Solved: Isakmp SA lifetime

jazzlim2004 · ‎02-08-2011

Hi,

Like to know when the process of SA expired and renew, will it cause the VPN to goes down ?

and how long can pre-shared key support?

Thank you in-advance!

Jennifer Halim · ‎02-08-2011

Prior to the SA expiry, a new SA will be negotiated and established, therefore, as soon as the old SA expired, there is already new SA that will take place automatically. So to answer your question, for SA rekey, the VPN tunnel will not go down.

The SA lifetime for phase 2 can be configured to a maximum of 214783647 seconds (by default it is 28800 seconds).

Hope that answers your question.

View solution in original post

Jennifer Halim · ‎02-08-2011

Prior to the SA expiry, a new SA will be negotiated and established, therefore, as soon as the old SA expired, there is already new SA that will take place automatically. So to answer your question, for SA rekey, the VPN tunnel will not go down.

The SA lifetime for phase 2 can be configured to a maximum of 214783647 seconds (by default it is 28800 seconds).

Hope that answers your question.

jazzlim2004 · ‎02-08-2011

Thanks for your explaination. My tunnel always down for 1 min every 8 hours, I don't why and thought its due to SA expired (hmm...have to relook into this)

Any idea what is the max. length for pre-shared key?

Thank you

Jennifer Halim · ‎02-08-2011

Pls make sure that the lifetime is the same on either end of the VPN peer.

The maximum length of pre-shared key is 128 characters:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1920453

Hope that helps.