Hi Guys,
Phase 1 lifetime is mandatory, right? I think it is, as if not specified the tunnel won't come up, or let me rephrase: if not specified on one side and specified on another side to a different value from the default.
IPsec does use the lifetime and KB, whichever is reached sooner, right? If you specify a conflicting value between two ASAs, the lower of the two is picked and it does not have to match, right?
This means if phase 1 lifetime is 8 hours and IPsec time is not specified, it uses 1 hour or 4.5Gb (default values).
This means the IPsec tunnel will be torn down 8 times before phase 1 is, and then when phase 1 is rekeyed, both phase 1 and 2 are rekeyed, right?
When you type "show vpn-sessiondb l2l" and see the following output, does the duration refer to the time up since last rekey and login time refer to when it was initially brought up?
if so the
Connection :x.x.x.x
Index : 4122 IP Addr : x.x.x.x
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (2)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (2)SHA1
Bytes Tx : 1770051 Bytes Rx : 1819111
Login Time : 16:36:31 GMT Thu Nov 6 2015
Duration : 0h:27m:07s
Many thanks
Aram