https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756933#M8600 <P>I think I'm starting to understand.</P><P>&nbsp;</P><P>I think these global commands must be in the ASA as preconfigured default values.</P><P>I see, for example, the pmtu-aging command is showing on a new ASA device show run, despite not being configured manually.</P><P>&nbsp;</P><P>The lifetime seconds 3600 and the kilobytes is not showing up on show run on this device.&nbsp; That could because this device is newer and it doesn't show up in show run on this device, but does on the old one I pulled the configs from.&nbsp; I do know that 3600 is default, so that makes sense.&nbsp; I'm not sure&nbsp;if the 102400000 kilobytes is default but probably.&nbsp; Can anyone confirm any of this?</P><P>&nbsp;</P><P>Is there a way to check what the default global lifetime values actually are on the device if show run does not show them?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Again, this particular device does show pmtu-aging infinite, so at least I know for sure that is a device default config.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Also, what is pmtu-aging used for?&nbsp;&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 03 Dec 2018 16:21:07 GMT Waterbird 2018-12-03T16:21:07Z https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756150#M8595 <P>I've got an ASA 5506-X with some the following commands on it from a previous administrator:</P><P>&nbsp;</P><P>crypto ipsec security-association lifetime seconds 3600</P><P>crypto ipsec security-association lifetime kilobytes 102400000</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>&nbsp;</P><P>I already configured a VPN using ikev1, and these commands were not needed for that configuration.</P><P>&nbsp;</P><P>My question is;&nbsp; Are these commands fragments left over from another ikev1&nbsp;configuration,&nbsp;an ikev2 configuration, another version, or are these commands used extraneously to all three typical configurations?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 16:31:52 GMT https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756150#M8595 Waterbird 2020-02-21T16:31:52Z https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756206#M8598 Hi<BR /><BR />These are phase 2 global default lifetime. If you've configured specific lifetime values on your crypto map, these global won't be used otherwise if not configured in your crypto map for specific peers, asa will use default values when negotiation occurs.<BR /><BR />The IPsec sa will expire when the first setting is matched (volume or time). Sat, 01 Dec 2018 05:20:32 GMT https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756206#M8598 Francesco Molino 2018-12-01T05:20:32Z https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756933#M8600 <P>I think I'm starting to understand.</P><P>&nbsp;</P><P>I think these global commands must be in the ASA as preconfigured default values.</P><P>I see, for example, the pmtu-aging command is showing on a new ASA device show run, despite not being configured manually.</P><P>&nbsp;</P><P>The lifetime seconds 3600 and the kilobytes is not showing up on show run on this device.&nbsp; That could because this device is newer and it doesn't show up in show run on this device, but does on the old one I pulled the configs from.&nbsp; I do know that 3600 is default, so that makes sense.&nbsp; I'm not sure&nbsp;if the 102400000 kilobytes is default but probably.&nbsp; Can anyone confirm any of this?</P><P>&nbsp;</P><P>Is there a way to check what the default global lifetime values actually are on the device if show run does not show them?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Again, this particular device does show pmtu-aging infinite, so at least I know for sure that is a device default config.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Also, what is pmtu-aging used for?&nbsp;&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 03 Dec 2018 16:21:07 GMT https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756933#M8600 Waterbird 2018-12-03T16:21:07Z https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756935#M8605 I just read that The PMTU aging time is used to change the lifetime of a PMTU entry in the cache. Mon, 03 Dec 2018 16:23:43 GMT https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3756935#M8605 Waterbird 2018-12-03T16:23:43Z https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3757896#M8609 <P>phase 1 default is 86400<BR />Phase 2 default is 3600</P><P>phase 1 config:<BR />crypto ikev1 policy 10&nbsp;<BR />encryption aes-192<BR />hash sha<BR />authentication pre-share<BR />group 5<BR />lifetime 86400</P><P>phase 2 optional paramaters:<BR />crypto map vpnmap 5 set security-association lifetime SECS<BR />crypto map vpnmap 5 set security-association lifetime kilobytes 102400000</P><P>these extra parameters are sometimes needed if they are set to specific values at remote end - eg. you will have to configure for s2s vpn to azure</P><P>could also try show run all | include abc&nbsp; &nbsp; &nbsp;- might work</P><P>regards, mk</P> Tue, 04 Dec 2018 23:39:52 GMT https://community.cisco.com/t5/network-security/crypto-ipsec-security-association-commands/m-p/3757896#M8609 mkazam001 2018-12-04T23:39:52Z