04-30-2009 10:17 AM - edited 03-11-2019 08:25 AM
On the ASAs (8.x) when i creare a crypto map it automagically adds:
set security-association lifetime kilobytes 4608000
I have been able to change the number of kilobytes but have not been able to remove this setting entirely for tunnels where we do not want to have a lifetime based on kilobytes but rather only on time.
How do I remove this?
04-30-2009 10:38 AM
I don't have the same problem you are.
Try this:
no crypt map
crypt map
It may not let you do this while the tunnel is established though.
HTH,
John
04-30-2009 10:55 AM
I tried that...it didnt go anywhere. That is actually what they list in the documentation as a way to remove this setting...doesnt seem to work though.
04-30-2009 11:01 AM
I was able to reproduce it.
Type:
no ipsec security-association lifetime kilo
It sets a default, and it should remove it from your crypto map.
John
04-30-2009 11:06 AM
im lost...did it set it to the default (this is what I found) or did it remove it from the crypto map (this did not happen for me)
04-30-2009 11:08 AM
I removed my crypto map and recreated another one:
I had two lifetime settings in my crypto map after setting it, but I was able to remove the one that wasn't the default.
So if you set your lifetime to seconds, you should be able to remove you kb one with "no crypt map
John
04-30-2009 11:15 AM
interesting, was this in 8.x? I will have to try that.
Maybe my lifetime in seconds was still at the default setting when i was trying to remove the kb one...
04-30-2009 11:17 AM
When I run the ipsec security.... it automatically adds it to my existing crypto maps. I still couldn't remove it from the crypto map with "no crypto...", but I could remove it with "no ipsec security...."
And I'm running 8.0(3) on mine.
HTH,
John
04-30-2009 10:42 AM
Chris
I do not believe that there is an option to remove the kilobits lifetime. You can set it to a very high value (2147483647 K on my ASA) to reduce the chance that it will be exceeded. But I do not believe that you can remove it.
It is a basic part of the specification of IPSec. The thought behind it is similar to the thought behind the time based lifetime: the longer the Security Association uses the same keys (or the more data is transmitted using the same keys) the better chance some intruder has of breaking the keys. Why would you want to remove this protection.
HTH
Rick
04-30-2009 11:02 AM
I am pretty sure 6.x did not have this enabled by default and as far as I know there were no security compromises as a result. I think setting either the time or the KB is sufficient security.
I just built a tunnel with someone and they had a preference to not use the KB lifetime and only use the time lifetime. I had no problem with this since i think the KB lifetime is not necessary but I was unable to meet their requested settings and had to make them add a KB lifetime.
Also worth noting the KB lifetime set by default is greater than the maximum KB lifetime on checkpoint firewalls...so if you are building a VPN to a CP you have to change this setting....
Generally speaking I would rather not have something set if I dont know why it is needed and if its value was arbitrarily chosen....just one more thing to cause problems.
04-30-2009 11:03 AM
Oh, and to change your default, you can type:
ipsec security-association lifetime seconds
HTH,
John
04-30-2009 11:15 AM
Try this:
no ipsec security-association lifetime kilobytes
That should remove it from your crypto map and then you can specify in your map what you want.
Let me know, I'm curious =)
John
04-30-2009 06:14 PM
Chris
You and John are discussing whether you can get the statement to not show up in the config file. Given the Cisco practice that default values generally do not show up in the running config, making it not show in the running config is not necessarily the same as not having it active.
I have never done a show crypto map that there was not a crypto lifetime in kilobytes. I do not believe that Cisco gives you the option to disable lifetime in kilobytes.
HTH
Rick
06-13-2019 07:53 AM
Old thread but was having this same question and found that you can set the lifetime to unlimited.
set security-association lifetime kilobytes unlimited
configure mode commands/options:
<10-2147483647> Security association duration in kilobytes
unlimited Disable data rekey
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide