Cisco Support Community
New Member

501 site-to-site vpn tunnel timeout

Does anyone know what the maximum timeout a site-to-site VPN tunnel can have is? 24 hours? I have tried to find some documentation as well, but with no luck; if you have a link to this info, could you post that as well? Thanks for all your help...

8 REPLIES
Cisco Employee

Re: 501 site-to-site vpn tunnel timeout

Can you please let me know what kind of a device you are asking about?

On a Concentrator and ASA you can do that.

It's normally set to "zero", which means "None".

For site-to-site tunnels, it will be the lifetime of Phase 1 and Phase 2 that comes into play for negotiation.

Rate this post, if it helps.

Thanks

Gilbert

New Member

Re: 501 site-to-site vpn tunnel timeout

2 PIX 501s

Cisco Employee

Re: 501 site-to-site vpn tunnel timeout

On a PIX 501, you can set the IPsec lifetime but not the Max-connect time for a tunnel.

Here is the command to set the security association lifetime.

crypto ipsec security-association lifetime seconds

Rate this post, if it helps.

Cheers

Gilbert

New Member

Re: 501 site-to-site vpn tunnel timeout

I am aware of how to set the lifetime; I am just trying to find out what the maximum lifetime is that the tunnel will stay connected if no traffic is on the tunnel.

Thanks for your responses...

Cisco Employee

Re: 501 site-to-site vpn tunnel timeout

Hi,

If there is no interesting traffic passing through, then when the time comes for re-negotiation due to lifetime expiry, the SA will not be negotiated, since the interesting traffic will not pass through.

So, to answer your original question, on a PIX 501 there is no "Max-connect time" setting for a site-to-site tunnel.

Thanks

Gilbert

New Member

Re: 501 site-to-site vpn tunnel timeout

So what about the re-negotiation lifetime? Does it have a maximum limit to which you can set the lifetime of the tunnel? I have been told that the limit is 24 hours.

Cisco Employee

Re: 501 site-to-site vpn tunnel timeout

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027585

Default isakmp lifetime is 86400 - Phase 1.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972

Default ipsec lifetime is 28800 - Phase 2.

Phase 1 - 86400 is the maximum. You can specify 0 seconds for an infinite lifetime (which might be a security problem: a possible man-in-the-middle attack scenario).

Phase 2 - I would leave it at the default, which sets it to something less than or equal to Phase 1.

Hope this helps.

Thanks

Gilbert

New Member

Re: 501 site-to-site vpn tunnel timeout

Thanks, Gilbert, that is what I was looking for!
