11-30-2018 03:41 PM - edited 02-21-2020 08:31 AM
I've got an ASA 5506-X with the following commands on it from a previous administrator:
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
I already configured a VPN using ikev1, and these commands were not needed for that configuration.
My question is: are these commands fragments left over from another ikev1 configuration, an ikev2 configuration, or another version, or are these commands external to all three typical configurations?
11-30-2018 09:20 PM
12-03-2018 08:21 AM
I think I'm starting to understand.
I think these global commands must be in the ASA as preconfigured default values.
I see, for example, the pmtu-aging command is showing on a new ASA device show run, despite not being configured manually.
The lifetime seconds 3600 and the kilobytes are not showing up on show run on this device. That could be because this device is newer and it doesn't show up in show run on this device, but does on the old one I pulled the configs from. I do know that 3600 is default, so that makes sense. I'm not sure if the 102400000 kilobytes is default, but probably. Can anyone confirm any of this?
Is there a way to check what the default global lifetime values actually are on the device if show run does not show them?
Again, this particular device does show pmtu-aging infinite, so at least I know for sure that is a device default config.
Also, what is pmtu-aging used for?
12-03-2018 08:23 AM
12-04-2018 03:39 PM
phase 1 default is 86400
Phase 2 default is 3600
phase 1 config:
crypto ikev1 policy 10
 encryption aes-192
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
phase 2 optional parameters:
crypto map vpnmap 5 set security-association lifetime seconds SECS
crypto map vpnmap 5 set security-association lifetime kilobytes 102400000
These extra parameters are sometimes needed if they are set to specific values at the remote end, e.g. you will have to configure them for a s2s vpn to azure.
You could also try show run all | include abc; it might work.
regards, mk
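To make the "show run all" suggestion concrete, here is an added example that is not part of the thread or of any Cisco tooling. It takes the text of "show run" and "show run all" (constructed sample output below, with the lifetime numbers taken from the commands posted in this thread; they are not a claim about the platform's shipped defaults) and does three things: lists the crypto lines that appear only in "show run all", which are the settings still sitting at their built-in default; pulls out the global IPsec SA lifetime and pmtu-aging values; and works out, per crypto map entry, which lifetime will actually be negotiated, since a per-entry "set security-association lifetime" overrides the global value for that entry only. The peer addresses, ACL names and the 27000-second override are made up for the sample.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample output, not captured from a real device. The lifetime
# numbers are the ones posted in the thread; they are not a claim about the
# platform's shipped defaults. Paste the real output of the two show commands
# from your own ASA into these two strings instead.
SHOW_RUN = """\
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 5 match address azure-acl
crypto map vpnmap 5 set peer 203.0.113.10
crypto map vpnmap 5 set ikev1 transform-set ESP-AES-SHA
crypto map vpnmap 5 set security-association lifetime seconds 27000
crypto map vpnmap 5 set security-association lifetime kilobytes 102400000
crypto map vpnmap 10 match address branch-acl
crypto map vpnmap 10 set peer 198.51.100.20
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-SHA
crypto ikev1 policy 10
 encryption aes-192
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
"""

# "show run all" additionally prints settings that are still at their default.
SHOW_RUN_ALL = (
    "crypto ipsec security-association lifetime seconds 3600\n"
    "crypto ipsec security-association lifetime kilobytes 102400000\n"
    + SHOW_RUN
)

_GLOBAL_RE = re.compile(r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
_PMTU_RE = re.compile(r"^crypto ipsec security-association pmtu-aging (\S+)$")
_MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
_MAP_LIFETIME_RE = re.compile(r"^set security-association lifetime (seconds|kilobytes) (\d+)$")


def implicit_defaults(show_run: str, show_run_all: str, prefix: str = "crypto") -> List[str]:
    """Lines present only in 'show run all': settings that were never set explicitly.

    Anything the device prints under 'show run all' but omits from 'show run'
    is at its built-in default, so this list answers "what are the defaults?".
    """
    explicit = set(show_run.splitlines())
    return [line for line in show_run_all.splitlines()
            if line.startswith(prefix) and line not in explicit]


def parse_global_lifetimes(config: str) -> Dict[str, Any]:
    """Global IPsec SA lifetime knobs: seconds, kilobytes and pmtu-aging."""
    result: Dict[str, Any] = {"seconds": None, "kilobytes": None, "pmtu_aging": None}
    for line in config.splitlines():
        m = _GLOBAL_RE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
            continue
        m = _PMTU_RE.match(line)
        if m:
            result["pmtu_aging"] = m.group(1)
    return result


def effective_lifetimes(config: str) -> Dict[Tuple[str, int], Dict[str, Tuple[Optional[int], str]]]:
    """Per crypto map entry, the lifetime that will actually be negotiated.

    A 'crypto map NAME SEQ set security-association lifetime ...' line wins over
    the global value for that entry only; entries without one keep the global.
    Each value is tagged with its source, "entry" or "global".
    """
    glob = parse_global_lifetimes(config)
    overrides_by_entry: Dict[Tuple[str, int], Dict[str, int]] = {}
    for line in config.splitlines():
        m = _MAP_ENTRY_RE.match(line)
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        overrides = overrides_by_entry.setdefault(key, {})
        lm = _MAP_LIFETIME_RE.match(m.group(3))
        if lm:
            overrides[lm.group(1)] = int(lm.group(2))
    out: Dict[Tuple[str, int], Dict[str, Tuple[Optional[int], str]]] = {}
    for key, overrides in overrides_by_entry.items():
        out[key] = {}
        for unit in ("seconds", "kilobytes"):
            if unit in overrides:
                out[key][unit] = (overrides[unit], "entry")
            else:
                out[key][unit] = (glob[unit], "global")
    return out


if __name__ == "__main__":
    for line in implicit_defaults(SHOW_RUN, SHOW_RUN_ALL):
        print("default (absent from show run):", line)
    print("global:", parse_global_lifetimes(SHOW_RUN_ALL))
    for (name, seq), vals in sorted(effective_lifetimes(SHOW_RUN_ALL).items()):
        print(f"crypto map {name} {seq}:", vals)
```

The comparison is done on whole lines, so a value that is explicitly configured to the same number as the default shows up in both outputs and is correctly not reported as implicit. The pmtu-aging line is in both strings in the sample, which mirrors what the original poster saw: it appears in "show run" on a device where it was never typed in, so the string comparison alone cannot tell you whether it is a default; only "show run all" on a box you know is untouched can.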