You can adjust the lifetime on both the crypto-map and the isakmp policy. In addition, the newer versions of IOS have an option called "crypto isakmp keepalive" with a configurable timer so that the routers poll to ensure the far-end is still reachable.
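The three settings named in the reply above, as an added IOS configuration sketch that is not part of the original post. The policy number, map name `VPN-MAP`, sequence number and keepalive timers are constructed placeholders, and the crypto map entry is assumed to already exist with its peer, transform set and ACL; the 300-second value matches the lifetime tested later in the thread.

```cisco
! Constructed example: policy 10, VPN-MAP and the timer values are placeholders.
! IKE (isakmp) SA lifetime, in seconds, set on the isakmp policy
crypto isakmp policy 10
 lifetime 300
!
! Keepalive: poll the peer every 10 seconds, retry every 3 seconds on failure
crypto isakmp keepalive 10 3
!
! IPsec SA lifetime, in seconds, set on the existing crypto map entry
crypto map VPN-MAP 10 ipsec-isakmp
 set security-association lifetime seconds 300
!
! Exec-mode commands to watch SA state and remaining lifetime:
!   show crypto isakmp sa
!   show crypto ipsec sa
```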
I have tested using short isakmp and ipsec SA lifetimes. This is what I get after I initiate the VPN and then send no more traffic:
After Initial Lifetime Expiry:
- isakmp SA goes into "MM_NO_STATE" mode and shows "(deleted)"
- ipsec SA gets renegotiated and the expiry gets reset to the lifetime amount
After Second Lifetime Expiry:
- isakmp SA no longer shows
- ipsec SA gets deleted
I did these tests using a 300 second lifetime. If I were to set the lifetime to let's say 2 hours, does this mean that it will take 4 hours for the ipsec SA to time out? Is this a big deal (will it use up router resources)? Also, should I set the lifetimes for the isakmp SA and ipsec SA to be the same? Since isakmp is used to set up the VPN, could I make the isakmp lifetime short and leave the ipsec SA long? Does all this make any difference to the router performance?
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: