Cisco Support Community
Community Member

ISAKMP vs IPSec SA lifetimes

I have a hub and spoke VPN. I noticed that when I had an ISAKMP SA of 1000 sec and an IPSec SA of 8 hours, the tunnel would stop passing traffic at random intervals. The ISAKMP SA did not exist in the output from "sh cry isa sa". I then would have to execute "clear cry isa" and "clear cry sa" to resume traffic flow. With the help of the TAC, I set the ISAKMP SA to a longer lifetime than the IPSec SA. Since then, I have not had any tunnel drops.

1. Why must the ISAKMP SA lifetime be longer than the IPSec SA?

2. What causes traffic to stop flowing?

3. Does an ISAKMP SA have to be present to have traffic flowing through an IPSec tunnel?

Thanks for all answers.


Community Member

Re: ISAKMP vs IPSec SA lifetimes

Hi RJ,

I hope you agree that ISAKMP is used as the Phase-1 negotiation during the set-up of a VPN and is used for the key exchange process. What happens is that once the two parties agree on the ISAKMP parameters, an ISAKMP SA is created and a corresponding entry is made in the SADB (SA database). This SA has a lifetime that you specify during ISAKMP negotiation.

It is this Phase-1 negotiation that sets the stage for security protocols like IPSec to negotiate their parameters. Since ISAKMP has now created an SA, all IPSec negotiation parameters go through this SA (which is secure) and eventually an IPSec SA is also created (this is Phase-2). Whatever data you send now will be IPSec protected. The IPSec SAs have a lifetime too. Whenever the lifetime of an IPSec SA is over, it will stop the user traffic, create a new IPSec SA again for the same lifetime that you gave during IPSec configuration and send the traffic again. What happens during this time is that the SA identification parameters are changed and they are correspondingly updated in the SADB.

This creation of a new IPSec SA will happen only if the ISAKMP SA is still intact. This is the reason why you should have the lifetime of an ISAKMP SA longer than the lifetime of the IPSec SA. The traffic will stop passing at the point when either an ISAKMP or an IPSec negotiation is going on because the lifetime has expired. Hence an IPSec SA can expire many times before one expiry of the ISAKMP SA. Hope it's pretty clear now!!

To avoid traffic stoppage, set your ISAKMP lifetime and IPSec lifetime as high as possible, but remember that ISAKMP's lifetime should be greater than IPSec's.

Cheers :-))
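As an added example (not code from this thread), here is a small audit script that applies the rule stated in the reply to an IOS-style configuration: it parses the `lifetime` under each `crypto isakmp policy` and the IPsec SA lifetime (global and per crypto map entry) and reports any ISAKMP policy whose lifetime is not longer than the IPsec lifetime. The sample config is constructed from the poster's values (1000 s and 8 h); the peer address and map names are placeholders.

```python
import re

# Constructed sample config mirroring the settings the poster described:
# ISAKMP lifetime 1000 s, IPsec SA lifetime 8 h (28800 s). Peer address is a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 1000
crypto ipsec security-association lifetime seconds 28800
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
"""

# IOS defaults that apply when the lifetime line is absent
DEFAULT_ISAKMP_LIFETIME = 86400
DEFAULT_IPSEC_LIFETIME = 3600

def parse_lifetimes(config):
    """Return ({policy: isakmp lifetime}, global ipsec lifetime, {crypto map entry: override})."""
    isakmp, overrides, ipsec_global, section = {}, {}, DEFAULT_IPSEC_LIFETIME, None
    for line in config.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            section = ("isakmp", int(m.group(1)))
            isakmp[section[1]] = DEFAULT_ISAKMP_LIFETIME
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-isakmp", line):
            section = ("map", m.group(1))
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            ipsec_global, section = int(m.group(1)), None
        elif not line.startswith(" "):
            section = None  # any other top-level line ends the current block
        elif section and section[0] == "isakmp" and (m := re.match(r"\s+lifetime (\d+)", line)):
            isakmp[section[1]] = int(m.group(1))
        elif section and section[0] == "map" and (
                m := re.match(r"\s+set security-association lifetime seconds (\d+)", line)):
            overrides[section[1]] = int(m.group(1))
    return isakmp, ipsec_global, overrides

def check_lifetimes(config):
    """Flag each ISAKMP policy whose lifetime is not longer than an IPsec SA lifetime it protects."""
    isakmp, ipsec_global, overrides = parse_lifetimes(config)
    ipsec_lifetimes = {"global": ipsec_global, **overrides}
    return [
        f"isakmp policy {policy} lifetime {ike}s <= ipsec lifetime {ipsec}s ({scope})"
        for policy, ike in sorted(isakmp.items())
        for scope, ipsec in ipsec_lifetimes.items()
        if ike <= ipsec
    ]
```

Running `check_lifetimes(SAMPLE_CONFIG)` reports the 1000 s policy against the 28800 s IPsec lifetime; raising the ISAKMP lifetime above the IPsec value clears the finding.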

