How low can the security-association lifetime be?

p.mckay
Level 1

I have been working on a lab deployment before going to production. I found that I had an issue with failover until I reduced the security-association lifetime to 120 seconds on the routers connecting to a PIX. I did not change anything on the PIX.

I was wondering if this is going to be an issue with 20 or so routers negotiating their SA every couple of minutes?

How low have you run the security-association lifetime setting in real life production networks?

Do you see any issues with this?

1 Reply

jackko
Level 7

Just a quick comment.

First, PIX failover should work with the default lifetime.

And second, 20 sites performing a re-key every 2 mins will create too much overhead, which I believe will have an impact on the VPN.