https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467561#M270094 <P>Hi ,</P><P></P><P>I am having one S2S Tunnel where in Phase I below parameter.</P><P></P><P>SA Lifetime:8 Hrs</P><P>Treaffic Volume:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 45M</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Can I change this parameter in our end to below</P><P></P><P>SA Lifetime:24 Hrs</P><P>Volume: Not consider</P><P></P><P>Query: Whether this Parameter is Remote side peering dependent&nbsp; / I can chage the same in my Side only</P><P></P><P>What exactly It will cause/ it it help us to keep the tunnel up for 24hrs</P><P></P><P>Br/Subhojit</P> Tue, 12 Mar 2019 03:41:57 GMT subhojithalder198 2019-03-12T03:41:57Z https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467561#M270094 <P>Hi ,</P><P></P><P>I am having one S2S Tunnel where in Phase I below parameter.</P><P></P><P>SA Lifetime:8 Hrs</P><P>Treaffic Volume:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 45M</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Can I change this parameter in our end to below</P><P></P><P>SA Lifetime:24 Hrs</P><P>Volume: Not consider</P><P></P><P>Query: Whether this Parameter is Remote side peering dependent&nbsp; / I can chage the same in my Side only</P><P></P><P>What exactly It will cause/ it it help us to keep the tunnel up for 24hrs</P><P></P><P>Br/Subhojit</P> Tue, 12 Mar 2019 03:41:57 GMT https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467561#M270094 subhojithalder198 2019-03-12T03:41:57Z https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467562#M270099 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It seems to me that you are talking about the Phase 2 parameters configured in the Crypto Map</P><P></P><P>Generally I would say that its best to configure these as matching values per connection if needed.</P><P></P><P>To my understanding the Cisco documentation says that the VPN devices negotiate and choose the smallest values when comparing between the 2 devices.</P><P></P><P>That would seem to suggest that even if you changed your values the negotiation would go through but the remote ends values might be negotiated.</P><P></P><P>So I would suggest either changing these values with the remote end of the VPN or changing the parameters for this connection alone on your side and checking what values are negotiated.</P><P></P><P>You can for example get good information on an ASA with the command</P><P></P><P><STRONG>show vpn-sessiondb detail l2l</STRONG></P><P></P><P>You can further narrow it down with by using this command</P><P></P><P><STRONG>show vpn-sessiondb detail l2l filter ipaddress <VPN peer="" ip="" address=""></VPN></STRONG></P><P></P><P>Though it seems that the second command even though supported doesnt seem to work on some softwares. Don't know why.</P><P></P><P>Here are couple of links related to configuring the Phase 2 SA lifetimes</P><P></P><P>Configuration Guide:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_ike.html#wp1042781">http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_ike.html#wp1042781</A></P><P></P><P>Command Reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478892">http://www.cisco.com/en/US/docs/security/asa/command-reference/c8.html#wp2478892</A></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 07 Feb 2014 13:38:59 GMT https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467562#M270099 Jouni Forss 2014-02-07T13:38:59Z https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467563#M270101 <HTML><HEAD></HEAD><BODY><P>I agree with Jouni that the configuration should be the same at both ends of the tunnel.</P><P></P><P>But for the sake of argument, the SA lifetime parameter is not significant in the building of the VPN tunnel so these values can be different at both ends and the tunnel will still come up.&nbsp; The lifetime value indicates when the device will send a re-key message to the peer.</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Fri, 07 Feb 2014 13:55:27 GMT https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467563#M270101 Marius Gunnerud 2014-02-07T13:55:27Z https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467564#M270103 <HTML><HEAD></HEAD><BODY><P> Hi All,</P><P></P><P>Hi,</P><P></P><P>Pls find the curretn capture</P><P></P><P></P><P></P><P></P>2 IKE Peer: &lt;<IP address="">&gt;<P></P><P>Type : L2L Role : initiator </P><P>Rekey : no State : MM_ACTIVE </P><P>Encrypt : 3des Hash : MD5 </P><P>Auth : preshared Lifetime: <STRONG>28800<BR /></STRONG></P><P>Lifetime Remaining: <STRONG>5984</STRONG></P><P><STRONG> </STRONG><STRONG> </STRONG></P><P><STRONG>Pls confirm , whether after 5984Sec my vpn tunnel will be down / IPsec tunnel will be down &amp; up</STRONG></P><P><STRONG>In case Yes, what will be the erro-code in that case</STRONG></P><P></P><P><STRONG>Br/Subhojit</STRONG></P><P></P></IP></BODY></HTML> Fri, 07 Feb 2014 14:04:48 GMT https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467564#M270103 subhojithalder198 2014-02-07T14:04:48Z https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467565#M270105 <HTML><HEAD></HEAD><BODY><P>The re-key will not cause any downtime.&nbsp; You will, however, experience downtime if you change the lifetime since the ASA will need to rebuild the tunnel using the new parameters.</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Fri, 07 Feb 2014 14:07:39 GMT https://community.cisco.com/t5/network-security/ipsec-peering-phase-i-parameter/m-p/2467565#M270105 Marius Gunnerud 2014-02-07T14:07:39Z