconds (24 hours). This value can be changed with the command crypto isakmp policy 10 lifetime 50400. Note: 10 is merely a policy number.

Meanwhile, the default IPsec (Phase 2) SA lifetime value is 28,800 seconds (8 hours) or 4,275,000 KB. The IPsec security association lifetimes can be set either globally or per crypto map instance. To configure it globally, the command syntax is

crypto ipsec security-association lifetime seconds 240

For further details on this, you could refer to this Cisco URL http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html

P/S: if you think this comment is helpful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
Community Member

Re: What is the default IKE keepalive time in Cisco ASA?

Thanks for your reply.

But I wanted to know about the keepalive timeout rather than lifetime.

What I understand is that the lifetime is a period after which a VPN gateway rekeys, just before the time expires.

I am interested to know: if there is no traffic flowing inside the tunnel for quite a long time, but the lifetime is still valid for that peer, what will happen? Will the tunnel go down?

Re: What is the default IKE keepalive time in Cisco ASA?

Hi Bro

Yes, you’re correct. Lifetime is a period when a VPN gateway rekeys just before the time expires. During the typical life of the IKE Security Association (SA), packets are only exchanged over this SA when an IPSec quick mode (QM) negotiation is required at the expiration of the IPSec SAs. The default lifetime of an IKE SA is 24 hours and that of an IPSec SA is one hour. Hence, if there’s no interesting network traffic that flows through the VPN tunnel for quite a while but the lifetime period is still valid, the VPN tunnel would not go down.

However, there is no standards-based mechanism for either type of SA to detect the loss of a VPN peer, except when the QM negotiation fails. Therefore, by implementing a keepalive feature over the IKE SA, Cisco has provided a simple and non-intrusive mechanism for detecting loss of connectivity between two IPsec peers. The keepalive packets are sent every 10 seconds by default. Once three packets are missed, an IPsec termination point concludes that it has lost connectivity with its peer.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
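For readers who want to see where the values discussed in this thread live on an ASA, the following is an added configuration example, not from the original posts. The peer address 203.0.113.1 and the tunnel-group name are constructed; the keepalive threshold and the lifetimes are the values quoted above, and the retry value is an example, not a stated default.

```cisco
! Phase 1 (IKE) SA lifetime, set inside the ISAKMP policy (policy number 10 is arbitrary)
crypto isakmp policy 10
 lifetime 86400
!
! Phase 2 (IPsec) SA lifetime, set globally (can also be set per crypto map entry)
crypto ipsec security-association lifetime seconds 28800
!
! IKE keepalive (DPD) is configured per tunnel-group, not in the ISAKMP policy.
! threshold = seconds of idle time before the ASA starts sending keepalives (10 s, as in the thread)
! retry     = seconds between retries once a keepalive goes unanswered (example value)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 3
!
! To switch keepalives off for a peer that does not support them, use:
!  isakmp keepalive disable
!
! Verification: confirm the SAs and watch whether a peer is declared dead after missed keepalives
! show crypto isakmp sa
! show crypto ipsec sa
```

Because the defaults are not printed by "show running-config", use "show running-config all tunnel-group" to see the effective keepalive settings on a given ASA build.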