Cisco Support Community

problem with lifetime parameter on ipsec

hi

When I run the show crypto session detail command, I get the following message:

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.30.102.101/500 fvrf: (none) ivrf: (none)
Phase1_id: 172.30.102.101
Desc: (none)
IKE SA: local 172.30.102.102/500 remote 172.30.102.101/500 Active
Capabilities:D connid:84 lifetime:23:55:29
IPSEC FLOW: permit ip 172.30.102.100/255.255.255.252 172.30.102.100/255.255.255.252
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 16 drop 0 life (KB/Sec) 4477653/3329
Outbound: #pkts enc'ed 16 drop 4 life (KB/Sec) 4477653/3329

That means I have a lifetime, as appears in the example: 23:55:29, and after that time the IPsec goes down.

How can I disable this lifetime, so that the IPsec (crypto) always works?

thanks.


Re: problem with lifetime parameter on ipsec

Hi

The IPSEC SA lifetime is a fixed configured parameter that cannot be left out. If you have configured IPSEC correctly, and you always have interesting IPSEC traffic (traffic that matches your Crypto ACL), the SA will re-establish the tunnel automatically.

A smaller SA lifetime provides more security because this changes your "connection-keys" more often. But then again, a shorter SA lifetime adds more overhead to manage the connection.

Be aware that you have 2 lifetime settings:

1 for IKE - Key exchange Phase 1

crypto isakmp policy xxx
 lifetime

Default = 24 hours (I believe)

2 for the IPSEC tunnel itself.

crypto map xxxxx
 set security-association lifetime

Default = 1 hour (I believe)

Post your config, and we might help you find your problem.

Greetings

Jarle
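
Added example (not part of the original thread): a small Python parser for the `show crypto session detail` output quoted in the question, showing that it carries two separate timers, the IKE SA lifetime and the IPsec SA lifetime. The sample text is reconstructed from the post; the function names and the default values of 86400 and 3600 seconds are assumptions taken from the reply's "24 hours" and "1 hour".

```python
import re

# Constructed sample: the router output quoted in the question, blank lines removed.
SAMPLE = """\
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.30.102.101/500 fvrf: (none) ivrf: (none)
IKE SA: local 172.30.102.102/500 remote 172.30.102.101/500 Active
Capabilities:D connid:84 lifetime:23:55:29
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 16 drop 0 life (KB/Sec) 4477653/3329
Outbound: #pkts enc'ed 16 drop 4 life (KB/Sec) 4477653/3329
"""

# Assumed defaults, taken from the reply's "24 hours" and "1 hour".
IKE_DEFAULT_S = 86400
IPSEC_DEFAULT_S = 3600

IKE_RE = re.compile(r"connid:(\d+)\s+lifetime:(\d+):(\d{2}):(\d{2})")
SA_RE = re.compile(
    r"^(Inbound|Outbound):.*?drop (\d+) life \(KB/Sec\) (\d+)/(\d+)", re.M)


def parse_session(text):
    """Extract the remaining IKE (phase 1) and IPsec SA (phase 2) lifetimes."""
    m = IKE_RE.search(text)
    if not m:
        raise ValueError("no IKE SA lifetime line found")
    hours, minutes, seconds = (int(x) for x in m.groups()[1:])
    info = {"ike_connid": int(m.group(1)),
            "ike_remaining_s": hours * 3600 + minutes * 60 + seconds,
            "ipsec": {}}
    for direction, drops, kb, sec in SA_RE.findall(text):
        info["ipsec"][direction.lower()] = {
            "drops": int(drops), "remaining_kb": int(kb), "remaining_s": int(sec)}
    if not info["ipsec"]:
        raise ValueError("no IPsec SA lifetime lines found")
    return info


def summarize(info):
    """Report which timer expires first and each SA's age under the assumed defaults."""
    ipsec_s = min(sa["remaining_s"] for sa in info["ipsec"].values())
    first = "ipsec" if ipsec_s < info["ike_remaining_s"] else "ike"
    return {"first_to_expire": first,
            "ike_elapsed_s": IKE_DEFAULT_S - info["ike_remaining_s"],
            "ipsec_elapsed_s": IPSEC_DEFAULT_S - ipsec_s}
```

On the quoted output the 23:55:29 value is the IKE SA timer, while the IPsec SAs have 3329 seconds left and will be the first to rekey; both come out 271 seconds old under the assumed defaults.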
