Ask about Association Lifetime

Hi Guys,

I have some questions about the association lifetime. I have been working with an AWS L2L VPN and our tunnel is already up.

But every 1 hour the tunnel state is down. Is this because I set the association lifetime to 3600? And what if I changed the association lifetime to be longer, is that possible or not? Is there any problem after I change it?

Your response is needed.

Thank you

8 Replies

In IKEv1, if the phase 1 time values are different on the two routers/firewalls, the lower value always wins.
Lifetime association: this is the lifetime of the keys that the tunnel uses to encrypt data.
The time and data limits are there to protect the integrity of the keys used to encrypt your data.
The data limit is there so that no part of the key is used twice.
I just leave mine set as default:
8 Hours
460800 KBytes
When these timers run out the tunnel negotiates a new key. If you have activity through the tunnels you shouldn't even notice when these timers expire.

Please do not forget to rate.
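The reply above describes two rules: in IKEv1 the lower proposed lifetime wins, and a rekey is triggered by whichever limit (time or data volume) is reached first. The following Python model is an added example, not code from this thread or from any Cisco or AWS product; it applies those rules to constructed lifetime values and traffic rates, and includes a small diagnostic that checks whether observed outage times line up with the negotiated time lifetime, which is the symptom the original poster describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SaLifetime:
    seconds: int     # time-based lifetime of the SA
    kilobytes: int   # volume-based lifetime; 0 means "no volume limit"

def negotiate_ikev1(local: SaLifetime, remote: SaLifetime) -> SaLifetime:
    """Apply the IKEv1 rule from the reply: the lower proposed value wins.
    A side with no volume limit (0) simply defers to the other side's limit."""
    def lower_volume(a: int, b: int) -> int:
        if a == 0 or b == 0:
            return a or b
        return min(a, b)
    return SaLifetime(min(local.seconds, remote.seconds),
                      lower_volume(local.kilobytes, remote.kilobytes))

def rekey_timeline(lifetime: SaLifetime, kb_per_second: float,
                   horizon_seconds: int) -> list[tuple[int, str]]:
    """List (time, trigger) for every rekey within the horizon, assuming a
    constant traffic rate. Whichever limit is reached first triggers the rekey;
    a healthy peer negotiates the new SA before the old one expires, so the
    rekey itself should not take the tunnel down."""
    events: list[tuple[int, str]] = []
    t = 0
    while True:
        interval, trigger = lifetime.seconds, "time"
        if lifetime.kilobytes and kb_per_second > 0:
            data_interval = int(lifetime.kilobytes / kb_per_second)
            if data_interval < interval:
                interval, trigger = data_interval, "data"
        t += interval
        if t > horizon_seconds:
            return events
        events.append((t, trigger))

def outages_match_lifetime(outage_times: list[int], lifetime: SaLifetime,
                           tolerance: int = 60) -> bool:
    """Diagnostic for the symptom in the thread: if every gap between observed
    outages equals the negotiated time lifetime (within tolerance), the outages
    coincide with rekeys and the rekey exchange itself is worth investigating."""
    if len(outage_times) < 2:
        return False
    gaps = [b - a for a, b in zip(outage_times, outage_times[1:])]
    return all(abs(g - lifetime.seconds) <= tolerance for g in gaps)

if __name__ == "__main__":
    # Constructed values: a 1-hour local lifetime against an 8-hour peer.
    sa = negotiate_ikev1(SaLifetime(3600, 4608000), SaLifetime(28800, 0))
    print(sa)                                   # SaLifetime(seconds=3600, kilobytes=4608000)
    print(rekey_timeline(sa, 100.0, 4 * 3600))  # four time-triggered rekeys
    print(outages_match_lifetime([0, 3600, 7210], sa))  # True
```

At a high traffic rate the data limit wins and rekeys happen more often than the time value alone suggests, which is why both limits should be compared against the peer's settings.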

Hi Sheraz,

I still don't get it. Is there any issue if I change the association lifetime? And when I set it to 3600 seconds, does it mean that every 1 hour the VPN generates a new key and makes the traffic state go down for a while?

Thank you for your attention

Can you check what the other side is configured with and match the values on both sides.

Please do not forget to rate.

Hi Sheraz,

I will check it later in AWS. What happens if the values are different? I need information on why the traffic state goes down periodically every 1 hour, like the 3600 seconds I set on the association lifetime.

Thank you for your help

Hi Sheraz,

I got a problem like in this picture: the traffic state periodically (every 1 hour) changes to 0.5. Does this happen due to the association lifetime of 3600 seconds? Or is it normal when IPsec generates a new key?

Thank you for your kind help

(Attachment: Capture AWS.PNG)

Do you see the tunnel going down too? When the key exchange happens the tunnel does not go down. Could you share your config file? This behavior is not normal. Are you using an ASA or a router? Since when has this been happening?

Please do not forget to rate.

Hi Sheraz,

Thank you for your response.

What kind of config do you want? Or could you just write the commands you want here?

This just happened and we are still investigating. What happens when I set the association lifetime longer? Is there any security problem if I change it to be longer?

Thank you

"This just happened and we are still investigating. What happens when I set the association lifetime longer? Is there any security problem if I change it to be longer?"

If you are a security company, or your company deals with highly sensitive information between the two remote sides, then it is good practice to rekey the association lifetime in a short period of time. But if it is not very sensitive data, then you can leave it at the default. It all depends on your company's security policies.

Please do not forget to rate.