05-04-2020 03:09 AM
Hi Guys,
I have some questions about the lifetime association. I have worked with AWS VPN L2L and our tunnel is already up,
but every 1 hour the tunnel state goes down. Is this because I set the lifetime association to 3600? And what if I changed the lifetime association to be longer, is that possible or not? Is there any problem after I change it?
Your response is needed.
Thank you
05-04-2020 03:37 AM - edited 05-04-2020 03:45 AM
In IKEv1, if the time values of phase 1 are different on both routers/firewalls, then the lower value always wins.
Lifetime association: this is the lifetime of the keys that the tunnel uses to encrypt data.
The time and data limits are there to protect the integrity of the keys used to encrypt your data.
The data limit is there so that no part of the key is used twice.
I just leave mine set as default.
8 Hours
460800 KBytes
When these timers run out the tunnel negotiates a new key. If you have activity through the tunnels you shouldn't even notice when these timers expire.
05-04-2020 03:45 AM
Hi Sheraz,
I still don't get it. Is there any issue if I change the lifetime association? And when I set it to 3600 seconds, does it mean that every 1 hour the VPN generates a new key and makes the traffic state go down for a while?
Thank you for your attention
05-04-2020 04:20 AM
Can you check what the other side is configured with and match the values on both sides?
05-04-2020 04:40 AM
Hi Sheraz,
I will check it later in AWS. What happens if the value is different? I need information on why the traffic state goes down periodically every 1 hour, like I set on the association lifetime.
Thank you for your help
05-04-2020 10:03 AM
Hi Sheraz,
I got a problem like in this pic: the traffic state periodically (every 1 hour) changes to 0.5. Is this happening due to the association lifetime of 3600 seconds? Or is it normal when IPsec generates a new key?
Thank you for your kindly help
05-04-2020 01:40 PM
Do you see the tunnel going down too? When the key exchange happens the tunnel does not go down. Could you share your config file? This behavior is not normal. Are you using an ASA or is it a router? Since when has this been happening?
05-04-2020 06:05 PM
Hi Sheraz,
Thank you for your response,
What kind of config do you want? Or could you just write the command you want here?
This just happened, we are still investigating. And what happens when I set a longer lifetime association? Is there any security problem if I change it to be longer?
Thank you
05-05-2020 11:17 AM
This just happened, we are still investigating. And what happens when I set a longer lifetime association? Is there any security problem if I change it to be longer?
If you are a security company, or your company deals with highly sensitive information between two remote sites, then it is good practice to rekey the lifetime association in a short period of time. But if it is not very sensitive data, then you can leave it as default. It all depends on your company's security policies.
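The two points made in this thread, that IKEv1 peers with mismatched lifetimes settle on the lower value and that an SA is rekeyed when either its time or its kilobyte limit runs out, can be modelled to check whether observed tunnel drops line up with expected rekeys. This is an added example, not code from the thread or from Cisco/AWS; the lifetimes, throughput and drop timestamps are constructed, and kilobytes = 0 is used here to mean "no data limit".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SaLifetime:
    seconds: int     # time limit of the security association
    kilobytes: int   # data limit of the SA (0 = no data limit, an assumption of this model)


def negotiated_lifetime(local: SaLifetime, remote: SaLifetime) -> SaLifetime:
    """IKEv1 peers proposing different lifetimes end up with the lower value of each limit."""
    def lower(a: int, b: int) -> int:
        if a == 0:
            return b
        if b == 0:
            return a
        return min(a, b)
    return SaLifetime(lower(local.seconds, remote.seconds),
                      lower(local.kilobytes, remote.kilobytes))


def rekey_after(sa: SaLifetime, kbytes_per_s: float) -> tuple[float, str]:
    """Seconds until the next rekey and which limit triggers it at a given throughput (KB/s)."""
    by_time = float(sa.seconds)
    if sa.kilobytes == 0 or kbytes_per_s <= 0:
        return by_time, "time"
    by_data = sa.kilobytes / kbytes_per_s
    # Whichever limit is reached first forces a new key for the SA.
    return (by_data, "data") if by_data < by_time else (by_time, "time")


def rekey_schedule(sa: SaLifetime, kbytes_per_s: float, horizon_s: int) -> list[int]:
    """Expected rekey timestamps (seconds since SA establishment) within the horizon."""
    interval, _ = rekey_after(sa, kbytes_per_s)
    schedule, t = [], interval
    while t <= horizon_s:
        schedule.append(round(t))
        t += interval
    return schedule


def drops_match_rekeys(drop_times: list[int], schedule: list[int], tolerance_s: int = 60) -> bool:
    """True when every observed state drop falls within tolerance of an expected rekey."""
    return all(any(abs(d - r) <= tolerance_s for r in schedule) for d in drop_times)


if __name__ == "__main__":
    # Constructed values: one side proposes 8 h / 4608000 KB, the other 3600 s with no data limit.
    sa = negotiated_lifetime(SaLifetime(28800, 4608000), SaLifetime(3600, 0))
    sched = rekey_schedule(sa, kbytes_per_s=100, horizon_s=4 * 3600)
    print(sa, sched, drops_match_rekeys([3610, 7190, 10805], sched))
```

If the drops line up with the schedule, the lifetime explains their timing; since a rekey should not take traffic down, the next step is still the config and logs Sheraz asked for.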