crypto ipsec security-association commands

Waterbird (Level 1)

I've got an ASA 5506-X with the following commands on it from a previous administrator:

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite

I already configured a VPN using ikev1, and these commands were not needed for that configuration.

My question is: are these commands fragments left over from another ikev1 configuration, an ikev2 configuration, another version, or are these commands used extraneously to all three typical configurations?

4 Replies

Francesco Molino (VIP Alumni)
Hi

These are the phase 2 global default lifetimes. If you've configured specific lifetime values on your crypto map, these global ones won't be used; otherwise, if they are not configured in your crypto map for specific peers, the ASA will use the default values when negotiation occurs.

The IPsec sa will expire when the first setting is matched (volume or time).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I think I'm starting to understand.

I think these global commands must be in the ASA as preconfigured default values.

I see, for example, the pmtu-aging command is showing in a new ASA device's show run, despite not being configured manually.

The lifetime seconds 3600 and the kilobytes are not showing up in show run on this device. That could be because this device is newer and it doesn't show up in show run on this device, but does on the old one I pulled the configs from. I do know that 3600 is the default, so that makes sense. I'm not sure if the 102400000 kilobytes is the default, but probably. Can anyone confirm any of this?

Is there a way to check what the default global lifetime values actually are on the device if show run does not show them?

Again, this particular device does show pmtu-aging infinite, so at least I know for sure that is a device default config.

Also, what is pmtu-aging used for?

I just read that the PMTU aging time is used to change the lifetime of a PMTU entry in the cache.

phase 1 default is 86400
Phase 2 default is 3600

phase 1 config:
crypto ikev1 policy 10 
encryption aes-192
hash sha
authentication pre-share
group 5
lifetime 86400

phase 2 optional parameters:
crypto map vpnmap 5 set security-association lifetime SECS
crypto map vpnmap 5 set security-association lifetime kilobytes 102400000

these extra parameters are sometimes needed if they are set to specific values at the remote end - e.g. you will have to configure them for a s2s vpn to azure

could also try show run all | include abc     - might work

regards, mk
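As an added example that is not part of this thread (my own code, not Cisco's and not from either reply), the script below parses a constructed "show run all" style snippet, applies the precedence Francesco describes (a crypto map entry's own lifetime beats the global value; a limit present in neither is left unknown, since plain show run may hide the platform default), and then works out which limit, time or volume, expires first for a given traffic rate, which is what "expires when the first setting is matched" means in practice. The peer addresses, ACL names and the 27000-second value on entry 5 are made-up sample values; the 3600 / 102400000 figures are the ones from the thread.

```python
# Added example, not from the thread: resolve the effective phase 2 SA
# lifetime per crypto map entry and find which limit (time or volume)
# expires first at a given traffic rate.
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in "show run all" style. Peers, ACL names and the
# 27000 second value on entry 5 are made up for illustration only.
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 5 match address ACL_AZURE
crypto map vpnmap 5 set peer 203.0.113.10
crypto map vpnmap 5 set security-association lifetime seconds 27000
crypto map vpnmap 10 match address ACL_BRANCH
crypto map vpnmap 10 set peer 198.51.100.20
crypto map vpnmap interface outside
"""

GLOBAL_RE = re.compile(
    r"^crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
MAP_LIFETIME_RE = re.compile(
    r"^crypto map (\S+) (\d+) set security-association lifetime "
    r"(seconds|kilobytes) (\d+)$")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ")

Lifetime = Dict[str, int]
EntryKey = Tuple[str, int]  # (crypto map name, sequence number)


def parse_lifetimes(config: str) -> Tuple[Lifetime, Dict[EntryKey, Lifetime]]:
    """Return (global lifetimes, lifetimes set per crypto map entry)."""
    global_lt: Lifetime = {}
    entries: Dict[EntryKey, Lifetime] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            global_lt[m.group(1)] = int(m.group(2))
            continue
        m = MAP_LIFETIME_RE.match(line)
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = int(m.group(4))
            continue
        m = MAP_ENTRY_RE.match(line)
        if m:
            # Record the entry even when it sets no lifetime of its own,
            # so the global value visibly applies to it.
            entries.setdefault((m.group(1), int(m.group(2))), {})
    return global_lt, entries


def effective_lifetime(global_lt: Lifetime, entry: Lifetime) -> Dict[str, Optional[int]]:
    """Entry value wins over the global value. None means neither is
    configured, i.e. the platform default applies; confirm it with
    'show run all' rather than guessing."""
    return {k: entry.get(k, global_lt.get(k)) for k in ("seconds", "kilobytes")}


def first_expiry(seconds: Optional[int], kilobytes: Optional[int],
                 rate_kbytes_per_sec: float) -> Tuple[float, str]:
    """Seconds until the SA expires and which limit fires first, assuming a
    steady traffic rate through the tunnel in kilobytes per second."""
    candidates: List[Tuple[float, str]] = []
    if seconds is not None:
        candidates.append((float(seconds), "time"))
    if kilobytes is not None and rate_kbytes_per_sec > 0:
        candidates.append((kilobytes / rate_kbytes_per_sec, "volume"))
    if not candidates:
        raise ValueError("no lifetime known for this entry; check 'show run all'")
    return min(candidates)


def volume_break_even_rate(seconds: int, kilobytes: int) -> float:
    """Traffic rate (KB/s) above which the volume limit beats the time limit."""
    return kilobytes / seconds


if __name__ == "__main__":
    global_lt, entries = parse_lifetimes(SAMPLE_CONFIG)
    print("global:", global_lt)
    for key in sorted(entries):
        eff = effective_lifetime(global_lt, entries[key])
        # 10000 KB/s is a constructed sample rate (about 80 Mbit/s).
        print(key, eff, first_expiry(eff["seconds"], eff["kilobytes"], 10000.0))
    print("volume wins above %.0f KB/s" % volume_break_even_rate(3600, 102400000))
```

With the thread's 3600 s / 102400000 KB pair, the volume limit only fires first above roughly 28,444 KB/s sustained (on the order of 230 Mbit/s), so on most tunnels the hourly rekey is the one that actually triggers; entry 5, with its own 27000-second value, is the case where the volume limit matters at a modest rate.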
