Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1217
Views
0
Helpful
3
Replies

ISAKMP lifetime negotiation

mvsheik123
Level 7
Level 7

‎04-05-2009 08:29 AM

Hi All,

If L2L peers (ex: ASA & PIX) has different iskmp lifetime (ASA:172800 & PIX: 86400) configured, does the lowest ISKMP peer time will takeover to negotiate the tunnel after the lifetime expired OR the tunnel does not come up at all due to diff. lifetime..?

TIA

MS

Labels:
0 Helpful
3 Replies 3

JamesLuther
Level 3
Level 3

‎04-06-2009 12:49 AM

Hi,

If you have a time difference in your lifetimes then one end will expire and delete the SA before the other end and potentially the VPN will break.

However there are a couple of features which safeguard against this. One is IKE delete message. When one end deletes an SA it sends a IKE delete message to the other end referencing the SPI. Both ends will then delete the SA and re-negotiate at the same time.

Another feature is DPD, this attempts to detect when the other peer is down. If it detects the other side is down then it will delete it's SA and re-negotiate.

These features depend on what code level your running and what type of firewall you have at both ends. For recent cisco code levels you should find these features turned on by default.

Regards

0 Helpful

mvsheik123
Level 7
Level 7
In response to JamesLuther

‎04-06-2009 05:36 AM

Thanks james.

"If you have a time difference in your lifetimes then one end will expire and delete the SA before the other end and potentially the VPN will break"

So when the VPN breaks, will it try to restablish immediately (due to interesting traffic) or will it wait for the other peer also to completes the lifetime? (in which case VPN down for longer time)

TIA

MS

0 Helpful

JamesLuther
Level 3
Level 3
In response to mvsheik123

‎04-06-2009 11:52 PM

Hi,

If you don't have IKE delete or DPD functionality then the VPN will stay down until the other end expires their key (or an administrator manually deletes the key).

This used to be a common scenarion 5+ years ago, however all the vendors now implement IKE delete and/or DPD now.

Therefore to aviod issues use the latest code levels and it's best practice to match up the lifetimes too.

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents