On the Cisco ASRs, there is an option to disable the security association Lifetime Kilobytes altogether and just use the secs.
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c3.html#wp2944599527
My question is whether this needs to be disabled on both sides of the IPsec tunnel for it to work correctly, or will doing it on just one side work? We are seeing a potential issue due to this.
Also, see highlighted in the output below that the Kb value on the remote end is different from the Kb value on the local device. While the Lifetime secs is set manually on the policy map, the global value is being used for the Kilobytes value.
My question is whether the Kilobytes value is counted globally for all tunnels or for each tunnel independently? If it is counted independently for each tunnel, I'm not sure why the Kb value is different remotely and locally for the same traffic flowing onto the tunnel on each side.
inbound esp sas:
spi: 0xE7145CFD(3876871421)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3123, flow_id: :1123, sibling_flags 80000040, crypto map: Tunnel4-head-0
sa timing: remaining key lifetime (k/sec): (3632046/77141)
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
xxxxxxxxxxxxx
in use settings ={Tunnel, }
conn id: 3124, flow_id: :1124, sibling_flags 80000040, crypto map: Tunnel4-head-0
sa timing: remaining key lifetime (k/sec): (4586197/77141)
IV size: 16 bytes
replay detection support: Y replay window size: 512
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
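
As an added example (not part of the original post and not Cisco tooling), this Python parser reads the SA output quoted above and reports the remaining and consumed volume for each SA entry separately; IPsec SAs are unidirectional, so the inbound and outbound entries each carry their own counters. The 4608000 KB global lifetime is an assumption (the IOS default), and the sample text is the post's own output, trimmed.

```python
import re

# Constructed sample: the two ESP SA entries from the post's output, trimmed.
SAMPLE = """\
inbound esp sas:
spi: 0xE7145CFD(3876871421)
conn id: 3123, flow_id: :1123, sibling_flags 80000040, crypto map: Tunnel4-head-0
sa timing: remaining key lifetime (k/sec): (3632046/77141)
outbound esp sas:
conn id: 3124, flow_id: :1124, sibling_flags 80000040, crypto map: Tunnel4-head-0
sa timing: remaining key lifetime (k/sec): (4586197/77141)
"""

# Assumption: the global volume lifetime in effect is the IOS default, 4608000 KB.
ASSUMED_LIFETIME_KB = 4_608_000

SECTION = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:", re.I)
CONN = re.compile(r"conn id: (\d+)")
TIMING = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

def parse_sa_lifetimes(text, lifetime_kb=ASSUMED_LIFETIME_KB):
    """Return one dict per SA with its own remaining and used volume counters."""
    sas, direction, proto, conn = [], None, None, None
    for line in text.splitlines():
        m = SECTION.search(line)
        if m:  # a new "inbound esp sas:" style header starts a new context
            direction, proto, conn = m.group(1).lower(), m.group(2).lower(), None
            continue
        m = CONN.search(line)
        if m:
            conn = int(m.group(1))
            continue
        m = TIMING.search(line)
        if m and direction:  # ignore timing lines that appear before any header
            remaining_kb, remaining_s = int(m.group(1)), int(m.group(2))
            sas.append({"direction": direction, "proto": proto, "conn_id": conn,
                        "remaining_kb": remaining_kb, "remaining_s": remaining_s,
                        "used_kb": lifetime_kb - remaining_kb})
    return sas

if __name__ == "__main__":
    for sa in parse_sa_lifetimes(SAMPLE):
        print(sa)
```

Running the same parser over the peer's output lets the local outbound SA be compared with the remote inbound SA, which is the pair that protects the same direction of traffic.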