Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5231
Views
0
Helpful
3
Replies

Phase 1 and Phase 2 lifetimes

Ruterford
Level 1
Level 1

‎11-23-2011 08:19 AM

Hi All,

I have a question.

Is that a big problem to have different Phase 2 lifetimes configured on L2L VPN tunnels on both ends?

Like one end has P1 lifetime set to 86400 P2 lifetime set to 86400 and remote end has P1 set to 86400 and P2 set to 28800.

Thanks!

Labels:
0 Helpful
3 Replies 3

ajay chauhan
Level 7
Level 7

‎11-23-2011 08:39 AM

Its also part of Phase 1-2 Proposals mismatch will cause termination of tunnel.Should be same on both End.

Thanks

Ajay

0 Helpful

Ruterford
Level 1
Level 1
In response to ajay chauhan

‎11-23-2011 10:55 AM

I know that they will cause termination of the tunnel, because these timers are intended to do this.

The thing is that one end will terminate after 86400 and the other end will terminate after 28800.

So which end will force the lifetime timeout?

Depends on originator and responder? I.e. originator forces the timers on the remote end?

0 Helpful

mudjain
Level 1
Level 1

‎02-11-2012 02:17 AM

http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/isakmp.html#wp6739

Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents