Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN timeouts on IOS?

I've setup a VPN between two Cisco routers. The question I have concerns timing out an "unused" VPN. Once a VPN tunnel is setup, at what point will it be deleted if there is no more traffic?

New Member

Re: VPN timeouts on IOS?

You can adjust the lifetime on both the crypto-map and the isakmp policy. In addition, the newer versions of IOS have an option called "crypto isakmp keepalive" with a configurable timer so that the routers router poll to ensure the far-end is still reachable.

New Member

Re: VPN timeouts on IOS?

I have tested using short isakmp and ipsec SA lifetimes. This is what I get after I initiate the VPN and then send no more traffic:

After Initial Lifetime Expiry:

- isakmp SA goes into "MM_NO_STATE" mode and shows "(deleted)"

- ipsec SA gets renegotiated and the expiry gets reset to the lifetime amount

After Second Lifetime Expiry:

- isakmp SA no longer shows

- ipsec SA gets deleted

I did these tests using a 300 second lifetime. If I were to set the lifetime to let's say 2 hours, does this mean that it will take 4 hours for the ipsec SA to timeout? Is this a big deal (will it use up router resources)? Also, should I set the lifetimes for the isakmp SA and ipsec SA to be the same? Since isakmp is used to setup the VPN, could I make the isakmp lifetime short and leave the ipsec SA long? Does all this make any difference to the router performance?

CreatePlease to create content