Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2255
Views
0
Helpful
4
Replies

IPSec lifetime configuration - FDM

Go to solution
ivan.kusturic
Level 1
Level 1

‎10-28-2019 07:05 AM - edited ‎02-21-2020 09:38 AM

Hello everybody,

I'm trying to find out where to specify IKE Phase 2 Lifetime duration (IPSec lifetime)? Under objects, you can only define lifetime for IKE Policies - Phase 1.

Software version is 6.3 and configuration is being done via FDM. Appliance is FirePower 2110.

Thanks.

3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-28-2019 07:24 AM

Unfortunately the necessary command is not supported in FDM - even when using Flexconfig.

Reference:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo91921/?rfs=iqvred

The BugID says it affects through 6.4.  I just verified that even my 6.5 FTD device (managed by FDM) continues to blacklist the command.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-28-2019 07:24 AM

Unfortunately the necessary command is not supported in FDM - even when using Flexconfig.

Reference:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo91921/?rfs=iqvred

The BugID says it affects through 6.4.  I just verified that even my 6.5 FTD device (managed by FDM) continues to blacklist the command.

0 Helpful

Go to solution
ivan.kusturic
Level 1
Level 1
In response to Marvin Rhoads

‎10-28-2019 07:35 AM - edited ‎10-28-2019 07:45 AM

Hello Marvin,

Thank you for the reply. Is there any way to configure this? And what is the default value used by FirePower for lifetime in Phase 2?

Btw, I'm really surprised with this information. IPsec lifetime is one of the basic configuration parameters for IKE protocol.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ivan.kusturic

‎10-28-2019 07:48 AM

It can be configured if you switch to FMC management. However you cannot configure it via FXOS or Lina CLI.

You're right it's a pretty basic setting. I keep pushing Cisco on achieving feature parity for basic things like this between ASA and FTD - no matter what management platform is used.

No excuse, but by way of explanation I'm told it's an architectural issue since FMD (and CDO) only support settings for which there is an API while FMC interacts with the Lina and clish running-configs directly. Cisco continues to enhance the API with every new release but it's still not where it needs to be.

0 Helpful

Go to solution
ivan.kusturic
Level 1
Level 1
In response to Marvin Rhoads

‎10-28-2019 08:01 AM - edited ‎10-28-2019 12:23 PM

Marvin, thank you very much for the answer and explanation.

Regards,

Ivan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card